jump to navigation

Port Knocking : How to safely connect from anywhere to your closed Linux firewall January 18, 2011

Posted by Tournas Dimitrios in Linux.

In general all the great ideas are the simple ones. Many times we see a great idea in practice and we wander why didn’t we thought of that before? It is just so simple… The first time I have seen the knockd project I liked it instantly. The idea is so simple, and though so effective. Knockd is a port-knocking application that silently runs on a server passively listening to network traffic. Once it will see a port sequence it has an action configured for it, it will run that action. We can see this as a remote control to our server: once we hit the right button it will take the appropriate action! How does a port knocker work?

  • we install the port knocker daemon on our server (knockd)
  • we configure some port sequences (tcp, udp, or both), and the appropriate actions for each sequence.
  • the knockd daemon will be running in the background, at low level passively on the network interface. It is completely stealth and it will not open any ports on the server.
  • once it will see a port sequence it will run the configured action for the sequence.

A possible scenario to allow SSH access only to a specific ip-address would be : iptables -L -n Chain INPUT (policy DROP) target prot opt source destination ACCEPT tcp — tcp dpt:22 DROP tcp — tcp dpt:22 This scenario is of course very restrictive , and easily bypassed with ip spoofing techniques …introducing port knocking ” . In the following article I will show you how to set up and use  port knocking on CentOs 5.x. Unfortunately this utility is not provided from any official repository . Installing Knockd : The knockd package contains both the daemon and the client. Install it on all systems that you will use this functionality (client and servers ) . The installation can be made from :

  1. http://www.zeroflux.org/cgi-bin/cvstrac.cgi/knock/wiki or download the RPM for Centos5 from:
  2. http://dag.wieers.com/rpm/packages/knock/
  3. directly from the terminal ( caution : my example represents the 32-bit platform) wget http://dag.wieers.com/rpm/packages/knock/knock-0.5-1.el5.rf.i386.rpm

After you download the required RPM package, install it as follows : rpm -i knock-0.5-1.el5.rf.i386.rpm After the installation is completed , configure the knockd.conf file and start the server : /usr/sbin/knockd & To be able to understand whether arriving requests are made , by knocking and recognized by the daemon should open the log file : tail   -f  /var/log/knockd.log Basic configuration of knockd server (ssh): To set up the server you need to edit the configuration file and then start the program. vi  /etc/knockd.conf [options] logfile = /var/log/knockd.log [openSSH] sequence = 7000,8000,9000 seq_timeout = 5 command = /sbin/iptables -I INPUT -s %IP% -p tcp –dport 22 -j ACCEPT tcpflags = syn [closeSSH] sequence = 9000,8000,7000 seq_timeout = 5 command = /sbin/iptables -D INPUT -s %IP% -p tcp –dport 22 -j ACCEPT tcpflags = syn you should never use this sequence, and choose your own port sequence): Basic configuration of knockd client : Install the program on the client and then issue this command at the command line using the knock command followed by the IP Address and the knock sequence. knock  -v   7000  8000  9000 The -v is verbose so you can verify the sequence.

  • Now you can connect to the server using ssh:  ssh
  • Close your connection when you are done :  knock  9000  8000  7000

Basic configuration of knockd server (FTP): You can use knockd not only for the SSH port, there are a few other directives that you should know, lets outline the configuration with which the access to an FTP server can be enabled [opencloseFTP] sequence      = 1000,2000,3000 seq_timeout   = 15 start_command = /sbin/iptables -I INPUT -s %IP% -p tcp –dport ftp -j ACCEPT cmd_timeout   = 10 stop_command  = /sbin/iptables -D INPUT -s %IP% -p tcp –dport ftp -j ACCEPT tcpflags      = syn. You already know the most  directives, from the previous section. New are the directives start_command , Cmd_Timeout and stop_command. Once the correct knock sequence is detected, the directive start_command runs . By the directive Cmd_Timeout the time from running the command from start_command and run the command from stop_command specified. This can be a port for a short period of time to open and then closed with the directive stop_command again . This procedure is usefull  if in the period in which the port is open , connection  to the appropriate service is made and remains until the user disconnects . Basic configuration of knockd server (HTTP): If you want to share the port 80, you can not use the variant from the previous section. In HTTP, each request for a new page creates a new  connection to the server . Therefore, the port 80 open as long as the user wants to access the web server . [openHTTP] sequence = 4000:udp,2000:tcp,6000:udp seq_timeout   = 15 tcpflags = syn command = /sbin/iptables -I INPUT -s %IP% -p tcp –dport http -j ACCEPT [closeHTTP] sequence = 4100:udp,2100:tcp,6100:udp seq_timeout   = 15 tcpflags = syn command = /sbin/iptables -D INPUT -s %IP% -p tcp –dport http -j ACCEPT Starting the knockd server  with the INIT script : The following script allows you to start, stop and restart the knock daemon. Copy the code in the file / etc / rc.d / init.d / knockd.

# chkconfig: - 99 00
# description: Start and stop knockd

# Check that config file exist
[ -f /etc/knockd.conf ] || exit 0

# Source function library
. /etc/rc.d/init.d/functions

# Source networking configuration
. /etc/sysconfig/network

# Check that networking is up
[ "$NETWORKING" = "no" ] && exit 0

start() {
  echo "Starting knockd ..."
  /usr/sbin/knockd &

stop() {
  echo "Shutting down knockd ..."
  kill `pidof /usr/sbin/knockd`

case "$1" in
    echo "Usage: $0 {start|stop|restart}"

exit 0
  • After the init script has been created, change the permissions of the file: chmod 755 /etc/rc.d/init.d/knockd
  • Now the knockd daemon can be manipulated with the following commands : chkconfig –add knockd chkconfig –level 35 knockd on service knockd start

Keep in mind, though, that this *is* vulnerable to observation attacks. You can configure a set of 25 ports mixing udp and tcp connections and no port scanner will ever hit it by accident. However, anyone who is able to intercept your traffic when you use your knock sequence *will* be able to determine your secret knock — unlike, say, ssh, which has strong protection against man-in-the-middle attacks sniffing passwords. knockd is quite useful, but you have to remember its limitations.



1. jasebase - October 21, 2014

In your section: “Basic configuration of knockd client”, you have written:

knock -v 1922.168.1.15 7000 8000 9000

But I think you meant to put:

knock -v 7000 8000 9000

tournasdimitrios1 - October 21, 2014

@jasebase , yes of course .Typo corrected,thanks!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s