Port knocking

Redouane OTMANI
6 min readOct 3, 2022


Port knocking is a simple concept: it is like inviting friends to your home and telling them "when you arrive, ring twice short and then once long", so that I can recognize you and open the door; anything else is a false alarm. On a server, the doorbell is a sequence of connection attempts to closed ports, and only a host that sends the right sequence gets the real port (SSH here) opened for its address. Keep in mind that the sequence travels in the clear, so anyone able to sniff the path can replay it: port knocking hides the service from scanners, it does not replace key-based authentication.

Start by updating the system:

# sudo apt-get update && sudo apt-get upgrade

From here there are two methods: the first uses iptables directly, the second uses the knockd package (simpler, and the one I recommend). I'll go through both of them.

We need to make sure that the SSH server is installed:

# sudo apt-get install openssh-server

Then check that it is running:

# sudo service ssh status

Network Topology

Plan

1. First method : Using Knockd

   1.1 Install & Configure Knockd

   1.2 Closing the port

   1.3 Configure the knock client

2. Second method : Manually using IPTables

1. First method : Using Knockd

1.1 Install & Configure Knockd

Let's start by installing knockd:

# sudo apt install knockd

Then edit the file “knockd.conf”:

# sudo nano /etc/knockd.conf

Here we see the default configuration. It is important to change these default values: they ship with the package and are publicly known, so anyone could use them to open your port.

We then modify the sequences; you can use any sequence you prefer. In our example, "knocking" on ports 7777, 8888 then 9999 opens the SSH port, and knocking on 4444, 5555 then 6666 closes it again.

Next, edit “/etc/default/knockd”:

# sudo nano /etc/default/knockd

Look for the line “START_KNOCKD”, uncomment it and set the value to 1.

On the line “KNOCKD_OPTS”, pass the machine's active interface with -i; ifconfig, ip link or tcpdump -D will show it.

In my case it is the “ens33” interface, so the line becomes KNOCKD_OPTS="-i ens33".

Save and quit the file.

We can now start, enable and check the status of knockd:

# sudo systemctl start knockd

# sudo systemctl enable knockd

# sudo systemctl status knockd
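As an added example (not the author's configuration files, which the post shows as screenshots), the script below writes the two files edited above for the sequences used in this article and refuses to deploy the sequences shipped with the package. The destination paths are parameters so it can be tried in a scratch directory first; the interface name ens33 is the author's, and the check_knockd_conf and install_knockd functions are my own. The command lines follow the package's sample configuration: knockd expands %IP% to the knocker's address, so only that host is let in, and the rule is inserted (-I) at the top of INPUT so it is evaluated before ufw's own chains.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): write /etc/knockd.conf and
# /etc/default/knockd for the sequences used in this article and check them
# before knockd is started. Destination paths are parameters, so run it
# against a scratch directory first; ens33 is the author's interface name.
set -eu

# Sequences shipped in the package's sample knockd.conf: never deploy them.
DEFAULT_SEQUENCES="7000,8000,9000 9000,8000,7000"

# write_knockd_conf DEST OPEN_SEQ CLOSE_SEQ
# tcpflags = syn: only SYN packets count as knocks, so stray RSTs or data
# packets from a scanner cannot advance or break a sequence.
# %IP% is expanded by knockd to the knocker's address; -I puts the ACCEPT
# rule before ufw's chains in INPUT, -D removes that same rule again.
write_knockd_conf() {
    local dest=$1 open_seq=$2 close_seq=$3
    cat > "$dest" <<EOF
[options]
    UseSyslog

[openSSH]
    sequence    = $open_seq
    seq_timeout = 10
    tcpflags    = syn
    command     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT

[closeSSH]
    sequence    = $close_seq
    seq_timeout = 10
    tcpflags    = syn
    command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
EOF
}

# write_knockd_default DEST IFACE: enable the daemon and bind it to IFACE.
write_knockd_default() {
    local dest=$1 iface=$2
    cat > "$dest" <<EOF
START_KNOCKD=1
KNOCKD_OPTS="-i $iface"
EOF
}

# check_knockd_conf FILE: fail if a sequence is still one of the well-known
# defaults, or if the open and close sequences are the same.
check_knockd_conf() {
    local file=$1 seqs s d
    seqs=$(sed -n 's/^[[:space:]]*sequence[[:space:]]*=[[:space:]]*//p' "$file" | tr -d ' ')
    [ -n "$seqs" ] || { echo "$file: no sequence found" >&2; return 1; }
    for s in $seqs; do
        for d in $DEFAULT_SEQUENCES; do
            if [ "$s" = "$d" ]; then
                echo "$file: refusing well-known sequence $s" >&2
                return 1
            fi
        done
    done
    if [ -n "$(printf '%s\n' $seqs | sort | uniq -d)" ]; then
        echo "$file: open and close sequences must differ" >&2
        return 1
    fi
}

# install_knockd IFACE: the real deployment, to be run as root on the server.
install_knockd() {
    write_knockd_conf /etc/knockd.conf 7777,8888,9999 4444,5555,6666
    check_knockd_conf /etc/knockd.conf
    write_knockd_default /etc/default/knockd "$1"
    systemctl enable --now knockd
}
```

On the server, `sudo bash -c '. ./knockd-setup.sh; install_knockd ens33'` does what the manual steps above do. Once a session is open, sending the close sequence only removes the ACCEPT rule for new connections; the running SSH session keeps working because ufw accepts established traffic.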

1.2 Closing the port

We need to close the SSH port, since knockd's role is to open and close it on demand.

Enable the ufw firewall (its default policy denies incoming connections), then check its status. Do this from the console rather than over SSH, because enabling ufw blocks new SSH connections until you knock:

# sudo ufw enable

# sudo ufw status numbered

As we can see, all incoming ports are closed. Let's jump to our Kali machine and try to connect to the Ubuntu machine via SSH; we get a connection timeout:

# ssh <Username>@<Server IP Address>

1.3 Configure the knock client

On the Kali side, install the knock client (it ships in the same knockd package), then send the sequence:

# sudo apt install knockd

# knock -v <Server IP Address> <Sequence>

In my case :

# knock -v 192.168.205.129 7777 8888 9999

To close the port, send the closing knock sequence:

# knock -v 192.168.205.129 4444 5555 6666
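If the knock client is not available on the client side, the same thing can be done with bash alone. This is an added example, not the author's commands: each knock is one connect() attempt to a port, which sends the SYN that knockd (with tcpflags = syn) or the iptables rules of the second method look for, and the attempt is abandoned after half a second because a dropped port never answers. The server address and the sequences are the article's; the function names are mine.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): a knock client that needs only
# bash and coreutils, for a machine where the knock package is not installed.
# Each knock is a single connect() attempt, i.e. one SYN, which is what knockd
# (tcpflags = syn) or the iptables rules of the second method look for.
# 192.168.205.129 and the sequences are the article's; adjust them to yours.

SERVER=${SERVER:-192.168.205.129}
OPEN_SEQ="7777 8888 9999"
CLOSE_SEQ="4444 5555 6666"
# A dropped port never answers, so give up on each attempt quickly. Keep this
# below 1 s (the kernel's first SYN retransmit) so each knock is exactly one SYN.
KNOCK_WAIT=${KNOCK_WAIT:-0.5}

# knock_ports HOST PORT...: one connection attempt per port, in order.
knock_ports() {
    local host=$1 port
    shift
    for port in "$@"; do
        # /dev/tcp/HOST/PORT is a bash pseudo-device; the SYN leaves as soon
        # as connect() is called, so killing the attempt early loses nothing.
        timeout "$KNOCK_WAIT" bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null || true
        echo "knocked $host:$port"
    done
}

# port_open HOST PORT: succeed only if a TCP handshake completes within 2 s.
port_open() {
    timeout 2 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# open_ssh HOST: send the open sequence, then wait up to 5 s for port 22.
open_ssh() {
    local host=$1 i
    knock_ports "$host" $OPEN_SEQ
    for i in 1 2 3 4 5; do
        port_open "$host" 22 && return 0
        sleep 1
    done
    echo "port 22 on $host is still closed after knocking" >&2
    return 1
}

# close_ssh HOST: send the close sequence.
close_ssh() {
    knock_ports "$1" $CLOSE_SEQ
}

# Typical session (not executed when the file is sourced): open, work, close.
#   open_ssh "$SERVER" && ssh user@"$SERVER"; close_ssh "$SERVER"
```

Against the ufw setup of method 1 each knock takes the full KNOCK_WAIT because the packets are dropped; against the iptables script of method 2 the knocked ports answer with a reset, so the sequence completes almost instantly. Either way the whole sequence must fit inside the server's window (seq_timeout, or --seconds 10 in the second method).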

2. Second method : Manually using IPTables

First, we need to make sure that SSH is running:

# service ssh status

Next, we create a bash script containing the commands that add our rules to iptables, and put the following into it:

#!/bin/bash
# -F flushes every rule, -X deletes the (now empty) user-defined chains.
# Flush first: a chain that is still referenced by a rule cannot be deleted.
iptables -F
iptables -X

# Accept packets belonging to SSH connections that are already open, so a
# session survives once the knock window has expired.
iptables -A INPUT -p tcp --dport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT

# One chain per stage: each moves the knocker from list P(n-1) to list Pn
# and logs the transition with a recognisable prefix.
iptables -N INTO-P2
iptables -A INTO-P2 -m recent --name P1 --remove
iptables -A INTO-P2 -m recent --name P2 --set
iptables -A INTO-P2 -j LOG --log-prefix "INTO P2: "

iptables -N INTO-P3
iptables -A INTO-P3 -m recent --name P2 --remove
iptables -A INTO-P3 -m recent --name P3 --set
iptables -A INTO-P3 -j LOG --log-prefix "INTO P3: "

iptables -N INTO-P4
iptables -A INTO-P4 -m recent --name P3 --remove
iptables -A INTO-P4 -m recent --name P4 --set
iptables -A INTO-P4 -j LOG --log-prefix "INTO P4: "

# Refresh the "last seen" timestamp of any host already in P1.
iptables -A INPUT -m recent --update --name P1
# The sequence: 6666, 7777, 8888, 9999. The less guessable it is, the better.
# Each step only counts if the previous one was seen in the last 10 seconds.
iptables -A INPUT -p tcp --dport 6666 -m recent --name P1 --set
iptables -A INPUT -p tcp --dport 7777 -m recent --rcheck --seconds 10 --name P1 -j INTO-P2
iptables -A INPUT -p tcp --dport 8888 -m recent --rcheck --seconds 10 --name P2 -j INTO-P3
iptables -A INPUT -p tcp --dport 9999 -m recent --rcheck --seconds 10 --name P3 -j INTO-P4
# Open SSH for a host that completed the sequence within the last 10 seconds.
iptables -A INPUT -p tcp --dport 22 -m recent --rcheck --seconds 10 --name P4 -j ACCEPT
# Default rule: drop new SSH connections from everyone else.
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j DROP

You should have something like this:

Before executing the script, jump to the Kali machine and test a plain SSH connection: it works.

Go back to Ubuntu and execute the script as root (iptables requires it).

[Kali]

We can see that the connection is now blocked.

Now knock on ports 6666, 7777, 8888 and 9999, in that order and within 10 seconds of each other (the --seconds 10 window), then connect via SSH.
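The three LOG rules in the script leave an audit trail in the kernel log (journalctl -k, or /var/log/kern.log) of every host that advanced a stage, which is also the quickest way to see where a failed knock stopped. As an added example, not part of the original post, here is a small report over those lines. The sample log is constructed to look like the LOG target's output for the script above, using the two addresses of the article plus an invented host 192.168.205.77 that only got as far as the second knock; the function names are mine.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): summarise the "INTO Pn:" lines
# written by the LOG rules of the iptables knock script.
# On the server:  journalctl -k --no-pager > /tmp/kern.txt; knock_report /tmp/kern.txt

# knock_report FILE: one line per source address with the highest stage it
# reached and how many times it completed the sequence (stage 4 means port 22
# was opened for it). The DPT field of each line shows the knocked port.
knock_report() {
    awk '
        /INTO P[234]: / {
            # the digit right after "INTO P" is the stage the host entered
            stage = substr($0, index($0, "INTO P") + 6, 1) + 0
            if (match($0, /SRC=[0-9.]+/)) {
                src = substr($0, RSTART + 4, RLENGTH - 4)
                if (stage > best[src]) best[src] = stage
                if (stage == 4) opened[src]++
            }
        }
        END {
            for (src in best)
                printf "%s stage=%d opened=%d\n", src, best[src], opened[src] + 0
        }
    ' "$1" | sort
}

# full_knockers FILE: only the addresses that completed the whole sequence.
full_knockers() {
    knock_report "$1" | awk '$2 == "stage=4" { print $1 }'
}

# Constructed sample in the LOG target's format (some fields trimmed): one
# complete knock from the Kali box and one abandoned attempt from 192.168.205.77.
SAMPLE_LOG=$(cat <<'EOF'
Oct  3 21:14:02 ubuntu kernel: [ 3021.117] INTO P2: IN=ens33 OUT= SRC=192.168.205.128 DST=192.168.205.129 PROTO=TCP SPT=51234 DPT=7777 SYN URGP=0
Oct  3 21:14:02 ubuntu kernel: [ 3021.120] INTO P3: IN=ens33 OUT= SRC=192.168.205.128 DST=192.168.205.129 PROTO=TCP SPT=51235 DPT=8888 SYN URGP=0
Oct  3 21:14:02 ubuntu kernel: [ 3021.123] INTO P4: IN=ens33 OUT= SRC=192.168.205.128 DST=192.168.205.129 PROTO=TCP SPT=51236 DPT=9999 SYN URGP=0
Oct  3 21:20:45 ubuntu kernel: [ 3424.501] INTO P2: IN=ens33 OUT= SRC=192.168.205.77 DST=192.168.205.129 PROTO=TCP SPT=40001 DPT=7777 SYN URGP=0
EOF
)

# sample_report: run the report over the constructed sample.
sample_report() {
    local tmp
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_LOG" > "$tmp"
    knock_report "$tmp"
    rm -f "$tmp"
}
```

A host that shows up with stage=2 or stage=3 over and over, and never stage=4, is either a misconfigured client or someone probing the sequence; a host with opened greater than zero is one the firewall let through, which is the line to correlate with sshd's own log.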

And here you have it, thanks for reading :)

If you enjoy my stories, you can follow me on Twitter

