
Tip of the Trade: Knockd

By Carla Schroder (Send Email)
Posted Aug 8, 2006


Port-knocking has long been kicked around as a nearly fool-proof tactic for keeping intruders out of the network while unfailingly allowing only legitimate connections. It works like this: the "secret knock" daemon listens on a network interface for a specific sequence of "knocks," or port hits. The client "knocks" by sending TCP or UDP packets to certain ports on the server. You don't need to leave any ports open for this to work, because the daemon listens at the link layer. When the daemon detects the correct sequence of port hits, it opens a port and allows incoming traffic. Knockd makes it easy to have a secret knock.

Thus, to all outward appearances the server has no open ports, except for clients that know the correct "shave-and-a-haircut" knock.

Although the concept is attractive, implementation has been difficult, requiring some rather complex scripting and iptables hacks. Complexity is the enemy of security, and while accidentally locking yourself out of your own servers can be considered the ultimate security measure, it has obvious downsides.

Knockd is easy to use and has a number of attractive features. Currently, it runs only on Linux and works in conjunction with iptables.

Both the knock server and client are required, and you should know how to write iptables rules. Configuring the server is blessedly simple. A common example is setting it up for SSH. The server configuration looks like this:

#/etc/knockd.conf
[openSSH]
sequence    = 7000,8000,9000
seq_timeout = 5
command     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags    = syn

The client command looks like this:

$ knock -v 192.168.1.25 7000 8000 9000

Then, fire up your SSH client and you're in business.

You must also pay attention to closing the port when you're finished. You can do this from the client side, or configure the server to take care of it automatically. If you're concerned about someone sniffing your transmissions and possibly detecting your knock sequence, Knockd has a one_time_sequences feature that rotates multiple knock sequences.
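To make the server-side behaviour concrete, here is an added example (not knockd's own code) that parses a knockd.conf in the style of the article's stanza and replays a handful of constructed knock events through a simplified model of the matching rules: the whole sequence must arrive from one source within seq_timeout seconds, an out-of-order hit resets that source's attempt, packets whose TCP flags don't match tcpflags are ignored, and %IP% in the command is replaced by the knocking address. The second stanza, closeSSH, follows the common pattern of a reverse sequence that removes the rule again; the stanza names and the addresses are assumptions. The commands are only collected and printed, never executed.

```python
"""Simplified model of knockd sequence matching over constructed knock events.

Added example, not knockd's own code. It reproduces the documented semantics
of sequence, seq_timeout, tcpflags and %IP% closely enough to reason about
why a knock does or does not open the door; it is not a packet sniffer.
"""
import configparser
from dataclasses import dataclass

# Constructed knockd.conf: the article's openSSH stanza plus an assumed
# closeSSH stanza whose reverse sequence deletes the iptables rule again.
KNOCKD_CONF = """
[openSSH]
sequence    = 7000,8000,9000
seq_timeout = 5
command     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags    = syn

[closeSSH]
sequence    = 9000,8000,7000
seq_timeout = 5
command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags    = syn
"""


@dataclass
class Knock:
    t: float            # seconds since start of the (constructed) capture
    src: str            # source address of the knocking client
    dport: int          # destination port that was hit
    flags: str = "syn"  # TCP flags seen on the packet


def parse_conf(text):
    """Turn knockd.conf stanzas into rule dicts.

    Interpolation is disabled so the literal %IP% placeholder survives.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    rules = []
    for name in cp.sections():
        if name == "options":        # global section, not a door
            continue
        sec = cp[name]
        rules.append({
            "name": name,
            "sequence": [int(p) for p in sec["sequence"].split(",")],
            "seq_timeout": float(sec["seq_timeout"]),
            "command": sec["command"],
            "tcpflags": sec.get("tcpflags", "").strip() or None,
        })
    return rules


def run(rules, knocks):
    """Replay knocks and return (door, src, expanded command) for each door opened."""
    fired = []
    attempts = {}  # (door name, src) -> [index of next expected port, time of first hit]
    for k in knocks:
        for r in rules:
            if r["tcpflags"] and k.flags != r["tcpflags"]:
                continue  # tcpflags filter: packets with other flags are ignored
            key = (r["name"], k.src)
            st = attempts.get(key)
            if st and k.t - st[1] > r["seq_timeout"]:
                st = None  # too slow: the full sequence must land within seq_timeout
            if st is None:
                st = [0, k.t]
            if k.dport == r["sequence"][st[0]]:
                st[0] += 1
                if st[0] == len(r["sequence"]):
                    # Sequence complete: substitute %IP% and record the command
                    fired.append((r["name"], k.src, r["command"].replace("%IP%", k.src)))
                    attempts.pop(key, None)
                    continue
                attempts[key] = st
            else:
                # Wrong port resets the attempt; the hit may still start a new one
                attempts.pop(key, None)
                if k.dport == r["sequence"][0]:
                    attempts[key] = [1, k.t]
    return fired


# Constructed events: one good open knock, one too slow, one out of order,
# one with the wrong TCP flags, then the reverse knock that closes the door.
SAMPLE_KNOCKS = [
    Knock(0.0, "10.0.0.5", 7000), Knock(0.8, "10.0.0.5", 8000), Knock(1.6, "10.0.0.5", 9000),
    Knock(2.0, "10.0.0.9", 7000), Knock(2.5, "10.0.0.9", 8000), Knock(9.0, "10.0.0.9", 9000),
    Knock(10.0, "10.0.0.7", 7000), Knock(10.3, "10.0.0.7", 9000), Knock(10.6, "10.0.0.7", 8000),
    Knock(12.0, "10.0.0.3", 7000, "ack"), Knock(12.3, "10.0.0.3", 8000, "ack"),
    Knock(12.6, "10.0.0.3", 9000, "ack"),
    Knock(30.0, "10.0.0.5", 9000), Knock(30.5, "10.0.0.5", 8000), Knock(31.0, "10.0.0.5", 7000),
]

if __name__ == "__main__":
    for door, src, cmd in run(parse_conf(KNOCKD_CONF), SAMPLE_KNOCKS):
        print(f"{door} from {src}: would run: {cmd}")
```

Only 10.0.0.5 gets through: it opens the door and later closes it again, while the slow, out-of-order and ACK-only attempts never complete. Note that with a plain three-port sequence anyone who can sniff the knock can replay it, which is the exposure the one_time_sequences feature addresses.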

Of course, you must still pay attention to basic security measures, such as strong passwords, access controls on applications, and keeping your systems updated. Knockd adds a useful and strong barrier to unauthorized entry on top of this foundation. Visit the Knockd Wiki for more information.
