The sys admin's daily grind: Knockd
Horror stories are full of scary characters knocking on doors at night. On Linux, we just call this port knocking, and it can actually be quite useful.
If you prefer not to have an obvious administrative port for your iptables firewall – but do need a secret one – port knocking is an interesting option that can put off script-based attacks. For the ambitious but secretive admin, the tool of choice is Knockd .
The package includes two components: Knock is the client that sends knocking signals, which the Knockd daemon receives.
To monitor the process, Knock, the knocking client, only needs the port number on which to knock and a -v option.
knock -v 10.0.0.42 7000 8000 9000
The tool responds immediately with the command-line output shown in Figure 1.
The /etc/knockd.conf configuration file lets the system administrator specify the action the daemon performs when it receives a valid hit.
See Listing 1 for an example.
01 [options] 02 logfile = /var/log/knockd.log 03 [openSSH] 04 sequence = 7000,8000,9000 05 seq_timeout = 5 06 command = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT 07 tcpflags = syn 08 [closeSSH] 09 sequence = 9000,8000,7000 10 seq_timeout = 5 11 command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT 12 tcpflags = syn
In a production environment, choose a more unusual port number, of course.
Morse Code for Fun and Profit
If it recognizes the signal, Knockd opens up port 22 for the requesting IP, which passes in its own IP (see Figure 2).
If you knock on the ports in the wrong order, the daemon will shut down SSH access. Scatterbrained admins (like me) have another option – knockd.conf, which looks like this:
start_command = /usr/sbin/iptables -A INPUTU -s %IP% -p tcp --syn --dport 22 -j ACCEPT cmd_timeout = 10 stop_command = /usr/sbin/iptables -D INPUTU -s %IP% -p tcp --syn --dport 22 -j ACCEPT
After knocking, the daemon launches start_command, then waits the number of minutes specified in cmd_timeout before executing stop_command.
Really paranoid system administrators will relish the option of configuring a file with a sequence of ports. Each sequence expires after use.
Buy this article as PDF
Report from the X-Force group says attackers are using TOR to hide their crimes
Future Firefox extensions will be compatible with Chrome.
Better read this if you bought your computer before 2011
Users should upgrade to the new version as soon as possible
Xen project announces a privilege escalation problem for Qemu host systems
Attackers can compromise an Android phone just by sending a text message
PC vendor will pre-install Ubuntu on portables in India.
More embarrassment for Adobe's embattled multimedia tool
Mozilla’s script blocker add-on could be putting malware sites on the whitelist.
The Internet community officially banishes the notoriously unsafe Secure Sockets Layer protocol.