As a system administrator, we should do everything to secure our server from attackers. As the internet grows, threats to our server is also growing. One of the popular entrances to attack our server is through the port on your server that open. If your SSH server is running on your machine, then usually the SSH port is listening. Which means it is open, waiting for the connection.
Leaving the port open for 24 hours, is not recommended because it is vulnerable. Because we can scan the machine to see the open port. Nmap is one of the most popular port scanner that can be used by anyone to scan your machine.
How if we can open the on demand and close the port when it’s not used? Sounds interesting. Now we can do it using knockd application.
What is knockd
Knockd is a port-knock server. It listens to all traffice on an ethernet (or PPP) interface, looking for special “knock” sequences of port-hits. (Source : http://www.zeroflux.org/projects/knock)
How it works
Every application needs a port as a “door” for “listening” requests from other clients. This port usually on open state or close state. There are a lot of ports that available on the server. But there are some ports that agreed by consensus, such as SSH (22), Web (80) and FTP (21).
A basic rule of server security is to open only used ports and close the rest. You may have some ports that are sometimes used and sometimes not. Leaving those ports open while is not being used is not recommended.
When you install knockd, you can let the client “knock” the server with pattern. The knocking sequence can be custom by you. So this knocking pattern will be unique to each other. If the pattern is match, then the port you need will be opened for a period of time and the request can enter your server.
Once you have done with the application, you can close the port manually or automatically.
How to install knockd
On this article, we are using Zorin 9 OS which based on Ubuntu 14.04 LTS. If you are using another distribution please adjust it to the installation method of your distribution.
Knockd is available on Ubuntu repository. Then we can use apt-get to install knockd.
$ sudo apt-get install knockd
Just wait for a few minutes, then your knockd is already setup.
Knock configuration file is located in /etc/knockd.conf
The sample configuration is simple and easy to understand.
We can see that the configuration is divided into three sections. The [options] section, [openSSH] section to open SSH port and [closeSSH] section to close SSH port.
By default [options] section contain only 1 row. It tell us that the knockd log will be recorded using the operating system log application. On Ubuntu, we will see the log in /var/log/syslog; folder.
Of course we can choose not to use SysLog. We can change it into this line, if we want to use custom log.
logfile = /var/log/knockd.log
The above line, will put knock log file in /var/log/knockd.log
[openSSH] sections has identical commands with [closeSSH] section.
sequence = 1200,1300,1400
This is the knock pattern. It will trigger the command below in the section. The value of this parameter is fully customized. We can choose another random number.
seq_timeout = 10
This will tell knockd about how long the knock pattern must be completed in.
command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
This parameter will open SSH port on port 22
tcpflags = syn
This parameter indicates that the Client will sends a TCP SYNchronize packet to the server
Setting up the firewall
As we know before, knockd will open particular port temporarily. So we have to make sure firewall is running on the server. Basically, we will close all ports. We are using iptables syntax to do it. Here are the steps.
The 1st command, will allow the current on-going session through firewall.
The 2nd command, will allow the server is able to ping by another machine.
The 3rd command, will reject every requests.
To test the knockd service, we expect that our will firewall will drop all ssh connection. Then knockd will open it temporarily on demand.
Test the knockd on server side
Once the firewall and knockd are setup, next we can test them.
To test the firewall, try remote the server via SSH from another machine. (on this article, client IP is 10.1.6.14 and server IP 10.0.76.224)
$ ssh -l pungki 10.0.76.224
-l = login name
pungki = the user name on the destination server
If the firewall works, then we will get “Connection refused” error message.
The reason we get the error message is the 10.1.6.14 is not allowed to enter the server. If we use this command, we will see no result.
$ sudo /sbin/iptables -L -n |grep 10.1.6.14
Later, we will see the difference after knockd implemented.
Next step, is to test the knockd service.
To run knockd, we need to change knockd default file which located in /etc/default/knockd. Change the value of START_KNOCKD parameter from 0 to 1.
Save the file. Then type :
$ sudo service knockd start
*note : I tried to run the service using /etc/init.d/knockd start , but it always fail to start
Test knockd from Client side
On the client side, we need knock client to “knock” the server. On the client side, we use Centos 5.2. Then we install knock-client from http://pkgs.repoforge.org/knock/knock-0.5.3.el5.rf.i386.rpm
Then run the command below to knock the server :
$ knock -v 10.0.76.224 1200 1300 1400
-v = verbose
10.0.76.224 = Server IP
1200 1300 1400 = knock sequence which defined in the knockd configuration
After knock the server, now we will see that the client IP is now allowed to enter the server.
$ sudo /sbin/iptables -L -n |grep 10.1.6.14
Then we can run SSH to remote the server.
As we can see on the above image, the host name of are different. After SSH to the remote machine established then the host name is changed from @web01 into @dev-machine.
Close the port
After the client done to remote the server, the client need to close the port. To do that, we can use the command below :
$ knock -v 10.0.76.224 1400 1300 1200
Please be careful, to close the port, we put the knock sequence in the opposite order.
After knock the server, we will see a prompt again. To check if the knock was success, we use iptables command again. If it was success, we will see that IP 10.1.6.14 will disappeared.
On the previous one, after knock to open the port, we saw that the client IP Address - 10.1.6.14 - is allowed to enter the server by firewall. Now, after we knock to close the port, if we check with the same iptables command, the rule was deleted.
Close the port Automatically
Since the close port activity is triggered by client, we will have the possibility that the client forget to close the port. We don’t want it to happen. So we can configure knockd to close the port automatically.
In order to do that, we need to customize the knockd configuration file. Here is the sample of modified knockd configuration file.
The command still looks identical. The difference with the previous configuration is we put [openSSH] section and [closeSSH] section in the same block.
Then we add cmd_timeout = 10 line to tell the server to execute the stop_command 10 seconds after start_command is executed. The port will be automatically closed, but the established connection remain connected.
Knockd help us to minimize the risk of leaving all ports open all the time. With knockd, we can open ports we need on demand. To improve security, we need to know the knock sequence before be open the port.