Debian or Ubuntu Linux comes with knockd. It is a port-knock server. It listens to all traffic on an ethernet and/or PPP interface created by VPN/dial-up pppd, looking for special “knock” sequences of port-hits. A knock client makes these port-hits by sending a TCP or UDP packet to a port on the server. This port need not be open — since knockd listens at the link-layer level, it sees all traffic even if it’s destined for a closed port. When the server detects a specific sequence of port-hits, it runs a command defined in its configuration file. This can be used to open up holes in a firewall for quick access.
Open a terminal or log in to the remote server with the ssh client. Type the following apt-get command as the root user to install the knockd server:
$ sudo apt-get install knockd
[sudo] password for vivek:
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  knockd
0 upgraded, 1 newly installed, 0 to remove and 4 not upgraded.
Need to get 27.6 kB of archives.
After this operation, 168 kB of additional disk space will be used.
Get:1 http://mirrors.kernel.org/debian/ stable/main knockd amd64 0.5-3 [27.6 kB]
Fetched 27.6 kB in 1s (19.5 kB/s)
Selecting previously deselected package knockd.
(Reading database ... 352407 files and directories currently installed.)
Unpacking knockd (from .../knockd_0.5-3_amd64.deb) ...
Processing triggers for man-db ...
Setting up knockd (0.5-3) ...
knockd disabled: not starting. To enable it edit /etc/default/knockd ... (warning).
Edit the file /etc/knockd.conf, enter:
$ sudo vi /etc/knockd.conf
Update the config file as follows. The sequence ports 2022, 3022, 4022 are only an example; choose your own as per your setup:
[options]
    UseSyslog

[openSSH]
    sequence    = 2022,3022,4022
    seq_timeout = 5
    command     = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn

[closeSSH]
    sequence    = 4022,3022,2022
    seq_timeout = 5
    command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn
Save and close the file. Edit the file /etc/default/knockd, enter:
$ sudo vi /etc/default/knockd
Optional: set the interface knockd listens on, such as eth0 or ppp0, as per your setup (KNOCKD_OPTS="-i eth0"). The package installs with the daemon disabled, as the install output above notes, so also set START_KNOCKD=1 in this file:
Save and close the file.
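As an added check that is not part of the original article: a small Python script that parses a knockd.conf of the shape shown above and flags the mistakes that matter when a door opens a firewall hole (too few knocks, a long seq_timeout, an open rule without --dport or %IP%, an open door with no matching close door, and one door's sequence being a prefix of another's). The embedded config is constructed: the two doors from the article plus a deliberately sloppy third door, openAll, so the checks have something to report. The thresholds MAX_TIMEOUT and MIN_HITS are my own policy assumptions, not knockd settings.

```python
import configparser
from typing import Dict, List, Tuple

# Constructed sample config: the two doors from the article plus a third,
# deliberately sloppy door ("openAll") so the checks below have something to flag.
SAMPLE_CONF = """\
[options]
UseSyslog

[openSSH]
sequence    = 2022,3022,4022
seq_timeout = 5
command     = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags    = syn

[closeSSH]
sequence    = 4022,3022,2022
seq_timeout = 5
command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags    = syn

[openAll]
sequence    = 2022,3022
seq_timeout = 600
command     = /sbin/iptables -A INPUT -s %IP% -j ACCEPT
"""

MAX_TIMEOUT = 30   # policy threshold (assumption): a long window makes replayed knocks easier
MIN_HITS = 3       # policy threshold (assumption): very short sequences are hit by ordinary scans


def parse_knockd_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse knockd.conf into {door: {key: value}}; the [options] section is skipped.

    knockd.conf is INI-like, but [options] carries bare flags such as UseSyslog
    (no value) and commands contain a literal %IP%, so valueless keys must be
    allowed and configparser's %-interpolation must be switched off.
    """
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections() if s != "options"}


def parse_sequence(seq: str) -> List[Tuple[int, str]]:
    """'2022,3022:udp' -> [(2022, 'tcp'), (3022, 'udp')]; knockd defaults a hit to tcp."""
    hits = []
    for item in seq.split(","):
        port, _, proto = item.strip().partition(":")
        hits.append((int(port), proto.lower() or "tcp"))
    return hits


def audit_doors(doors: Dict[str, Dict[str, str]]) -> List[str]:
    """Return human-readable findings, each prefixed with the door name."""
    findings: List[str] = []
    sequences: Dict[str, List[Tuple[int, str]]] = {}
    for name, door in doors.items():
        for key in ("sequence", "command"):
            if key not in door:
                findings.append(f"{name}: missing '{key}'")
        if "sequence" not in door:
            continue
        hits = parse_sequence(door["sequence"])
        sequences[name] = hits
        if len(hits) < MIN_HITS:
            findings.append(f"{name}: only {len(hits)} knocks; a port scan can trigger it")
        for port, _ in hits:
            if not 1 <= port <= 65535:
                findings.append(f"{name}: invalid port {port}")
        timeout = int(door.get("seq_timeout", "0"))
        if timeout > MAX_TIMEOUT:
            findings.append(f"{name}: seq_timeout={timeout}s is a wide window for replayed knocks")
        cmd = door.get("command", "")
        if "-A INPUT" in cmd or "-I INPUT" in cmd:
            if "%IP%" not in cmd:
                findings.append(f"{name}: open rule does not restrict the source to %IP%")
            if "--dport" not in cmd:
                findings.append(f"{name}: open rule has no --dport; it opens every port for the knocker")
            # The matching close door should run the same rule with -D instead of -A/-I.
            closer = cmd.replace("-A INPUT", "-D INPUT").replace("-I INPUT", "-D INPUT")
            if not any(d.get("command", "") == closer for d in doors.values()):
                findings.append(f"{name}: no matching close door; the rule persists until reboot")
    # knockd tracks each door's progress independently, so a door whose sequence
    # is a prefix of another door's fires on the same knocks.
    for a, seq_a in sequences.items():
        for b, seq_b in sequences.items():
            if a != b and len(seq_a) < len(seq_b) and seq_b[: len(seq_a)] == seq_a:
                findings.append(f"{a}: sequence is a prefix of {b}'s; both fire on {b}'s knock")
    return findings


if __name__ == "__main__":
    for finding in audit_doors(parse_knockd_conf(SAMPLE_CONF)):
        print(finding)
```

Run it against your own file with `parse_knockd_conf(open("/etc/knockd.conf").read())`; the two doors from the article produce no findings, while openAll produces five.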
How do I start / stop / restart knockd?
Type the following commands:
sudo service knockd start    #<-- start server
sudo service knockd stop     #<-- stop server
sudo service knockd restart  #<-- restart server
sudo service knockd status   #<-- see server status
sudo /etc/init.d/knockd start    #<-- start server
sudo /etc/init.d/knockd stop     #<-- stop server
sudo /etc/init.d/knockd restart  #<-- restart server
sudo /etc/init.d/knockd status   #<-- see server status
How do I knock on a port?
You need to use the knock command, the port-knock client. To open TCP port 22 for sshd on the server at 220.127.116.11, enter:
$ knock -v 18.104.22.168 2022 3022 4022
hitting tcp 22.214.171.124:2022
hitting tcp 126.96.36.199:3022
hitting tcp 188.8.131.52:4022
How do I close down the port?
The syntax is:
$ knock -v 184.108.40.206 4022 3022 2022
How do I open a UDP port?
The syntax is:
$ knock -v -u 220.127.116.11 9090
You can also combine TCP and UDP ports in one sequence as follows:
$ knock server1.cyberciti.biz 2022:tcp 9090:udp 4022:tcp
How do I verify that the port was opened or closed on the server?
Use the ssh client as follows:
$ ssh [email protected]
# iptables -L INPUT -v -n
# iptables -L INPUT -v -n | grep :22
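As an added example, not from the original article: instead of eyeballing the grep above, parse the `iptables -L INPUT -v -n` listing and report every per-host hole on port 22 together with the `-D` command that reverts it (the same command the [closeSSH] door runs, with %IP% filled in). The two listings embedded below are constructed samples using documentation addresses, not a real capture; they follow the standard column layout that the command above prints. The "after" listing is what you expect to see once the close knock has run.

```python
import re
from typing import Dict, List

# Constructed sample listing in the format of `iptables -L INPUT -v -n`
# (not a real capture): two knock-opened SSH holes plus unrelated rules.
SAMPLE_LISTING = """\
Chain INPUT (policy DROP 12 packets, 720 bytes)
 pkts bytes target     prot opt in     out     source               destination
  100  6000 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
   42  2520 ACCEPT     tcp  --  *      *       203.0.113.10         0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       198.51.100.7         0.0.0.0/0            tcp dpt:22
    9   540 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
"""

# Constructed: the same chain after 203.0.113.10 sent the close sequence.
SAMPLE_AFTER_CLOSE = """\
Chain INPUT (policy DROP 12 packets, 720 bytes)
 pkts bytes target     prot opt in     out     source               destination
  100  6000 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       198.51.100.7         0.0.0.0/0            tcp dpt:22
    9   540 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
"""

DPT_RE = re.compile(r"\bdpt:(\d+)\b")


def knock_openings(listing: str, port: int = 22) -> List[Dict[str, object]]:
    """Return the per-source ACCEPT rules for `port` in an `iptables -L INPUT -v -n` listing.

    Each entry carries the source address, the packet counter and the exact
    `-D` command that removes the rule, mirroring the article's [closeSSH] command.
    """
    rules: List[Dict[str, object]] = []
    for line in listing.splitlines():
        fields = line.split()
        # Skip the chain banner, the column header and blank lines: with -v the
        # first column of a rule line is the packet counter, always numeric.
        if len(fields) < 9 or not fields[0].isdigit():
            continue
        pkts, _bytes, target, prot, _opt, _in, _out, src, _dst = fields[:9]
        match = DPT_RE.search(line)
        # Some iptables builds print the protocol number with -n, hence "6" as well as "tcp".
        if target != "ACCEPT" or prot not in ("tcp", "6") or not match or int(match.group(1)) != port:
            continue
        if src == "0.0.0.0/0":
            continue  # a global allow rule, not a knock-opened per-host hole
        rules.append({
            "source": src,
            "packets": int(pkts),
            "close": f"/sbin/iptables -D INPUT -s {src} -p tcp --dport {port} -j ACCEPT",
        })
    return rules


def hole_open(listing: str, src: str, port: int = 22) -> bool:
    """True if `src` currently has a knock-opened hole for `port`."""
    return any(r["source"] == src for r in knock_openings(listing, port))


if __name__ == "__main__":
    # On the server itself: import subprocess and feed it
    # subprocess.run(["iptables", "-L", "INPUT", "-v", "-n"], capture_output=True, text=True).stdout
    for rule in knock_openings(SAMPLE_LISTING):
        print(f"{rule['source']} ({rule['packets']} pkts) -> {rule['close']}")
```

Holes that show zero packets were opened but never used, which is a sign that a knock was sent (by you or by something else) without a login following it; the printed `-D` command is how you clear one by hand when the close knock is not an option.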
Please note that port knocking is nothing but security through obscurity. I suggest the following:
- Secure OpenSSH properly using our “OpenSSH Server Best Security Practices” guide.
- Use a better solution such as fwknop which implements an authorization scheme called Single Packet Authorization (SPA).
- See also the man pages for knockd, knock, and iptables.