Knockd is a port knocking implementation, and I like this one because it is quite simple and flexible, and it works on almost any POSIX operating system.
There are many ways to set it up, but some can be confusing and even useless if written incorrectly.
I personally like the following kind of configuration for its simplicity. I will present the configuration first and then comment on it after the code lines:
/* Start of the knockd.conf file */
[options]
logfile = /var/log/knockd.log
[opencloseSSH]
sequence = 7000,8000,9000
seq_timeout = 15
command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
cmd_timeout = 10
tcpflags = syn
stop_command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
/* End of the knockd.conf file */
I will not go into detail about EACH line, but I will explain how this example works in general.
Basically, knockd waits for the three knocks (7000, 8000, 9000). The user has 15 seconds from the first knock (7000) to the last knock (9000). Once the server has received those 3 knocks within 15 seconds, iptables opens port 22 for the knocking IP address. You then have 10 seconds to establish the connection; after those 10 seconds the “stop_command” is run, which in this case deletes the iptables rule added above. Remember that the path “/sbin/iptables” may vary depending on which Linux distro you are using.
To make use of this configuration scheme, it is important to have an ESTABLISHED,RELATED rule in your iptables firewall settings, like this:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Otherwise, you may lose your SSH session after those 10 seconds (even if you already connected), because the stop_command deletes the only rule that let your packets in.
And, of course, the iptables DROP policy:
iptables -P INPUT DROP
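To make the two timeouts concrete, here is a small Python model of how knockd walks the sequence for the [opencloseSSH] section above, run over constructed SYN events. This is an added example, not code from the original post or from the knockd project; it simplifies knockd by assuming that a knock on the wrong port discards the current attempt and that only SYN packets are counted (tcpflags = syn).

```python
# Model of the [opencloseSSH] door from the knockd.conf above (added example,
# not knockd's own code). Constants mirror that configuration.
SEQUENCE = (7000, 8000, 9000)   # sequence = 7000,8000,9000
SEQ_TIMEOUT = 15                # seq_timeout = 15 (seconds for the whole sequence)
CMD_TIMEOUT = 10                # cmd_timeout = 10 (seconds until stop_command)
OPEN = "/sbin/iptables -I INPUT -s {ip} -p tcp --dport 22 -j ACCEPT"
CLOSE = "/sbin/iptables -D INPUT -s {ip} -p tcp --dport 22 -j ACCEPT"


def simulate(events):
    """events: iterable of (t_seconds, src_ip, dst_port, tcp_flags).
    Returns a time-sorted list of (t, command_line) that knockd would run."""
    attempts = {}   # src_ip -> (next_stage_index, time_of_first_knock)
    actions = []
    for t, ip, port, flags in sorted(events):
        if flags != "syn":                   # tcpflags = syn: ignore anything else
            continue
        stage, started = attempts.get(ip, (0, t))
        if stage and t - started > SEQ_TIMEOUT:
            stage, started = 0, t            # sequence took too long: start over
        if port != SEQUENCE[stage]:
            attempts.pop(ip, None)           # wrong port (assumption): attempt discarded
            continue
        stage += 1
        if stage < len(SEQUENCE):
            attempts[ip] = (stage, started)  # partial sequence, keep waiting
            continue
        attempts.pop(ip)                     # full sequence seen within seq_timeout
        actions.append((t, OPEN.format(ip=ip)))                 # command
        actions.append((t + CMD_TIMEOUT, CLOSE.format(ip=ip)))  # stop_command
    return sorted(actions)


# Constructed sample traffic (documentation addresses, not real hosts).
EVENTS = [
    (0.0,  "203.0.113.5", 7000, "syn"),
    (1.0,  "203.0.113.5", 8000, "syn"),
    (1.5,  "203.0.113.5", 8000, "ack"),   # not a SYN: ignored
    (2.0,  "203.0.113.5", 9000, "syn"),   # done in 2 s: port 22 opens for 10 s
    (20.0, "203.0.113.9", 7000, "syn"),
    (38.0, "203.0.113.9", 8000, "syn"),   # 18 s after the first knock: too slow
    (39.0, "203.0.113.9", 9000, "syn"),   # nothing opens for this host
    (50.0, "198.51.100.7", 7000, "syn"),
    (51.0, "198.51.100.7", 9000, "syn"),  # out of order: attempt discarded
    (52.0, "198.51.100.7", 8000, "syn"),  # nothing opens for this host either
]

if __name__ == "__main__":
    for t, cmd in simulate(EVENTS):
        print(f"t={t:5.1f}s  {cmd}")
```

Only the first host gets an ACCEPT rule, and it is removed again at t=12 s, which is why the ESTABLISHED,RELATED rule above matters for sessions that outlive the window.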
If you are interested in other configuration methods, check the official man page. In the shell: man knockd
I wrote this tutorial on Gentoo Linux, but knockd should work on other Linux distros and on any other *NIX as well.
References:
http://www.zeroflux.org/projects/knock
http://www.portknocking.org/