zeldor.biz

Linux, programming and more

Knock Knock

by Leave a Comment

SSH is by default very strong, and since a long time without critical bugs. It has strong protection against various hacks and known vulnerabilities. For instance SSH has a password retry wait time of (default) five seconds. This makes the time for brute force attacking an SSH-server very long and not effective. However, sometimes script-kiddies will fork their hacking program making multiple processes of the brute force attack. Sometimes they are able to fork it off upwards of 1000 attempts every 5 seconds. This drastically minimizes the time to crack short passwords.

I think SSH is secure enough, but there is always a way to make it more secure.

Install knock daemon:

1

aptitude install knockd


Don’t try to start it you will get this warning:
knockd disabled: not starting. To enable it edit /etc/default/knockd (warning).

1
2

rhea ~ # vim /etc/default/knockd
# START_KNOCKD=1
1
2
3
4
5
6
7
8
9
10
11

rhea ~ # cat /etc/knockd.conf 
[options]
        logfile = /var/log/knockd.log
 
[opencloseSSH]
    sequence      = 5555,7777,9999
    seq_timeout   = 15
    tcpflags      = syn
    start_command = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    cmd_timeout   = 10
    stop_command  = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT

Knock to get access to server rhea:

1

id@tower:~$ knock rhea 5555 7777 9999

Use flag -v to be verbos

You could use this tiny firewall to test knocking;

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20

iptables -F                                                                                                                                                                                                                                                                    
iptables -X                                                                                                                                                                                                                                                                    
 
iptables -P INPUT DROP                                                                                                                                                                                                                                                         
iptables -P FORWARD DROP                                                                                                                                                                                                                                                       
iptables -P OUTPUT ACCEPT                                                                                                                                                                                                                                                      
 
iptables -A INPUT -p icmp -j ACCEPT                                                                                                                                                                                                                                            
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT                                                                                                                                                                                                               
 
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset                                                                                                                                                                                                                     
iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable                                                                                                                                                                                                         
 
iptables -A INPUT -i lo -j ACCEPT                                                                                                                                                                                                                                              
 
# HTTP                                                                                                                                                                                                                                                                         
iptables -A INPUT -p tcp --dport 80 -j ACCEPT                                                                                                                                                                                                                                  
 
# SSH only from one PC - if you have trouble                                                                                                                                                                                                                                   
iptables -A INPUT -p tcp -s 192.168.1.5 --dport 22 -j ACCEPT

Please remember the knock ports, or you lock yourself out – you have no other chance to get SSH working. (Only Monitor way)

There is a knock client for windows too: Click-me

Categories

Archives

Tags

apache2 Apple arduino ARM Automation backup bash Cisco Cluster Corosync Database Debian Debian squeeze DIY DNS Fedora FTP Fun Icinga Ipv6 KVM Linux LVM MAC OS X Monitoring MySQL Nagios Nginx openSUSE OpenVPN PHP Proxy Python python3 qemu RAID rsync Samba security ssh Ubuntu virtualization Windows Windows 7 Wordpress

Leave a Reply

Your email address will not be published. Required fields are marked *