I must've been living under a rock... because I just found out about port knocking and why it's such a good security measure.
Abstract
Port knocking is the modern equivalent of the secret knock. As the term implies, the door to a service or port will only open if the ports listed in the config file are knocked in a certain order. If the system is fully protected, external entities have no way of finding out which ports to knock and won't be able to uncover or access the "hidden" service.
Consider the following as an example:
A cloud server has been configured with an SSH service for remote administration on port 22. In this case port 22 would have to be open on the system firewall (iptables/UFW). However, this means that anyone who knows the server's IP (via DNS resolution) would be able to discover the SSH service. This might allow attackers to brute-force the SSH login, which increases the server's attack surface. That's when port knocking comes in handy! After setting up knockd to monitor incoming TCP SYN packets for a secret knock, port 22 will always appear closed unless the ports mentioned in the config file are knocked in order (e.g. 666, 777, 888).
How Port Knocking Can Add Extra Layer of Server Security (thegeekstuff.com)
Positive
Solid Security Measure
Default port knocking would be viable for small-scale servers managed by one or two system admins, as it adds a layer of security and doesn't directly expose them to the internet. [Security Through Obscurity] This also reduces the attack surface. [SSH Brute Force]
Negatives
Failure of Daemon
Port knocking depends entirely on the port knocking daemon. If the daemon were to fail, there is no way of fixing it remotely unless you already have a live session on the server. This is a risk you accept if you deploy it.
Sniffed Knocks
The other worry is that an attacker would be able to sniff your knocks going to the particular ports. Encryption won't necessarily do much, as the type of traffic used for port knocking is well known and the attacker would only need to know the server's IP and the destination ports, neither of which is encrypted.
Okay... enough theory! Let's try port knocking out on a throwaway server.
Installation
Prerequisites
- Internet Connectivity
- Pre-configured iptables (Read More)
Knockd
root@Nee7Amsterdam:~# sudo apt-get install knockd
Configuration
Once everything is installed, it's time to make changes to /etc/knockd.conf.
root@Nee7Amsterdam:~# cat /etc/knockd.conf
[options]
    UseSyslog

[openSSH]
    sequence    = 666,667,668
    seq_timeout = 25
    command     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn

[closeSSH]
    sequence    = 668,667,666
    seq_timeout = 25
    command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn
This config ensures the following:
- If the ports 666, 667 and 668 are knocked in order (within seq_timeout, 25 seconds), a new iptables rule allowing the knocking IP (%IP%) to reach port 22 will be inserted.
- If the ports 668, 667 and 666 are knocked in order, that same iptables rule is deleted again (the -D flag), so port 22 goes back to appearing closed for that IP.
The next file to look at is /etc/default/knockd. The target ethernet adapter has to be set in this file.
root@Nee7Amsterdam:~# cat /etc/default/knockd
# control if we start knockd at init or not
# 1 = start
# anything else = don't start
# PLEASE EDIT /etc/knockd.conf BEFORE ENABLING
START_KNOCKD=1

# command line options
KNOCKD_OPTS="-i eth0"
After completing these steps, all that's left to do is start the service!
root@Nee7Amsterdam:~# sudo service knockd start
Testing
When I tried to SSH into my server, I was getting this Connection Refused prompt.
However, a simple Nmap scan revealed that port 22 was actually open but filtered.
Knocking
The following knock command will knock the specified ports in order.
┌──(root💀nee)-[~]
└─# knock nee.amster 666 667 668
After knocking, I was successfully able to negotiate an SSH connection with my server with no issues!
Late to the party...but I guess late is better than not turning up. Time to deploy this on all my servers! 🐍