Set port knocking with knockd and iptables

This document describes port knocking, a stealth method for opening, from the outside, ports that the firewall keeps closed by default: the client sends a secret sequence of connection attempts, and only then does the server add a firewall rule for that client.

Server side

1. Install knockd

[codesyntax lang="bash"]

apt-get install knockd

[/codesyntax]

2. Configure knockd

[codesyntax lang="bash"]

vim /etc/knockd.conf

[options]
        UseSyslog

[OpenClosePort]
        sequence      = 2123:udp,3543:tcp,6454:udp
        seq_timeout   = 5
        tcpflags      = syn
        start_command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport PORT -j ACCEPT
        cmd_timeout   = 3600
        stop_command  = /sbin/iptables -D INPUT -s %IP% -p tcp --dport PORT -j ACCEPT

:wq

[/codesyntax]

Notes:

  • sequence - the ports (with protocol) a client must hit, in this order, to open the desired port
  • seq_timeout - time, in seconds, allowed for the whole sequence to complete
  • tcpflags - only TCP packets carrying these flags count as knocks (syn matches a plain connection attempt)
  • start_command - command executed when a client sends the correct sequence; %IP% is replaced by the address of the knocking client
  • stop_command - command executed when cmd_timeout seconds have passed since start_command was executed
  • cmd_timeout - time to wait between start_command and stop_command, in seconds
  • PORT - placeholder for the port to be opened; replace it with the real port number before starting knockd, since knockd itself substitutes only %IP%

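The configuration above is easy to get subtly wrong: if stop_command is not the exact -D mirror of start_command, or cmd_timeout is missing, the ACCEPT rule inserted for a knocking client stays in the firewall forever. The following Python script is an added example (not part of the original post or of knockd): it parses a knockd.conf, renders the concrete iptables rules for a given client address and port, and checks those two conditions. The sample configuration and client address are constructed; PORT is the post's placeholder, not a knockd macro.

```python
import configparser

# Constructed sample mirroring the knockd.conf shown above (example data).
SAMPLE_CONF = """
[options]
    UseSyslog

[OpenClosePort]
    sequence    = 2123:udp,3543:tcp,6454:udp
    seq_timeout = 5
    start_command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport PORT -j ACCEPT
    tcpflags    = syn
    cmd_timeout = 3600
    stop_command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport PORT -j ACCEPT
"""

def load_knockd_conf(text):
    """Parse knockd.conf text: interpolation off so %IP% survives, bare flags
    such as UseSyslog allowed, indentation stripped so it is not a continuation."""
    cfg = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cfg.read_string("\n".join(line.strip() for line in text.splitlines()))
    return cfg

def parse_sequence(spec):
    """'2123:udp,3543:tcp' -> [(2123, 'udp'), (3543, 'tcp')]; no suffix means tcp."""
    seq = []
    for item in spec.split(","):
        port, _, proto = item.strip().partition(":")
        seq.append((int(port), (proto or "tcp").lower()))
    return seq

def expand_command(template, client_ip, port):
    """Render a command for one knocking client. knockd expands only %IP%;
    PORT is the post's placeholder, so it is substituted here as well."""
    return template.replace("%IP%", client_ip).replace("PORT", str(port))

def audit_section(cfg, name, client_ip, port):
    """Concrete start/stop rules for a section plus two checks: stop_command must
    be the -D mirror of start_command, and cmd_timeout must exist to trigger it."""
    sec = cfg[name]
    start = expand_command(sec["start_command"], client_ip, port)
    stop = expand_command(sec.get("stop_command", ""), client_ip, port)
    return {
        "sequence": parse_sequence(sec["sequence"]),
        "start": start,
        "stop": stop,
        "stop_mirrors_start": stop == start.replace(" -I ", " -D ", 1),
        "has_cmd_timeout": "cmd_timeout" in sec,
    }
```

Run it against /etc/knockd.conf before step 3 with the port you intend to open; a section where either check is false will leak an ACCEPT rule per knocking client.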
3. Enable knockd

[codesyntax lang="bash"]

vim /etc/default/knockd

:%s/START_KNOCKD=0/START_KNOCKD=1/g
:%s/#KNOCKD_OPTS="-i eth1"/KNOCKD_OPTS="-i eth0"/g
:wq

[/codesyntax]

Note: eth0 must be the interface on which the knocks arrive; adjust the interface name if your external interface is called something else.

4. Start knockd

[codesyntax lang="bash"]

/etc/init.d/knockd restart

[/codesyntax]

Client side

1. Knock the port

[codesyntax lang="bash"]

# One knock per nmap run, in the configured order; all three must arrive within seq_timeout.
# The UDP knocks (-sU) require root privileges on the client.
nmap -Pn --host_timeout 201 --max-retries 0 -sU -p 2123 host
nmap -Pn --host_timeout 201 --max-retries 0 -p 3543 host
nmap -Pn --host_timeout 201 --max-retries 0 -sU -p 6454 host

[/codesyntax]

2. Check if the port is open

[codesyntax lang="bash"]

telnet host PORT

[/codesyntax]
