Sunday, October 5, 2008

Installing and using knockd to allow temporary SSH access

knockd is a port-knock server which runs silently on your machine until it sees a specific port sequence. When it sees that sequence it performs the action associated with it. Port sequences and their associated actions are configured in knockd's configuration file /etc/knockd.conf.
In the example below we will use knockd to, upon seeing a specific sequence of port knocks, open a "hole" in our firewall to allow ssh access from outside. Don't worry, this is not insecure as you will be the only one who knows that port sequence, unless of course you share it with someone else :)
To accomplish this we will need to do following:
  • install knockd
  • configure it to allow ssh access on seeing a specific port sequence
  • configure it to close ssh access on seeing a different port sequence
Install knockd using: sudo apt-get install knockd. This installation will create a file /etc/knockd.conf.
Open this file using “sudo nano /etc/knockd.conf”. The file will look something like this (the command lines are truncated by nano on screen; they end in ACCEPT):

[options]
    logfile = /var/log/knockd.log

[openSSH]
    sequence    = 7000,8000,9000
    seq_timeout = 5
    command     = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn

[closeSSH]
    sequence    = 9000,8000,7000
    seq_timeout = 5
    command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn

We need to change the sequence and seq_timeout lines in both the [openSSH] and [closeSSH] sections. This is just a precautionary measure, as the sequence 7000,8000,9000 is very common and well known. With the sequences used later in this post, the [openSSH] sequence becomes 5000,7000,9000 and the [closeSSH] sequence becomes 6000,7000,8000. You can use any sequence that you like, but avoid commonly used ports. You can even use ports that are closed/blocked on your system, as knockd works at the link layer and will see all the traffic destined for your system, even for closed or blocked ports. Don't change the command, tcpflags or logfile options. After you have changed the file, save it.

Now you need to edit /etc/default/knockd. Open that file using “sudo nano /etc/default/knockd”. Change it to match the following. This will ensure that knockd is always run as a daemon at init, i.e. at system startup.

The “-i eth0” option makes knockd listen on eth0 for the port-knock sequence. You can change it to whichever interface you want knockd to listen on.

Now start knockd. You only need to do this once, since it will start at boot from now on.

sudo /etc/init.d/knockd start

Now you are up and running :). knockd will open ssh access for you when it sees the specific port-knock sequence. To try this, SSH to this computer from any other machine that reaches it through the interface you selected in /etc/default/knockd (eth0 in my case). Your firewall will not allow access. To get access you will need to knock at the doors of your computer, and for that you will need a knock client on the machine you are using to ssh from. If you are using a Linux machine, install the knockd package (it contains the knock client); if you are using a Windows machine, you can use the Windows client from here.

To knock, issue the following command (replace <ip-of-your-computer> with the IP of your computer):

knock <ip-of-your-computer> 5000 7000 9000

This will open ssh access for you. Now use ssh to access your gateway. When you are finished, issue the following command to close the ssh access:

knock <ip-of-your-computer> 6000 7000 8000
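To make the sequence, seq_timeout and %IP% settings concrete, here is an added Python model of how knockd tracks each source IP's progress through a door's sequence and renders the command to run. It is an example written for this post, not knockd's own code; the doors and commands mirror the edited config above, and the SYN records fed to it are constructed.

```python
"""Simplified model of how knockd matches a knock sequence per source IP.
Constructed example for this post; it is not knockd's own code."""
from collections import defaultdict

# Constructed doors mirroring the post's edited [openSSH] / [closeSSH] sections
DOORS = {
    "openSSH": {
        "sequence": (5000, 7000, 9000), "seq_timeout": 5,
        "command": "/sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT",
    },
    "closeSSH": {
        "sequence": (6000, 7000, 8000), "seq_timeout": 5,
        "command": "/sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT",
    },
}

class KnockMatcher:
    def __init__(self, doors=DOORS):
        self.doors = doors
        # knockd only sniffs ports that appear in some sequence
        self.watched = {p for d in doors.values() for p in d["sequence"]}
        # (door, src_ip) -> [index of next expected port, time of first knock]
        self.attempts = defaultdict(lambda: [0, None])

    def feed(self, ts, src, dport):
        """Process one TCP SYN (timestamp, source IP, destination port).
        Returns the commands, with %IP% substituted, that would be run."""
        if dport not in self.watched:
            return []
        fired = []
        for name, door in self.doors.items():
            seq, att = door["sequence"], self.attempts[(name, src)]
            # A partial attempt older than seq_timeout is forgotten
            if att[1] is not None and ts - att[1] > door["seq_timeout"]:
                att[:] = [0, None]
            if dport != seq[att[0]]:
                att[:] = [0, None]  # wrong port aborts this door's attempt
                continue
            if att[0] == 0:
                att[1] = ts  # first knock starts the timeout clock
            att[0] += 1
            if att[0] == len(seq):
                fired.append(door["command"].replace("%IP%", src))
                att[:] = [0, None]
        return fired

def run_trace(events):
    """Feed constructed (ts, src_ip, dport) SYN records through one matcher."""
    m = KnockMatcher()
    return [cmd for ev in events for cmd in m.feed(*ev)]
```

Feeding it a correct sequence within 5 seconds yields the iptables ACCEPT command for that source; a sequence spread over more than seq_timeout, an out-of-order knock, or knocks split across two source IPs yields nothing.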