zeldor.biz

Linux, programming and more


Knock Knock

January 3, 2011 by Igor Drobot

SSH is very strong by default and has gone a long time without critical bugs. It has solid protection against many attacks and known vulnerabilities. For instance, SSH has a password retry wait time of five seconds by default, which makes brute-forcing an SSH server very slow and ineffective. However, script kiddies will sometimes fork their attack tool into many parallel processes, reaching upwards of 1000 attempts every 5 seconds. That drastically shortens the time needed to crack short passwords.

I think SSH is secure enough, but there is always a way to make it more secure.

Install the knock daemon:

aptitude install knockd


Don't try to start it yet; you will get this warning:
knockd disabled: not starting. To enable it edit /etc/default/knockd (warning).

Enable it by setting START_KNOCKD=1 in /etc/default/knockd:

rhea ~ # vim /etc/default/knockd
START_KNOCKD=1

rhea ~ # cat /etc/knockd.conf
[options]
        logfile = /var/log/knockd.log

[opencloseSSH]
    sequence      = 5555,7777,9999
    seq_timeout   = 15
    tcpflags      = syn
    # insert (-I) rather than append (-A), so the ACCEPT lands above any
    # catch-all REJECT/DROP rule already present in the INPUT chain
    start_command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    cmd_timeout   = 10
    stop_command  = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT

Knock to get access to server rhea:

id@tower:~$ knock rhea 5555 7777 9999

Use the -v flag for verbose output.
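Once knocking is in place, the logfile configured in the [options] section above is the place to watch: every hit on the first knock port that never completes the sequence is a host guessing at the knock ports. The script below is an added example, not code from the original post or from the knockd project. It assumes the default knockd log line format ("[date time] <ip>: <section>: Stage <n>" and "... OPEN SESAME"); the sample log it runs over is constructed, not captured from a real server, and the IPs 192.168.1.5 and 203.0.113.9 are illustrative.

```shell
# Added example, not part of the original post: audit /var/log/knockd.log
# (the logfile set in the [options] section of knockd.conf).
# The log line format is assumed from knockd's default output and the sample
# below is constructed, not captured from a real server:
#   [YYYY-MM-DD HH:MM:SS] <ip>: <section>: Stage <n>
#   [YYYY-MM-DD HH:MM:SS] <ip>: <section>: OPEN SESAME
# Lines without a leading IP (running command, command timeout) are ignored.

SAMPLE_LOG='[2011-01-03 12:00:05] 192.168.1.5: opencloseSSH: Stage 1
[2011-01-03 12:00:05] 192.168.1.5: opencloseSSH: Stage 2
[2011-01-03 12:00:06] 192.168.1.5: opencloseSSH: Stage 3
[2011-01-03 12:00:06] 192.168.1.5: opencloseSSH: OPEN SESAME
[2011-01-03 12:00:06] opencloseSSH: running command: /sbin/iptables -I INPUT -s 192.168.1.5 -p tcp --dport 22 -j ACCEPT
[2011-01-03 12:00:16] opencloseSSH: command timeout
[2011-01-03 12:00:16] opencloseSSH: running command: /sbin/iptables -D INPUT -s 192.168.1.5 -p tcp --dport 22 -j ACCEPT
[2011-01-03 12:05:40] 203.0.113.9: opencloseSSH: Stage 1
[2011-01-03 12:05:41] 203.0.113.9: opencloseSSH: Stage 1
[2011-01-03 12:05:41] 203.0.113.9: opencloseSSH: Stage 2
[2011-01-03 12:06:10] 203.0.113.9: opencloseSSH: Stage 1'

# knock_summary: read knockd log text on stdin, print one line per source IP:
#   <ip> <completed sequences> <sequences started but never completed>
# A completed sequence is an "OPEN SESAME" line; every "Stage 1" line starts
# a new attempt, so started-minus-completed is the count of failed attempts.
knock_summary() {
    awk '
    # only lines of the form "[date time] <ip>: <section>: <event>"
    /^\[[^]]*\] [0-9.]+: [^:]+: / {
        ip = $3; sub(/:$/, "", ip)
        if ($0 ~ /: Stage 1$/)     started[ip]++
        if ($0 ~ /: OPEN SESAME$/) opened[ip]++
    }
    END {
        for (ip in started)
            printf "%s %d %d\n", ip, opened[ip] + 0, started[ip] - (opened[ip] + 0)
    }' | sort
}

# knock_suspects N: IPs with at least N failed attempts, i.e. hosts hitting the
# first knock port repeatedly without ever producing the full sequence.
knock_suspects() {
    knock_summary | awk -v threshold="$1" '$3 >= threshold { print $1 }'
}

# Stand-alone run on the constructed sample; on the server use:
#   knock_summary < /var/log/knockd.log
printf '%s\n' "$SAMPLE_LOG" | knock_summary
printf '%s\n' "$SAMPLE_LOG" | knock_suspects 2
```

On the sample, 192.168.1.5 shows one completed sequence and no failures, while 203.0.113.9 shows three starts and no completion, which is what a scan of the knock ports looks like in this log. Feed the real file in with `knock_summary < /var/log/knockd.log`, or pipe `tail -f` through it for a live view.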

You can use this tiny firewall to test knocking. iptables evaluates a chain top to bottom, so the catch-all REJECT rules go last; otherwise the loopback, HTTP and SSH rules (and the rule knockd adds) would never be reached:

iptables -F
iptables -X

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# HTTP
iptables -A INPUT -p tcp --dport 80 -j ACCEPT

# SSH only from one PC - if you have trouble
iptables -A INPUT -p tcp -s 192.168.1.5 --dport 22 -j ACCEPT

# Reject everything else. These must stay at the bottom of the chain, and the
# rule knockd adds must be inserted (-I) above them, not appended (-A) below.
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
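Rule order is the classic way a knockd setup fails silently: the knock is logged, the iptables command runs, and SSH still gets a reset because a catch-all "-p tcp -j REJECT" sits above the new ACCEPT. The check below is an added example, not code from the original post or from any project; it reads the output format of `iptables -S INPUT` and reports ACCEPT rules that can never match. Both rule listings are constructed: the first has the catch-all REJECT ahead of the service rules, the second has the catch-alls last with a knock-opened rule for the illustrative client 198.51.100.7 inserted at the top, which is how a `-I INPUT` rule appears in `iptables -S`.

```shell
# Added example, not from the original post: detect INPUT rules that a
# catch-all TCP REJECT/DROP makes unreachable. iptables walks a chain top to
# bottom and the first matching terminating target wins, so a later
# "--dport 22 -j ACCEPT" (including the one knockd adds with -A) never fires.
# Both rule listings are constructed in the format of `iptables -S INPUT`;
# the IP 198.51.100.7 stands for a client that has just knocked.

# Catch-all REJECT placed before the service rules
RULES_REJECT_FIRST='-P INPUT DROP
-A INPUT -p icmp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s 192.168.1.5/32 -p tcp -m tcp --dport 22 -j ACCEPT'

# Same rules with the catch-alls last and knockd's rule inserted (-I) at the top
RULES_REJECT_LAST='-P INPUT DROP
-A INPUT -s 198.51.100.7/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s 192.168.1.5/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable'

# shadowed_accepts: read `iptables -S INPUT` lines on stdin and print every
# ACCEPT rule that sits below a catch-all TCP REJECT/DROP (a "-p tcp" rule with
# no --dport and no source restriction). Rules without any -p are included,
# since TCP traffic would hit the catch-all before reaching them.
shadowed_accepts() {
    awk '
    /^-A INPUT / && / -p tcp / && !/--dport/ && !/ -s / && (/-j REJECT/ || /-j DROP/) {
        catchall = 1; next
    }
    catchall && /^-A INPUT / && /-j ACCEPT/ && (/ -p tcp / || !/ -p /) { print }
    '
}

# shadowed_count: number of such rules (0 means the ordering is sound)
shadowed_count() {
    shadowed_accepts | awk 'END { print NR }'
}

# Stand-alone demonstration; on the server: iptables -S INPUT | shadowed_accepts
printf '%s\n' "$RULES_REJECT_FIRST" | shadowed_accepts
```

Against the first listing the check reports three unreachable rules (loopback, HTTP and the static SSH rule); against the second it reports none. Running `iptables -S INPUT | shadowed_count` right after a test knock is a quick way to confirm that the rule knockd added actually landed above the catch-alls.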

Remember the knock ports, or you will lock yourself out: without the sequence there is no other way to get SSH working again, short of a monitor and keyboard on the machine itself.

There is a knock client for Windows too: Click-me

Filed Under: Debian, Linux, Networking, Windows Tagged With: knock, security, ssh
