Port knocking is undoubtedly a practice that all of us who manage servers should know; here I explain in detail what it is and how to implement and configure it 😉
Those of us who manage a server have SSH access to it. Some of us change SSH's default port so it no longer listens on 22, and others simply leave it as it is (not recommended). Either way, the server has SSH reachable on some port, and that alone is already a 'vulnerability'.
With Port Knocking we can achieve the following:
1. SSH is not reachable on any port. If SSH is configured on port 9191 (for example), that port (9191) will be closed to everyone.
2. If someone wants to access the server by SSH, obviously they will not be able to, since port 9191 is closed... but, if we use a 'magic' or secret combination, that port will be opened. For example:
   1. I telnet to port 7000 of the server
   2. I do another telnet to port 8000 of the server
   3. I do another telnet to port 9000 of the server
   4. The server detects that someone has made the secret combination (knocked on ports 7000, 8000 and 9000, in that order) and opens port 9191 so that SSH login can be requested (it opens it only for the IP from which the correct combination was made).
   5. Now, to close SSH, I just telnet to port 3500
   6. I do another telnet to port 4500
   7. And finally another telnet to port 5500
   8. When the server detects this other secret combination, it closes port 9191 again.
In other words, to explain this even more simply...
With Port Knocking our server keeps certain ports closed, but when it detects that the correct port combination was made from some IP (a combination defined beforehand in a configuration file), it executes a certain command on itself (a command also defined in that configuration file).
Understood, right? 🙂
How to install a daemon for Port Knocking?
I do it with the package knockd, which lets us implement and configure Port Knocking in a very, very simple and fast way.
Install the package:
How to configure Port Knocking with knockd?
Once installed, we move on to configuring it; for this we edit (as root) the file /etc/knockd.conf:
The default settings are really simple to explain.
- First, UseSyslog means that activity will be logged to /var/log/syslog.
- Second, the [openSSH] section is, obviously, where the instructions to open SSH go. First we have the sequence of ports (the secret combination), which by default is port 7000, then port 8000 and finally port 9000. Obviously the ports can be changed (in fact I recommend it), and there don't necessarily have to be 3; there can be more or fewer, it depends on you.
- Third, seq_timeout = 5 is the time allowed for the secret port combination to be completed. By default it is set to 5 seconds, meaning that once we start the port knocking (that is, when we telnet to port 7000) we have at most 5 seconds to finish the correct sequence; if 5 seconds pass and we have not finished, it is simply as if the sequence were invalid.
- Fourth, command needs little explanation. It is simply the command the server will execute when it detects the combination defined above. The default command opens port 22 (change this to your SSH port) only for the IP that made the correct combination of ports.
- Fifth, tcpflags = syn. With this line we specify the type of packets the server will recognize as valid for the port knocking.
Then there is the section to close SSH, which in the default configuration is nothing more than the same sequence of ports as above but in the opposite order.
Here is a configuration with some modifications:
How to start the knockd daemon?
To start it we must first modify (as root) the file /etc/default/knockd:
There we change line 12, which says «START_KNOCKD=0», changing that 0 to 1 so that we have «START_KNOCKD=1».
Once this is done now we simply start it:
service knockd start
And voila, it is configured and working.
Port Knocking with knockd up and running!
As you can see in the previous configuration, if a knock is made on port 1000, then on 2000 and finally on 3000, port 2222 (my SSH) opens. Here is another computer performing the port knock:
As you can see, when port 1000 was knocked, stage 1 was registered; then 2000 gives stage 2 and finally 3000 gives stage 3. When this happens, the command I declared in the .conf is executed and that's it.
And well, that's the end of the usage explanation 😀
As you can see, Port Knocking is truly interesting and useful, because we don't have to simply open a port after a certain combination of ports: the command the server executes can be anything. That is... instead of opening a port we can tell it to kill a process, stop a service like apache or mysql, etc... the limit is your imagination.
Well, that's the article... I am by no means an expert in this matter, but I wanted to share this interesting process with you.
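The matching described above (a per-door sequence, the seq_timeout window, stage-by-stage progress and %IP% substitution in command), worked through as an added Python model; this is not knockd's source code, and the knockd.conf text is constructed to match the modified configuration used in this post (knock 1000, 2000, 3000 to open port 2222 for the knocking IP, reverse order to close it).

```python
import configparser, textwrap

# Constructed knockd.conf matching what this post describes: knocking 1000, 2000, 3000
# opens SSH (here on 2222) for the knocking IP only; the reverse order closes it again.
KNOCKD_CONF = textwrap.dedent("""\
    [options]
    UseSyslog
    [openSSH]
    sequence    = 1000,2000,3000
    seq_timeout = 5
    command     = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 2222 -j ACCEPT
    tcpflags    = syn
    [closeSSH]
    sequence    = 3000,2000,1000
    seq_timeout = 5
    command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 2222 -j ACCEPT
    tcpflags    = syn
""")

def load_doors(text):
    """Parse the [door] sections; interpolation is off so %IP% survives untouched."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cp.read_string(text)
    return {n: {"sequence": [int(p) for p in cp[n]["sequence"].split(",")],
                "seq_timeout": float(cp[n]["seq_timeout"]),
                "command": cp[n]["command"]}
            for n in cp.sections() if n != "options"}

def knock(doors, attempts, ip, port, now):
    """Simplified model of the daemon: feed one SYN (source IP, destination port,
    unix time); `attempts` holds one in-progress sequence per source IP.
    Returns the command to run when a door's sequence completes, else None."""
    a = attempts.get(ip)
    if a and now - a["start"] > doors[a["door"]]["seq_timeout"]:
        del attempts[ip]                   # too slow: the partial sequence is discarded
        a = None
    if a is None:                          # does this port start any door's sequence?
        name = next((n for n, d in doors.items() if port == d["sequence"][0]), None)
        if name is None:
            return None                    # unrelated port: ignored
        a = attempts[ip] = {"door": name, "stage": 0, "start": now}
    door = doors[a["door"]]
    if port != door["sequence"][a["stage"]]:
        del attempts[ip]                   # wrong port: the whole attempt resets
        return None
    a["stage"] += 1                        # knockd logs this as "Stage N"
    if a["stage"] < len(door["sequence"]):
        return None
    del attempts[ip]                       # sequence complete: run the door's command
    return door["command"].replace("%IP%", ip)
```

With the close-via-reverse-sequence approach, the port stays open if the closing knock is never sent; knockd also supports start_command/stop_command with cmd_timeout so the opening is undone automatically after a set number of seconds.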