portknocking question

Peter Garrett peter.garrett at optusnet.com.au
Sat Oct 7 19:04:21 UTC 2006


On Sat, 07 Oct 2006 10:33:14 -0700
Noah <admin2 at enabled.com> wrote:

> Knock Review:
> This is nice but still requires closing the port as a step when done.  

Not necessarily; you can use a timeout with the relevant iptables command
- see below.

> It would be nice to automatically close the ssh port when the user 
> disconnects from the ssh port. 

You probably don't need to do this - indeed you can "close" the port almost
immediately after connecting, without losing your session:  again, see
below. 

> Also I am not clear but I don't think 
> there is a way to grab the source IP address, right?

Not sure what you mean by "grab", but see below ;-)


As it happens I've been playing with "knock" myself.

You can easily close the connection automatically. One way is to set the
config file to time out the connection after a defined number of seconds
by reversing/deleting an iptables rule. This does *not* disconnect the
currently connected "knocker" as long as the iptables setup on the server/
target machine includes something like

iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

In that example, any existing ssh connection, for example, will continue
even after knockd reverses the iptables rule it creates to allow access,
because the connection is "established".

The IP address is coded in to the iptables rules by the command run
after a successful "knock sequence". In /etc/knockd.conf :

start_command = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT

( in the case where you want to open up ssh access )

%IP% translates to the IP address of the successful "knocker"

stop_command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT

deletes that line and can be made to run after the time set by 
cmd_timeout = XX  where XX can be a number of seconds

The IP address of the successful connection is logged
to /var/log/knockd.log, and of course you can log ssh connections at a
verbose level in /var/log/auth.log if you wish (set with a log line in
your iptables).

Notice that setting a default iptables INPUT policy of "DROP" simplifies
matters, since it means any appended rules can just go at the end of the
chain - anything not matched in the chain will be dropped anyway at the end
of the chain, so no specific final "DROP" line is needed. The trap here is
that you *must* allow the lo interface and something like
"established,related" as in the example above, or you will lock yourself
out. The alternative is to use an "ACCEPT" default policy and substitute
INPUT -I for INPUT -A to "insert" a rule instead of "appending" it - I
prefer the default "DROP" policy method though.

The other file to check is /etc/default/knockd . You will probably want
knockd to run as a daemon at start up by un-commenting the line
START_KNOCKD=1

The default interface is eth0 but that can be changed if needed (same
"default" file); then you just restart the daemon with
'sudo /etc/init.d/knockd restart'

I recommend testing your setup from another internet connection (dialup
will do) before relying on it, and of course all the usual security
measures should be in place - port knocking is not a security cure-all but
a useful access tool. Using ssh keypairs and disabling password logins
might be a good start.... but I digress ;)

If the machine you are "knocking" to is behind a NAT router make sure the
relevant target ports are forwarded and protected, of course.

Hope this helps, and all that :-)

Peter
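The following is an added example, not part of Peter's post and not knockd's own code. It puts the pieces the post describes together in one runnable simulation: a constructed /etc/knockd.conf with start_command, stop_command and cmd_timeout, the %IP% substitution, and a model of the three-rule INPUT chain (policy DROP, lo, ESTABLISHED,RELATED) so you can see why an open ssh session survives the stop_command. The knock sequence 7000,8000,9000, the timeout values and the addresses 203.0.113.7 / 198.51.100.9 are assumptions chosen for the example; the matcher is a simplification of knockd (TCP ports only, wrong-port hit or a slow sequence resets the knocker) and the Firewall class is a toy, not netfilter.

```python
"""Simulation of the knockd + iptables cycle described in the post above."""
import configparser

# Constructed knockd.conf in the shape the post describes. The sequence,
# timeouts and ports are assumptions for this example, not from the post.
KNOCKD_CONF = """
[options]
logfile = /var/log/knockd.log
interface = eth0

[openSSH]
sequence = 7000,8000,9000
seq_timeout = 5
tcpflags = syn
start_command = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
cmd_timeout = 10
stop_command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
"""


def load_knock_config(text, section="openSSH"):
    """Parse knockd.conf text; interpolation is off so %IP% survives intact."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    sec = cp[section]
    return {
        "sequence": [int(p) for p in sec["sequence"].split(",")],  # tcp only
        "seq_timeout": int(sec["seq_timeout"]),
        "start_command": sec["start_command"],
        "cmd_timeout": int(sec["cmd_timeout"]),
        "stop_command": sec["stop_command"],
    }


class KnockMatcher:
    """Per-source progress through the sequence (simplified from knockd):
    a hit on the wrong port, or a sequence slower than seq_timeout, resets."""

    def __init__(self, cfg):
        self.cfg = cfg
        self.progress = {}  # src_ip -> (index of next expected port, first-knock time)

    def packet(self, src_ip, dport, now):
        """Feed one SYN. Returns None, or (start_cmd, stop_cmd, stop_due_at)."""
        seq = self.cfg["sequence"]
        idx, started = self.progress.get(src_ip, (0, now))
        if idx > 0 and now - started > self.cfg["seq_timeout"]:
            idx, started = 0, now  # too slow: this hit begins a fresh sequence
        if dport != seq[idx]:
            self.progress.pop(src_ip, None)  # out of order: start over
            return None
        idx += 1
        if idx < len(seq):
            self.progress[src_ip] = (idx, started)
            return None
        self.progress.pop(src_ip, None)
        start = self.cfg["start_command"].replace("%IP%", src_ip)
        stop = self.cfg["stop_command"].replace("%IP%", src_ip)
        return start, stop, now + self.cfg["cmd_timeout"]


class Firewall:
    """Toy model of the post's INPUT chain: policy DROP, then lo, then
    ESTABLISHED,RELATED, then whatever knockd appends for a knocker IP."""

    def __init__(self):
        self.rules = []  # (src_ip, dport) pairs appended by start_command

    def run(self, iptables_cmd):
        """Apply a start_command (-A) or stop_command (-D) to the model."""
        parts = iptables_cmd.split()
        rule = (parts[parts.index("-s") + 1], int(parts[parts.index("--dport") + 1]))
        if "-A" in parts:
            self.rules.append(rule)
        else:
            self.rules.remove(rule)

    def verdict(self, src_ip, dport, state, iface="eth0"):
        if iface == "lo":
            return "ACCEPT"
        if state in ("ESTABLISHED", "RELATED"):
            return "ACCEPT"  # an open ssh session survives deletion of its rule
        if (src_ip, dport) in self.rules:
            return "ACCEPT"
        return "DROP"  # default policy, so no final DROP rule is needed


def scenario():
    """Walk one knocker through the whole cycle and collect the verdicts."""
    cfg = load_knock_config(KNOCKD_CONF)
    fw, out = Firewall(), {}
    knocker, stranger = "203.0.113.7", "198.51.100.9"  # constructed addresses
    out["before_knock"] = fw.verdict(knocker, 22, "NEW")

    matcher, hit = KnockMatcher(cfg), None
    for t, port in ((0.0, 7000), (1.0, 8000), (2.0, 9000)):
        hit = matcher.packet(knocker, port, t)
    start_cmd, stop_cmd, out["stop_due_at"] = hit
    out["start_command"] = start_cmd
    fw.run(start_cmd)  # knockd runs start_command on a successful sequence
    out["after_knock"] = fw.verdict(knocker, 22, "NEW")
    out["stranger_after_knock"] = fw.verdict(stranger, 22, "NEW")

    fw.run(stop_cmd)  # cmd_timeout seconds later knockd runs stop_command
    out["new_after_timeout"] = fw.verdict(knocker, 22, "NEW")
    out["established_after_timeout"] = fw.verdict(knocker, 22, "ESTABLISHED")

    # Two ways a sequence fails: wrong order, and slower than seq_timeout.
    m = KnockMatcher(cfg)
    out["wrong_order"] = [m.packet(stranger, p, t) for t, p in ((0, 7000), (1, 9000), (2, 8000))][-1]
    m = KnockMatcher(cfg)
    out["too_slow"] = [m.packet(stranger, p, t) for t, p in ((0, 7000), (1, 8000), (7, 9000))][-1]
    return out


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The point to take from the run is the last pair of verdicts: once stop_command has removed the per-IP rule, a NEW connection from the knocker is dropped again, while a packet that conntrack classes as ESTABLISHED is still accepted by the second baseline rule, which is exactly why the post's cmd_timeout does not cut off a session that is already open.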


More information about the ubuntu-users mailing list