This document describes port knocking with knockd: a method of opening, on demand from outside, ports that the firewall keeps closed by default. The ports stay invisible to a scan until the client sends the agreed knock sequence.
Server side
1. Install knockd
[codesyntax lang="bash"]
apt-get install knockd
[/codesyntax]
2. Configure knockd
[codesyntax lang="bash"]
vim /etc/knockd.conf

[options]
    UseSyslog

[OpenClosePort]
    sequence      = 2123:udp,3543:tcp,6454:udp
    seq_timeout   = 5
    Start_Command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport PORT -j ACCEPT
    tcpflags      = syn
    Cmd_timeout   = 3600
    Stop_Command  = /sbin/iptables -D INPUT -s %IP% -p tcp --dport PORT -j ACCEPT

:wq
[/codesyntax]
Notes:
- sequence - the knock sequence (port:protocol pairs, in order) required to open the desired port
- seq_timeout - time in seconds the whole sequence has to complete
- Start_Command - command executed when a client sends the correct knock sequence; %IP% is replaced by that client's address, so only that source is allowed in
- Stop_Command - command executed when Cmd_timeout seconds have passed since Start_Command ran; here it removes the rule added by Start_Command
- Cmd_timeout - time in seconds between Start_Command and Stop_Command
- PORT - placeholder for the port to be opened; replace it in both commands
3. Enable knockd
[codesyntax lang="bash"]
vim /etc/default/knockd
:%s/START_KNOCKD=0/START_KNOCKD=1/g
:%s/#KNOCKD_OPTS="-i eth1"/KNOCKD_OPTS="-i eth0"/g
:wq
[/codesyntax]
4. Start knockd
[codesyntax lang="bash"]
/etc/init.d/knockd restart
[/codesyntax]
Client side
1. Knock the port
[codesyntax lang="bash"]
# one probe per knock, in the order given in knockd.conf (-sU knocks need root)
nmap -Pn --host_timeout 201 --max-retries 0 -sU -p 2123 host
nmap -Pn --host_timeout 201 --max-retries 0 -p 3543 host
nmap -Pn --host_timeout 201 --max-retries 0 -sU -p 6454 host
[/codesyntax]
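The same knock without nmap, as an added example that is not part of this post or of knockd: a small bash knocker that parses the `port:proto` sequence syntax used in knockd.conf, so client and server can share one string and a typo fails before anything is sent. It assumes bash (for /dev/tcp and /dev/udp), coreutils `timeout`, and a resolvable host; `knock`, `parse_sequence` and `send_knock` are hypothetical helper names.

```bash
#!/usr/bin/env bash
# Added example, not knockd's own tooling.

# Validate a knockd sequence string such as "2123:udp,3543:tcp,6454:udp".
# Prints one "port proto" pair per line; returns 1 on a malformed entry.
parse_sequence() {
    local seq="$1" entry port proto
    local IFS=','
    for entry in $seq; do
        port="${entry%%:*}"
        proto="${entry#*:}"
        [ "$proto" = "$entry" ] && proto=tcp   # knockd defaults to tcp
        case "$port" in
            ''|*[!0-9]*) echo "bad port in '$entry'" >&2; return 1 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "port out of range in '$entry'" >&2; return 1
        fi
        case "$proto" in
            tcp|udp) ;;
            *) echo "bad protocol in '$entry'" >&2; return 1 ;;
        esac
        printf '%s %s\n' "$port" "$proto"
    done
}

# Send one knock. A TCP connect attempt emits the SYN that "tcpflags = syn"
# matches; the RST from the closed port is expected, so errors are ignored.
# The 1-second timeout stops a filtered port from stalling the sequence.
send_knock() {
    local host="$1" port="$2" proto="$3"
    if [ "$proto" = udp ]; then
        printf knock 2>/dev/null > "/dev/udp/$host/$port" || true
    else
        timeout 1 bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null || true
    fi
}

# knock HOST SEQUENCE: send every knock in order, with a short pause so the
# packets arrive in order but well inside seq_timeout.
knock() {
    local host="$1" pairs port proto
    pairs=$(parse_sequence "$2") || return 1
    printf '%s\n' "$pairs" | while read -r port proto; do
        send_knock "$host" "$port" "$proto"
        sleep 0.2
    done
}

# Usage: knock host 2123:udp,3543:tcp,6454:udp && telnet host PORT
```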
2. Check if the port is open
[codesyntax lang="bash"]
telnet host PORT
[/codesyntax]