1. Make sure you have root privileges.
2. Install the knockd package.
apt-get install knockd
3. Edit /etc/knockd.conf in your favourite editor.
emacs -nw /etc/knockd.conf
[options]
logfile = /var/log/knockd.log
[FTP]
sequence = 99,2,155
seq_timeout = 5
tcpflags = syn
start_command = /sbin/iptables -A INPUT -i eth0 -s %IP% -p tcp --dport 21 -j ACCEPT
cmd_timeout = 600
stop_command = /sbin/iptables -D INPUT -i eth0 -s %IP% -p tcp --dport 21 -j ACCEPT
[SSH]
sequence = 1024,35,2,2048
seq_timeout = 5
tcpflags = syn
start_command = /sbin/iptables -A INPUT -i eth0 -s %IP% -p tcp --dport 22 -j ACCEPT
cmd_timeout = 180
stop_command = /sbin/iptables -D INPUT -i eth0 -s %IP% -p tcp --dport 22 -j ACCEPT
The sequence option is a comma separated list of port numbers that have to be "knocked" in the defined sequence to activate the rule.
The seq_timeout option defines how much time a client has to perform the knock.
The tcpflags option is beyond the scope of this howto, read the manual.
The start_command is a command to be run when this rule is triggered. It can be pretty much anything; in the SSH rule above it opens port 22 in the firewall to the IP address that issued the knock.
The cmd_timeout option specifies how long the window between the start_command and the stop_command is.
And finally the stop_command is a command that is run (in this case) when cmd_timeout seconds have elapsed since the knock. Here it closes the hole in the firewall again by deleting the rule that opened it.
There are lots of other possibilities, again read the manual if you want more.
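As an added illustration (Python, not part of this howto and not knockd's own validation), here is a small linter that reads a knockd.conf using the options just described and flags the things that usually go wrong: a sequence that is too short or contains an invalid port, a start_command without a stop_command or cmd_timeout, a command that is not limited to %IP%, an iptables option typed with one dash instead of two, and a stop_command that does not delete exactly the rule the start_command added. The config embedded in it is a copy of the one above with the FTP stop_command deliberately mis-typed (-dport instead of --dport) so the linter has something to find; the checks themselves are this example's own assumptions about a sane rule.

```python
# Added example, not part of the howto: lint a knockd.conf for the usual
# mistakes. These checks are this example's own assumptions about what a
# sane rule looks like, not knockd's own validation.
import configparser
import shlex

# Constructed sample: the config from the howto, with the FTP stop_command
# deliberately mis-typed (-dport instead of --dport) so there is something to find.
SAMPLE_CONF = """\
[options]
logfile = /var/log/knockd.log

[FTP]
sequence = 99,2,155
seq_timeout = 5
tcpflags = syn
start_command = /sbin/iptables -A INPUT -i eth0 -s %IP% -p tcp --dport 21 -j ACCEPT
cmd_timeout = 600
stop_command = /sbin/iptables -D INPUT -i eth0 -s %IP% -p tcp -dport 21 -j ACCEPT

[SSH]
sequence = 1024,35,2,2048
seq_timeout = 5
tcpflags = syn
start_command = /sbin/iptables -A INPUT -i eth0 -s %IP% -p tcp --dport 22 -j ACCEPT
cmd_timeout = 180
stop_command = /sbin/iptables -D INPUT -i eth0 -s %IP% -p tcp --dport 22 -j ACCEPT
"""


def parse_conf(text):
    # knockd.conf is INI-shaped; interpolation is off because %IP% is
    # knockd's placeholder, not configparser's.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def lint_rule(name, rule):
    """Return a list of problems found in one knock rule section."""
    problems = []
    ports = [p.strip() for p in rule.get("sequence", "").split(",") if p.strip()]
    if len(ports) < 3:
        problems.append(f"{name}: sequence shorter than 3 ports is easy to trip by chance")
    for p in ports:
        if not p.isdigit() or not 1 <= int(p) <= 65535:
            problems.append(f"{name}: invalid port {p!r} in sequence")
    start = rule.get("start_command", "")
    stop = rule.get("stop_command", "")
    if start and not stop:
        problems.append(f"{name}: start_command without stop_command never closes the hole")
    if stop and "cmd_timeout" not in rule:
        problems.append(f"{name}: stop_command set but cmd_timeout missing")
    for label, cmd in (("start_command", start), ("stop_command", stop)):
        argv = shlex.split(cmd) if cmd else []
        if cmd and "%IP%" not in argv:
            problems.append(f"{name}: {label} is not limited to the knocking host (%IP%)")
        for arg in argv:
            # iptables long options take two dashes; '-dport' is a classic slip
            if arg.startswith("-") and not arg.startswith("--") and len(arg) > 2:
                problems.append(f"{name}: {label} has malformed option {arg!r}")
    # The stop rule must delete (-D) exactly the rule the start rule appended (-A).
    if start and stop and stop != start.replace("-A ", "-D ", 1):
        problems.append(f"{name}: stop_command does not mirror start_command")
    return problems


def lint_conf(text):
    """Map each rule section (everything except [options]) to its problem list."""
    cp = parse_conf(text)
    return {s: lint_rule(s, cp[s]) for s in cp.sections() if s != "options"}


if __name__ == "__main__":
    for section, problems in lint_conf(SAMPLE_CONF).items():
        print(f"[{section}] {'OK' if not problems else ''}")
        for problem in problems:
            print("  ", problem)
```

Run it against your own file with lint_conf(open("/etc/knockd.conf").read()); the SSH rule above passes cleanly, while the FTP rule is reported twice, once for the malformed -dport and once because the stop rule no longer mirrors the start rule, which is exactly the kind of mistake that leaves a port open after cmd_timeout.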
Once you are satisfied with your rules go on to the next step.
4. Edit /etc/default/knockd in your favourite editor.
emacs -nw /etc/default/knockd
################################################
#
# knockd's default file, for generic sys config
#
################################################
# control if we start knockd at init or not
# 1 = start
# anything else = don't start
START_KNOCKD=1
# command line options
KNOCKD_OPTS="-i eth0"
5. Make sure knockd starts at boot.
update-rc.d knockd defaults
/etc/init.d/knockd start
6. Test it. On the server with knockd installed, watch the log:
tail -f /var/log/knockd.log
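An added example (Python, not part of the original howto): a script that summarizes the kind of lines tail -f shows, per client IP and rule, counting completed sequences against attempts that stalled part way, which is what you would want to spot when watching the log. The log lines are constructed for the example in the shape knockd uses ([timestamp] ip: RULE: Stage N, then OPEN SESAME on success); treat that format as an assumption and compare it with your own /var/log/knockd.log.

```python
# Added example, not part of the howto: summarize knockd log lines per client
# and rule so partial (failed or probing) knocks stand out from completed ones.
import re
from collections import defaultdict

# Constructed sample in the shape knockd writes ([timestamp] ip: RULE: event).
# That shape is an assumption for this example; compare with your own log.
SAMPLE_LOG = """\
[2024-01-10 09:15] 203.0.113.7: SSH: Stage 1
[2024-01-10 09:15] 203.0.113.7: SSH: Stage 2
[2024-01-10 09:15] 203.0.113.7: SSH: Stage 3
[2024-01-10 09:15] 203.0.113.7: SSH: Stage 4
[2024-01-10 09:15] 203.0.113.7: SSH: OPEN SESAME
[2024-01-10 09:15] SSH: running command: /sbin/iptables -A INPUT -i eth0 -s 203.0.113.7 -p tcp --dport 22 -j ACCEPT
[2024-01-10 09:16] 198.51.100.9: SSH: Stage 1
[2024-01-10 09:16] 198.51.100.9: SSH: Stage 2
[2024-01-10 09:17] 198.51.100.9: SSH: Stage 1
[2024-01-10 09:17] 198.51.100.9: FTP: Stage 1
"""

# Lines without a client IP (command output, timeouts) deliberately do not match.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] (?P<ip>\d+\.\d+\.\d+\.\d+): (?P<rule>\w+): (?P<event>.+)$"
)


def summarize(log_text):
    """Return {(ip, rule): (opened, partial)} for the given log text."""
    stats = defaultdict(lambda: {"opened": 0, "partial": 0, "last_stage": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        s = stats[(m["ip"], m["rule"])]
        event = m["event"]
        if event.startswith("Stage "):
            stage = int(event.split()[1])
            # A new Stage 1 while a run was in progress means the earlier run stalled
            if stage == 1 and s["last_stage"] > 0:
                s["partial"] += 1
            s["last_stage"] = stage
        elif event == "OPEN SESAME":
            s["opened"] += 1
            s["last_stage"] = 0
    # Whatever is still mid-sequence at the end of the log also counts as stalled
    for s in stats.values():
        if s["last_stage"] > 0:
            s["partial"] += 1
            s["last_stage"] = 0
    return {key: (s["opened"], s["partial"]) for key, s in stats.items()}


if __name__ == "__main__":
    for (ip, rule), (opened, partial) in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{ip:16} {rule:5} opened={opened} partial={partial}")
```

On the sample, 203.0.113.7 completes the SSH sequence once, while 198.51.100.9 never gets past stage 2 and also touches the FTP rule; a host that keeps piling up partial counts without ever opening is either a client with the wrong sequence or someone probing the knock ports.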
On a client machine:
Install some kind of port knocking "client" (the knockd package comes with one).
# knock <someserver.somedomain.com> <knock sequence>
# e.g. for the SSH rule above: knock someserver.somedomain.com 1024 35 2 2048
# ssh/ftp <someserver.somedomain.com>