zeldor.biz

Linux, programming and more


Knock Knock

January 3, 2011 by Igor Drobot Leave a Comment

SSH is by default very strong, and it has gone a long time without critical bugs. It has strong protection against various hacks and known vulnerabilities. For instance, SSH has a default password-retry wait time of five seconds, which makes brute-forcing an SSH server very slow and ineffective. However, script kiddies sometimes fork their attack program into many processes; they can reach upwards of 1000 attempts every 5 seconds, which drastically shortens the time needed to crack short passwords.

I think SSH is secure enough, but there is always a way to make it more secure.

Install the knock daemon:

aptitude install knockd


Don’t try to start it yet; you will get this warning:
knockd disabled: not starting. To enable it edit /etc/default/knockd (warning).

rhea ~ # vim /etc/default/knockd
# set this to 1 to enable the daemon
START_KNOCKD=1

rhea ~ # cat /etc/knockd.conf
[options]
        logfile = /var/log/knockd.log

[opencloseSSH]
    sequence      = 5555,7777,9999
    seq_timeout   = 15
    tcpflags      = syn
    start_command = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    cmd_timeout   = 10
    stop_command  = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT

Knock to get access to server rhea:

id@tower:~$ knock rhea 5555 7777 9999

Use the -v flag for verbose output.
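As an added example (not part of the original post and not knockd's own code), here is a small Python model of the matching rule the [opencloseSSH] stanza above configures, replayed over a few constructed SYN events; the stanza text and the source addresses are constructed to match the post.

```python
import re
# Constructed copy of the page's [opencloseSSH] stanza; this is an added illustration, not knockd code.
CONF = """[opencloseSSH]
    sequence      = 5555,7777,9999
    seq_timeout   = 15
    tcpflags      = syn
    start_command = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    cmd_timeout   = 10
    stop_command  = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
"""

def parse_knockd_conf(text):
    """Return {section: {key: value}} for knockd.conf-style text."""
    sections, current = {}, None
    for line in text.splitlines():
        m = re.fullmatch(r"\s*\[(\w+)\]\s*", line)
        if m:
            current = sections.setdefault(m.group(1), {})
        elif "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return sections

def match_knocks(stanza, syns):
    """Replay (t, ip, port) SYN events through one stanza: ports in order, from one source,
    inside seq_timeout; a wrong port resets. Returns (open_t, close_t, start, stop) per knock."""
    seq = [int(p) for p in stanza["sequence"].split(",")]
    seq_timeout, cmd_timeout = int(stanza["seq_timeout"]), int(stanza["cmd_timeout"])
    progress, opened = {}, []              # progress: ip -> (next index, first-knock time)
    for t, ip, port in sorted(syns):
        idx, t0 = progress.get(ip, (0, t))
        if idx and t - t0 > seq_timeout:   # whole sequence too slow: start over
            idx, t0 = 0, t
        if port != seq[idx]:               # wrong port: this source starts over
            progress.pop(ip, None)
            continue
        idx += 1
        if idx < len(seq):
            progress[ip] = (idx, t0)
            continue
        progress.pop(ip, None)             # complete: %IP% is filled in as knockd does
        cmds = [stanza[k].replace("%IP%", ip) for k in ("start_command", "stop_command")]
        opened.append((t, t + cmd_timeout, *cmds))
    return opened

# Constructed SYN events: one correct knock, one too slow, one out of order.
SYNS = [(0, "10.0.0.5", 5555), (1, "10.0.0.5", 7777), (2, "10.0.0.5", 9999),
        (0, "10.0.0.9", 5555), (20, "10.0.0.9", 7777), (21, "10.0.0.9", 9999),
        (5, "10.0.0.7", 5555), (6, "10.0.0.7", 9999), (7, "10.0.0.7", 7777)]
```

Only 10.0.0.5 gets the port opened at t=2 and closed again at t=12 (cmd_timeout); the slow and out-of-order sources never trigger start_command.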

You could use this tiny firewall to test knocking:

iptables -F
iptables -X

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# accept rules first: iptables walks the chain in order
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# HTTP
iptables -A INPUT -p tcp --dport 80 -j ACCEPT

# SSH only from one PC - if you have trouble
iptables -A INPUT -p tcp -s 192.168.1.5 --dport 22 -j ACCEPT

# catch-all rejects last, otherwise nothing after them is ever reached.
# knockd's start_command appends with -A, so its rule would also land after these:
# either leave them out and rely on the DROP policy, or use -I INPUT in start_command.
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable

Please remember the knock ports, or you lock yourself out – then you have no other way to get SSH working (only via the console).

There is a knock client for Windows too: Click-me

Filed Under: Debian, Linux, Networking, Windows Tagged With: knock, security, ssh
