
How to open your firewall remotely only for you -knockd-

Date: 2009-03-29 00:00:00 -0400

I am paranoid about security; I am always looking for new ways to secure my server, or even my desktop PC, which I sometimes leave up and running.

One of the beauties of Linux is that it is really easy to administer remotely, but that is also one of the major concerns about Linux security: if you have weak passwords, you are exposed to attacks. There are lots of ways to protect yourself. One of the easiest is to close the firewall and only permit access to port 22 from some specific IPs, but this is not an option if you travel a lot, or if you do not have a fixed IP at the place you usually are when you access your remote server.

Another approach is to use something like DenyHosts or fail2ban; both do almost the same thing: they block a port (22 in most cases) once a threshold number of attempts has been reached.

Now I have found another way: you keep your firewall closed by default, but you are able to open it when you need to access your server, and close it again after use. The package that does the magic is knockd, and as its name says, you knock on the door of the firewall and it opens itself for you, but you need a secret kind of knock. It is like "Open/Close, Simsim" (Open/Close sesame).

Now, let's get to the point and see how to install and use knockd.

Installing it

You may download the knockd source tarball, or install it on Debian with:

sudo aptitude install knockd

If you install it on Debian, be sure to enable it in the file /etc/default/knockd, which has this content:

################################################
#
# knockd's default file, for generic sys config
#
################################################

# control if we start knockd at init or not
# 1 = start
# anything else = don't start
#
# PLEASE EDIT /etc/knockd.conf BEFORE ENABLING
START_KNOCKD=0

# command line options
#KNOCKD_OPTS="-i eth1"

Configuring it

The configuration file is /etc/knockd.conf, and it has this content by default:

[options]
        UseSyslog

[openSSH]
        sequence    = 7000,8000,9000
        seq_timeout = 5
        command     = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
        tcpflags    = syn

[closeSSH]
        sequence    = 9000,8000,7000
        seq_timeout = 5
        command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
        tcpflags    = syn

As you see, it has a port sequence to open the firewall and another to close it. It is highly advisable to change the ports and their order, as this default port sequence is known, and using it will leave your PC vulnerable. Now let's analyze how it works:

When the correct sequence is received, it adds a rule to your iptables firewall, and it does so only for the IP that is knocking at the door. You can modify the port sequence and the rule to match your own setup; let's see an example configuration.

Example

First, create the firewall, making sure the ssh port is closed; actually, I am going to close all ports.

#!/bin/sh
# Start from a clean slate in every table
iptables --flush
iptables -t nat --flush
iptables -t mangle --flush

# Drop everything inbound by default, allow everything outbound
iptables --policy INPUT DROP
iptables --policy OUTPUT ACCEPT

# Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT

# Accept packets that belong to connections we already accepted or started
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

After running the above script as root, check that the rules are in place:

sudo iptables -L

Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination   

As we can see, all ports are closed, and I was not able to ssh to the server while those rules were active. Be sure to change eth0 to the right name of your NIC, or leave out any reference to a NIC to apply the rule on all available NICs.

Now we will use the default knockd configuration file, and start knockd as a daemon by editing the /etc/default/knockd file and changing

START_KNOCKD=0

to

START_KNOCKD=1

and then start it manually:

/etc/init.d/knockd start

Test it

From another machine you can use telnet to open the door:

telnet ip.of.the.server 7000

telnet ip.of.the.server 8000

telnet ip.of.the.server 9000

Now, if on the server side you run:

sudo iptables -L

Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
ACCEPT     tcp  --  200.87.XX.X          0.0.0.0/0           tcp dpt:22 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination  

As we can see, there is now an entry for the IP of my second computer; the X's replace the real digits for obvious reasons.
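To check at a glance which sources currently have the door open, that is, the per-IP ACCEPT lines for port 22 that knockd adds and the close sequence should remove, here is an added example that is not part of the article or of knockd: a small Python script that reads the text of an iptables -L listing (paste it in, or feed it from sudo iptables -L) and lists those sources, warning if the INPUT policy is not DROP. The sample listing is the one shown above with the masked knocking address replaced by the constructed documentation address 203.0.113.7.

```python
"""Audit iptables -L output for the per-IP ssh ACCEPT rules that knockd adds.

Added example, not knockd's or the article's own code. It reads the listing as
text, so it runs without root; the sample at the bottom is constructed.
"""
import re

CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+)\)")


def open_doors(listing, port="22"):
    """Return (INPUT policy, [source addresses]) where each source currently has
    an ACCEPT for TCP port `port` in the INPUT chain, i.e. a door that knockd
    opened and that the close sequence (or stop_command) has not yet removed."""
    chain, policy, sources = None, None, []
    for line in listing.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            chain, chain_policy = m.groups()
            if chain == "INPUT":
                policy = chain_policy
            continue
        # rule lines: target prot opt source destination [match details]
        fields = line.split(None, 5)
        if chain != "INPUT" or len(fields) < 5 or fields[0] == "target":
            continue
        target, prot, _opt, source, _dest = fields[:5]
        extra = fields[5] if len(fields) > 5 else ""
        # "dpt:22" when listed with -n, "dpt:ssh" without it; skip catch-all sources
        if (target == "ACCEPT" and prot == "tcp"
                and source not in ("anywhere", "0.0.0.0/0")
                and re.search(r"\bdpt:(%s|ssh)\b" % re.escape(port), extra)):
            sources.append(source)
    return policy, sources


def report(listing, port="22"):
    """Human-readable summary; an INPUT policy other than DROP is flagged,
    because then the knock sequence guards nothing."""
    policy, sources = open_doors(listing, port)
    lines = []
    if policy != "DROP":
        lines.append("WARNING: INPUT policy is %s, port %s is reachable without knocking" % (policy, port))
    if sources:
        lines.append("port %s currently open for: %s" % (port, ", ".join(sources)))
    else:
        lines.append("port %s is closed to all sources" % port)
    return lines


# Constructed sample: the article's listing after a successful knock, with the
# masked knocking address replaced by the documentation address 203.0.113.7.
SAMPLE_AFTER_KNOCK = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     tcp  --  203.0.113.7          0.0.0.0/0           tcp dpt:22

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
"""

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_AFTER_KNOCK)))
```

Running it on the sample prints that port 22 is currently open for 203.0.113.7; once the close sequence has been sent, the same check should report the port closed to all sources.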

Now, to close the door behind us, let's use telnet again:

telnet ip.of.the.server 9000

telnet ip.of.the.server 8000

telnet ip.of.the.server 7000

Second Example

If we want to automatically close the door once we are in, we can change the /etc/knockd.conf to this:

[options]
        UseSyslog

[opencloseSSH]
        sequence    = 7000,8000,9000
        seq_timeout = 5
        start_command     = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
        cmd_timeout     = 30
        stop_command    = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
        tcpflags    = syn

Now, once we send the open sequence, we will have 30 seconds to log in to the machine, and then the port will be closed again. Once in, it does not matter that the port is closed again; we will remain connected, because of the:

iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

line of the firewall, which says that any ESTABLISHED connection should remain connected.

Remember to change the default port sequence, as the default is not secure. You can also mix TCP and UDP ports, and use more than three ports in the sequence.
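As an added example (not part of the article or of knockd), the following Python script checks a knockd.conf for the points raised above and in the two examples: the stock 7000,8000,9000 sequence and its reverse, sequences shorter than four ports (our own threshold, taken from the advice to use more than three), a start_command with no stop_command, a stop_command that does not undo its start_command, and a one-shot open command with no partner section that closes it again. It only reads the configuration text and never runs the commands in it. The two configurations embedded in it are the stock one shown in this article and a constructed hardened one whose port numbers were picked arbitrarily.

```python
"""Lint /etc/knockd.conf for the weaknesses this article warns about.

Added example, not part of knockd or of the article; it only reads the
configuration text. Key names are the ones knockd's own config uses;
MIN_PORTS and the two sample configurations are ours.
"""

# Sequences shipped in the stock knockd.conf, which anyone can look up.
STOCK_SEQUENCES = {("7000", "8000", "9000"), ("9000", "8000", "7000")}
MIN_PORTS = 4  # the article advises more than three ports


def parse_knockd_conf(text):
    """'[section]' headers and 'key = value' lines -> {section: {key: value}}.
    Bare keys such as UseSyslog map to None; '#' starts a comment."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif current is None:
            raise ValueError("option outside any section: %r" % line)
        else:
            key, sep, value = line.partition("=")
            sections[current][key.strip()] = value.strip() if sep else None
    return sections


def parse_sequence(spec):
    """'7000,8000:udp' -> [('7000', 'tcp'), ('8000', 'udp')]; tcp is the default."""
    seq = []
    for item in spec.split(","):
        port, _, proto = item.strip().partition(":")
        proto = proto or "tcp"
        if not port.isdigit() or not 1 <= int(port) <= 65535 or proto not in ("tcp", "udp"):
            raise ValueError("bad sequence entry: %r" % item)
        seq.append((port, proto))
    return seq


def lint_config(text):
    """Return a list of findings; an empty list means nothing to report."""
    findings, one_shot = [], {}
    for name, opts in parse_knockd_conf(text).items():
        if name == "options":
            continue
        if "sequence" not in opts:
            findings.append("[%s] has no sequence" % name)
            continue
        seq = parse_sequence(opts["sequence"])
        ports = tuple(p for p, _ in seq)
        if ports in STOCK_SEQUENCES:
            findings.append("[%s] uses the stock sequence %s, which is public knowledge" % (name, ",".join(ports)))
        if len(seq) < MIN_PORTS:
            findings.append("[%s] sequence has only %d ports, fewer than %d" % (name, len(seq), MIN_PORTS))
        start, stop = opts.get("start_command"), opts.get("stop_command")
        if start and not stop:
            findings.append("[%s] has start_command but no stop_command; the rule stays until removed by hand" % name)
        elif start and stop and stop != start.replace(" -A ", " -D ", 1):
            findings.append("[%s] stop_command does not delete the rule start_command adds" % name)
        if opts.get("command"):
            one_shot[name] = opts["command"]
    # A one-shot section that appends a rule (-A) needs a partner that deletes it (-D).
    for name, cmd in one_shot.items():
        if " -A " in cmd and cmd.replace(" -A ", " -D ", 1) not in one_shot.values():
            findings.append("[%s] appends a rule but no section deletes it again" % name)
    return findings


# Constructed sample: the stock knockd.conf shown in the article.
STOCK_CONF = """\
[options]
        UseSyslog

[openSSH]
        sequence    = 7000,8000,9000
        seq_timeout = 5
        command     = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
        tcpflags    = syn

[closeSSH]
        sequence    = 9000,8000,7000
        seq_timeout = 5
        command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
        tcpflags    = syn
"""

# Constructed sample following the closing advice: four mixed tcp/udp ports
# (numbers picked arbitrarily) and an automatic close after 30 seconds.
HARDENED_CONF = """\
[opencloseSSH]
        sequence      = 2201:tcp,7302:udp,4501:tcp,9009:udp
        seq_timeout   = 5
        start_command = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
        cmd_timeout   = 30
        stop_command  = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
        tcpflags      = syn
"""
```

Run lint_config on the stock configuration and it reports four findings (both sections use a public sequence and both are only three ports long); the hardened one comes back clean, which is the state to aim for before setting START_KNOCKD=1.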

References: Simple Linux Firewall; knockd project at zeroflux
