Port Knocking with knockd and Linux - Server Hardening

wop

12.11.2023

Port knocking is like a secret handshake or magic word between client and server. It can be used in various ways, but most commonly as a security feature to deny all contact to a specific service - like SSH - and only allow connections if the client used the correct port knocking sequence. But it is not limited to it and can used to run different commands, too. In this article, I've decided to use knockd.

It works like this:: knockd server checks logs for specific sequence/ pattern (e.x. TCP Syn Packets of 3 specific ports); knockd client runs specific sequence against server (e.x. to open up SSH access over the FW); knockd server recognises sequence and runs a specified command (e.x. to open access via SSH for a specific IP)

Advantages:

adds another security layer (e.x. gainst automated attacks and information gathering)
could run commands in a secure way for third parties

Disadvantages:

limited compatibility/ availability (clients and servers (like AS400 etc)) + on third party machines not possible
knocking sequence could be captured (on client or network traffic)
additional work on network firewalls and IPS solution requiered, since the knocking ports must be reachable + knocking could be interpreted as a (malicious) network/port scans
additional software/configuration on client needed
unreliable on certain networks as high latency and packet loss can interfere with the knocking process/sequence
complexity might require additional user training
make it more difficult to use automation services like Ansible
if the knocking listener service dies or is misconfigured, access could impossible without further preperation (no long term experience)
because of the reasons above, troubleshooting is a pain!

My setup

Linux Ubuntu 22.04 LTS as Client and Server, using knockd as a port knocking service, iptables as firewall, and my goal is to secure my SSH access.

knockd Configuration - Server

Install the service with sudo apt install knockd. The service is not running after installation, but let us check the configuration before we start it.

The first configuration file can be found here /etc/knockd.conf:

[options]
        UseSyslog

[openSSH]
        sequence    = 7000,8000,9000
        seq_timeout = 5
        command     = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
        tcpflags    = syn

[closeSSH]
        sequence    = 9000,8000,7000
        seq_timeout = 5
        command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
        tcpflags    = syn

[openHTTPS]
        sequence    = 12345,54321,24680,13579
        seq_timeout = 5
        command     = /usr/local/sbin/knock_add -i -c INPUT -p tcp -d 443 -f %IP%
        tcpflags    = syn

Make sure to change the sequences since they are known and, therefore, not secure. For this article, I am going to remove the [openHTTPS] section as it is not needed for now.

The sequence is a number of ports - 3 TCP ports per default, but you can change the number of ports and the protocol to UDP. In this article, I'll just use the default.

This is the new configuration file:

[options]
        UseSyslog

[openSSH]
        sequence    = 22222,33333,44444
        seq_timeout = 5
        command     = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
        tcpflags    = syn

[closeSSH]
        sequence    = 44444,33333,22222
        seq_timeout = 5
        command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
        tcpflags    = syn

Let me explain the command in [openSSH]:: /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT; /sbin/iptables - run iptables; -A INPUT - append rules to the INPUT chain (last position), replace with -I to >insert it to the chain into the first position; -s %IP% - specifies the source with the knockd variable of the IP of the 'knocker'. You can change it to a specific IP, network, or all source IPs; -p tcp - choose TCP as a protocol for SSH; --dport 22 - specify the destination port (SSH); -j ACCEPT - tells iptables what to do with this packet

The second command in closeSSH deletes the previous rule with -D and the rule specifications.

The second configuration file can be found here /etc/default/knockd - in which we 'enable' knockd and specify the interface that we are going to use.

Open it in your favorite text editor, change the value of START_KNOCKD from 0 to 1 to enable knockd.

In the next option, you can specify the interface on which knockd is listening. Uncomment KNOCKD_OPTS and change eth1 with the interface of your choice. You can use ip -br a to find the name:

$ ip -br -c a
lo               UNKNOWN        127.0.0.1/8 ::1/128 
eth0             UP             111.222.111.222/32 metric 100 
ens10            UP             10.20.10.7/32

Starting knockd - Server

So, after the configuration, let us start knockd.

sudo systemctl start knockd and sudo systemctl enable knockd to start the service and make sure that it autostarts after rebooting.

Use sudo systemctl status knockd to ensure the service is running.

The logs can be found in the syslog of the server:

user@test-ubu-01:/var/log$ sudo tail -f syslog
[sudo] password for user: 
[...]
Nov 12 15:20:24 test-ubu-01 knockd: 146.70.225.159: openSSH: Stage 1
Nov 12 15:20:24 test-ubu-01 knockd: 146.70.225.159: openSSH: Stage 2
Nov 12 15:20:24 test-ubu-01 knockd: 146.70.225.159: openSSH: Stage 3
Nov 12 15:20:24 test-ubu-01 knockd: 146.70.225.159: openSSH: OPEN SESAME
Nov 12 15:20:24 test-ubu-01 knockd: openSSH: running command: /sbin/iptables -A INPUT -s 146.70.225.159 -p tcp --dport 22 -j ACCEPT

You can check the firewall rules with sudo iptables --list:

sudo iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  146.70.225.159       anywhere             tcp dpt:ssh

Important: Make sure that you remove all 'allow-all' accept rules for SSH and keep one session open so you don't get locked out.

knockd - Client

Install knockd on the client, and use the knock command:: knock -d 5 -v 195.201.49.99 22222 33333 44444; -d 5 - add a delay of 5 milliseconds between the port hits. It can prevent you from getting hit by various security solutions that block network scans; -v - increase the verbosity; 195.201.49.99 - destination IP; 22222 33333 44444 - the sequence, TCP is the default, use -u to change all ports to UDP, or add :udp or :tcp directly behind the port to specify the protocol per port; more information can be found via man knock

As this is the sequence for [openSSH], the logs and rule set should look like the examples in the previous section. To remove the rule, run the command with the sequence of the [closeSSH] section.

As a side note: I bet you could do the knocking part without any client and use netcat, nmap or some other tool, but I have not tested it yet.

Troubleshooting

Just a small list of tips in case something is not working:

make sure there is no other firewall ruleset active, UFW, for example
- make sure that the order of rules is correct
check the logs on the server /var/log/syslog
make sure the client can reach the necessary ports of the knocking itself (network firewall, IPS, etc)
make sure knockd is enabled, listening to the correct interface and is running

Conclusion

Port knocking is an interesting idea, but I don't plan to implement it anywhere. I've got some ideas for some niche cases, but that's it.

E-Mail hellofoo@ittafoovern.comcom

More reading:

22.11.2023 SSH Server Hardening Guide v2
04.08.2023 Getting started with Fail2Ban on Linux
17.01.2023 SSH Troubleshooting Guide
05.01.2023 SSH - run script or command at login
01.01.2023 Visual guide to SSH tunneling and port forwarding

04.02.2024 Adding a trash can to Linux with trash-cli
20.01.2024 Bandwidth Measurement using netcat on Linux
14.01.2024 Getting started with rsync - Comprehensive Guide
10.01.2024 Cron Jobs on Linux - Comprehensive Guide with Examples
22.11.2023 SSH Server Hardening Guide v2