
Port knocking, or how to protect yourself from SSH brute force
This is about the fight against the annoying brute-force bots and port scanners that keep trying to get into the server. The article covers Port Knocking, a technique that secures access to the server by keeping its ports hidden until a pre-arranged sequence of connection attempts has been seen.

A little about the technology itself
Port knocking is a neat trick: the client makes a sequence of connection attempts to ports that are closed. You may ask why that is useful. Imagine you come for an interview at an organization with access control. First you reach (1) the security desk, where a pass is written out for you; then (2) the HR department, where you fill in a questionnaire and are interviewed; and finally (3) the manager's office, where the final conversation takes place and the decision is made. Now imagine what would happen if everyone wanted to walk straight into the manager's office.
Port knocking, then, is a sequence of connection attempts to closed ports. Even though every port is closed, each attempt is still visible: the firewall logs it, and the knock daemon watches the interface directly (knockd captures with libpcap, so it sees the packets the firewall drops). The server does not answer these connections in any way, but it reads and processes them. If the series of attempts matches a sequence the administrator defined in advance, a configured action is performed. The usual example is opening access to the SSH service on port 22 for the address that knocked, but port knocking is not limited to that: the trigger can run any other action (say, powering off or rebooting the system). Keep in mind what this does and does not buy you: the sequence travels in the clear, so anyone who can sniff the path between you and the server can replay it, and it does nothing against an attacker who already holds a valid SSH credential. It hides the service from scanners and cuts off brute-force noise; it complements key-only authentication, it does not replace it.
Installation on FreeBSD
On the remote machine we have FreeBSD 9.1
Port Knocking consists of two programs:
- server (knockd)
- client (knock)
I will give an example of configuring the server part.
# cd /usr/ports/
# make search key=knocking
Port: doorman-0.81_1
Path: /usr/ports/security/doorman
Info: Port knocking implementation, both daemon and client
Maint: lupe@lupe-christoph.de
B-deps: lsof-4.88.d,8
R-deps: lsof-4.88.d,8
WWW: http://doorman.sourceforge.net/
Port: knock-0.5_1,1
Path: /usr/ports/security/knock
Info: Flexible port-knocking server and client
Maint: sbz@FreeBSD.org
B-deps:
R-deps:
WWW: http://www.zeroflux.org/projects/knock
Go to the directory with the port and configure.
cd /usr/ports/security/knock
make config

In the options menu, tick the server part (the knockd daemon), then build and install the port.
Configuration
Now let's get down to setting it up.
First, copy the config.
# cd /usr/local/etc/
# cp knockd.conf.sample knockd.conf
There are many variants of this config on the net; I will give mine.
knockd.conf
[options]
logfile = /var/log/knockd.log
interface = em0
[opencloseSSH]
sequence = 7000:udp,7007:tcp,7777:udp
seq_timeout = 5
tcpflags = syn
start_command = /sbin/pfctl -t good_hosts -T add %IP%
cmd_timeout = 10
stop_command = /sbin/pfctl -t good_hosts -T delete %IP%
[open22]
sequence = 7134:tcp,7675:tcp,7253:udp
seq_timeout = 5
tcpflags = syn
command = /sbin/pfctl -t good_hosts -T add %IP%
[close22]
sequence = 7253:udp,7675:tcp,7134:tcp
seq_timeout = 5
tcpflags = syn
command = /sbin/pfctl -t good_hosts -T delete %IP%
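To make the semantics of these options concrete (sequence, seq_timeout, tcpflags, and the start_command/cmd_timeout/stop_command trio that the opening section describes in words), here is an added example written for this page; it is not the knockd project's code. It models how a knockd-style daemon turns a packet stream into pfctl commands, parses the config above (trimmed to two doors; the one-shot [close22] door parses exactly like [open22]) and replays a constructed packet stream through it: a correct knock, a port scanner that sweeps through the same ports, and a knocker who takes too long. The model is deliberately simplified: one attempt per source address, and any packet that is not the expected next knock resets that source's attempt. The source addresses and timings are made up for the example.

```python
import configparser

# knockd.conf from the page, trimmed to two doors (the one-shot [close22] parses like [open22]).
KNOCKD_CONF = """
[options]
interface = em0
[opencloseSSH]
sequence = 7000:udp,7007:tcp,7777:udp
seq_timeout = 5
tcpflags = syn
start_command = /sbin/pfctl -t good_hosts -T add %IP%
cmd_timeout = 10
stop_command = /sbin/pfctl -t good_hosts -T delete %IP%
[open22]
sequence = 7134:tcp,7675:tcp,7253:udp
seq_timeout = 5
tcpflags = syn
command = /sbin/pfctl -t good_hosts -T add %IP%
"""


def parse_conf(text):
    """One dict per door: the section's options plus 'name' and a parsed 'steps' list."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))  # keep %IP% literal
    cp.read_string(text)
    doors = []
    for name in cp.sections():
        if name == "options":
            continue
        door = dict(cp[name], name=name)
        door["steps"] = [(int(port), proto or "tcp")  # knockd's default protocol is tcp
                         for port, _, proto in (i.strip().partition(":") for i in door["sequence"].split(","))]
        door["seq_timeout"] = float(door.get("seq_timeout", 5))  # seconds to finish the whole sequence
        door["cmd_timeout"] = float(door.get("cmd_timeout", 0))  # seconds between start_ and stop_command
        doors.append(door)
    return doors


class KnockDaemon:
    def __init__(self, doors):
        self.doors = doors
        self.attempts = {}   # src_ip -> [door, index of the next expected knock, time of the first knock]
        self.pending = []    # (due time, stop_command) waiting for cmd_timeout to elapse
        self.executed = []   # (time, command) in the order knockd would run them

    def _matches(self, door, stage, proto, dport, flags):
        if (dport, proto) != door["steps"][stage]:
            return False
        # tcpflags only constrains TCP knocks: with "syn", an ACK scan on the right port does not count
        return proto != "tcp" or "tcpflags" not in door or door["tcpflags"] in flags

    def tick(self, now):  # run the stop_commands whose cmd_timeout has elapsed
        self.executed.extend(sorted(p for p in self.pending if p[0] <= now))
        self.pending = [p for p in self.pending if p[0] > now]

    def packet(self, t, src_ip, proto, dport, flags=()):
        """Feed one packet seen on the interface; returns the door name if it completes a sequence."""
        self.tick(t)
        att = self.attempts.get(src_ip)
        if att and t - att[2] > att[0]["seq_timeout"]:
            del self.attempts[src_ip]          # too slow: the partial sequence is forgotten
            att = None
        if att is None:
            for door in self.doors:
                if self._matches(door, 0, proto, dport, flags):
                    att = self.attempts[src_ip] = [door, 0, t]
                    break
            if att is None:
                return None                    # not the first knock of any door: ignored
        elif not self._matches(att[0], att[1], proto, dport, flags):
            del self.attempts[src_ip]          # wrong port, protocol or flags: start over
            return None
        att[1] += 1
        if att[1] < len(att[0]["steps"]):
            return None
        door = self.attempts.pop(src_ip)[0]
        if "command" in door:
            self.executed.append((t, door["command"].replace("%IP%", src_ip)))
        else:                                  # start now, schedule the stop for cmd_timeout later
            self.executed.append((t, door["start_command"].replace("%IP%", src_ip)))
            self.pending.append((t + door["cmd_timeout"], door["stop_command"].replace("%IP%", src_ip)))
        return door["name"]


# Constructed packet stream: (time, source, proto, dport, tcp flags).
SAMPLE_PACKETS = [
    (0.0, "198.51.100.7", "udp", 7000, ()),        # legitimate knock, one hit per second
    (1.0, "198.51.100.7", "tcp", 7007, ("syn",)),
    (2.0, "198.51.100.7", "udp", 7777, ()),
    (3.0, "203.0.113.9", "udp", 7000, ()),         # a scanner lands on the first knock by chance
    (3.1, "203.0.113.9", "tcp", 7007, ("ack",)),   # right port but not a SYN: attempt reset
    (3.2, "203.0.113.9", "udp", 7001, ()),         # sweep continues: not a first knock, ignored
    (20.0, "192.0.2.5", "udp", 7000, ()),          # correct order but spread over 6 s
    (22.0, "192.0.2.5", "tcp", 7007, ("syn",)),
    (26.0, "192.0.2.5", "udp", 7777, ()),          # exceeds seq_timeout=5: nothing opens
]


def simulate(packets, doors, end_time):
    """Returns the completed knocks and the commands the daemon would have run by end_time."""
    daemon = KnockDaemon(doors)
    opened = [(t, ip, daemon.packet(t, ip, proto, dport, flags)) for t, ip, proto, dport, flags in packets]
    daemon.tick(end_time)
    return [o for o in opened if o[2]], daemon.executed
```

Run on the sample stream, only 198.51.100.7 gets in: the daemon runs the pfctl add at t=2 and the matching delete at t=12, while the scanner and the slow knocker never complete a sequence. One consequence of the `keep state` rule in the pf config that follows is worth spelling out: the SSH connection you open during those ten seconds survives the stop_command, because removing an address from the table only affects new connections; the existing state stays until the session ends.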
Save the config, enable the service at boot, and start it.
# cd /usr/local/etc/rc.d/
# echo knockd_enable=\"YES\" >> /etc/rc.conf
# service knockd start
Firewall setup
First, enable pf if it is disabled (as it was in my case); the rc.conf variable is pf_enable:
echo pf_enable=\"YES\" >> /etc/rc.conf
I do not advise doing this remotely: when pf starts with the rules below there are no states yet, so every connection, including the SSH session you are working from, is cut off.
Note: if you ignored this and did it remotely anyway, the problem can be solved by enabling root login in sshd_config.
/etc/pf.conf
ext_if="rl0"
table <good_hosts> persist
block in on $ext_if all
pass in on $ext_if inet proto tcp from <good_hosts> to $ext_if port 22 keep state
The angle brackets are pf's table syntax, and the table name must be the one knockd's pfctl commands use (good_hosts). ext_if must be the same interface knockd is told to listen on (interface = em0 in knockd.conf above), so set both to your real external interface. Everything inbound on it is blocked; only addresses that knockd has added to the table may open a TCP connection to port 22, and keep state lets that connection carry on after knockd deletes the address again.
If you use ipfw instead of pf, the knockd commands would add and remove a rule rather than a table entry:
/sbin/ipfw add 100 allow tcp from %IP% to me 22 keep-state
/sbin/ipfw delete 100
Note that ipfw delete 100 removes every rule numbered 100, that is, access for every address that has knocked, not only the one whose cmd_timeout expired.
Reboot.
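The lockout warned about above usually comes from a mismatch between the two configs rather than from pf itself. The following is an added pre-flight check, example code written for this page and not part of knockd or the original article, that cross-reads pf.conf and knockd.conf before you reboot: the interface knockd sniffs must be the one the pf rules apply to, every table knockd's pfctl commands touch must be declared in pf.conf, and some pass rule must actually accept traffic from that table. The two configs are embedded as they appear on the page (with the <good_hosts> brackets restored); run on them, the check reports the em0/rl0 interface mismatch.

```python
import re

# pf.conf and knockd.conf as they stand on the page (angle brackets around the table name restored).
PF_CONF = """
ext_if="rl0"
table <good_hosts> persist
block in on $ext_if all
pass in on $ext_if inet proto tcp from <good_hosts> to $ext_if port 22 keep state
"""
KNOCKD_CONF = """
[options]
logfile = /var/log/knockd.log
interface = em0
[opencloseSSH]
sequence = 7000:udp,7007:tcp,7777:udp
start_command = /sbin/pfctl -t good_hosts -T add %IP%
cmd_timeout = 10
stop_command = /sbin/pfctl -t good_hosts -T delete %IP%
"""


def pf_rule_interfaces(pf_text):
    """Interfaces the block/pass rules apply to, with $macro references resolved."""
    macros = dict(re.findall(r'^\s*(\w+)\s*=\s*"([^"]*)"', pf_text, re.M))
    return {macros.get(m, "$" + m) for m in re.findall(r'\bon\s+\$(\w+)', pf_text)}


def pf_declared_tables(pf_text):
    return set(re.findall(r'^\s*table\s+<(\w+)>', pf_text, re.M))


def pf_pass_tables(pf_text):
    """Tables that some pass rule accepts traffic from."""
    return set(re.findall(r'^\s*pass\b.*\bfrom\s+<(\w+)>', pf_text, re.M))


def knockd_interface(text):
    m = re.search(r'^\s*interface\s*=\s*(\S+)', text, re.M)
    return m.group(1) if m else None


def knockd_tables(text):
    """Tables that knockd's command/start_command/stop_command lines edit via pfctl -t."""
    return set(re.findall(r'^\s*\w*command\s*=.*?pfctl\s+-t\s+(\w+)', text, re.M))


def check(pf_text, knockd_text):
    """Return a list of problems; empty means the two configs agree with each other."""
    problems = []
    iface, pf_ifs = knockd_interface(knockd_text), pf_rule_interfaces(pf_text)
    if iface and pf_ifs and iface not in pf_ifs:
        problems.append(f"interface mismatch: knockd sniffs {iface} but pf rules are on {', '.join(sorted(pf_ifs))}")
    used = knockd_tables(knockd_text)
    for t in sorted(used - pf_declared_tables(pf_text)):
        problems.append(f"knockd edits table <{t}>, which pf.conf never declares")
    for t in sorted(used - pf_pass_tables(pf_text)):
        problems.append(f"no pass rule accepts traffic from <{t}>: a successful knock opens nothing")
    return problems


if __name__ == "__main__":
    for problem in check(PF_CONF, KNOCKD_CONF) or ["configs agree"]:
        print(problem)
```

The check is regex-based and only understands the constructs used on this page (a `table <name>` line, `$macro` interfaces, `from <table>` in pass rules), which is enough to catch the two mistakes that actually lock you out: knockd listening on an interface the rules do not cover, and knockd feeding a table that no rule reads.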
Knocking
To connect, I used a third-party client for macOS, hping.
# knock -v *e*m*o*c*.ru 7000:udp,7007:tcp,7777:udp
hitting udp *1.*0*.*3*.*0:7000
hitting tcp *1.*0*.*3*.*0:7007
hitting udp *1.*0*.*3*.*0:7777
# ssh *e*m*o*c*.ru -l root
Password:
Last login: Thu May 9 11:30:40 2013 from *****
FreeBSD 9.1-RELEASE-p3 (GENERIC) #0: Mon Apr 29 18:11:52 UTC 2013
root@*e*m*o*c*:/root #
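For completeness, an equivalent of the knock client in Python, added here as an example and not the knock project's code: it sends the same 7000:udp,7007:tcp,7777:udp sequence shown in the transcript above. It makes two points explicit. A TCP knock is just the SYN, so a refused or timed-out connect is the expected outcome rather than an error (pf drops the SYN, but knockd has already seen it), which is why the connect timeout is kept short. And the pause between hits must keep the whole sequence inside the server's seq_timeout (5 s in the config above). The 127.0.0.1 target in the usage stanza is a placeholder for the masked hostname on the page.

```python
import socket
import time


def parse_sequence(spec):
    """'7000:udp,7007:tcp,7777:udp' -> [(7000, 'udp'), ...]; like knock, the default protocol is tcp."""
    steps = []
    for item in spec.split(","):
        port, _, proto = item.strip().partition(":")
        steps.append((int(port), proto or "tcp"))
    return steps


def knock(host, spec, delay=0.2, timeout=0.5):
    """Send the knock sequence to host; returns the (proto, port) pairs hit, in order.

    delay * len(sequence) must stay below the server's seq_timeout (5 s in the page's config).
    """
    hits = []
    for port, proto in parse_sequence(spec):
        try:
            if proto == "udp":
                with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
                    sock.sendto(b"", (host, port))  # an empty datagram is enough; knockd only reads the header
            else:
                with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
                    sock.settimeout(timeout)        # pf drops the SYN, so don't wait for the full TCP timeout
                    sock.connect((host, port))
        except OSError:
            pass  # refused or timed out is the normal outcome; knockd never answers, so there is nothing to check
        hits.append((proto, port))
        time.sleep(delay)
    return hits


if __name__ == "__main__":
    # Sequence from the page; 127.0.0.1 stands in for the masked hostname.
    for proto, port in knock("127.0.0.1", "7000:udp,7007:tcp,7777:udp"):
        print(f"hitting {proto} 127.0.0.1:{port}")
```

After the last hit, open the SSH session within the door's cmd_timeout (10 s above), exactly as the transcript does with `ssh ... -l root`.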