Port-tapping is a way to secure a server by closing firewall ports ̵
The knocking of ports is a "secret knock".
In the 1920s, when the ban was in full swing, if you wanted it In a Speakeasy, you had to know the secret knocking and really knock it out to get in.
Port palpation is a modern equivalent. If you want users to have access to services on your computer but can not open their firewall for the Internet, you can use port-knocking. Lets you close the ports in your firewall that allow inbound connections and have them open automatically when a predetermined pattern of connection attempts is made. The order of the connection attempts works like the secret knock. Another secret knock closes the harbor.
The knocking of the port is a novelty, but it is important to know that it is an example of security through unfamiliarity, and this concept is fundamentally flawed. The secret of how to access a system is certain, as it only knows the members of a particular group. But once this mystery is revealed – either because it's revealed, observed, guessed or clarified – your security is void. You should better secure your server in other, stronger ways, such as: For example, by using key-based sign-in for an SSH server.
The most robust approaches to cyber security are multi-layered. Therefore, port knocking may be one of these levels. The more layers, the better, right? However, you could argue that port knocking does not contribute much (if any) to a properly hardened, secure system.
Cybersecurity is a large and complicated issue, but you should not use port-knocking as your only form of defense.
RELATED: Creating and installing SSH keys through the Linux shell
To demonstrate the knocking of ports, port 22 is controlled by the SSH port. We will use a tool called knockd. Use
apt-get to install this package on your system if you are using Ubuntu or any other Debian-based distribution. Instead, use the package management tool of your Linux distribution on other Linux distributions.
sudo apt-get install knockd
The iptables firewall is probably already installed on your computer, but you may need to unpack the package
install. It covers automatic loading of saved
Enter the following to install it:
sudo apt-get install iptables-persistent
During IPV4 Configuration When the screen is displayed, press the spacebar to to accept the option "yes".
Press the space bar in the IPv6 configuration screen again to accept the "Yes" option and continue.
. The following command instructs
iptables to allow the continuation of existing and running connections. We now issue another command to close the SSH port.
If this command is linked to someone via SSH, this command should not be truncated:
sudo iptables -A INPUT -m conntrack -ctstate ESTABLISHED, RELATED -j ACCEPT
This command adds a rule to the firewall that reads:
- -A Attach the rule to the firewall rules table. In other words, add it below.
- INPUT : This is a rule for inbound connections.
- -m conntrack : Firewall rules affect network traffic (packets), which generally meets the criteria. The parameter
iptablesto use additional packet comparison modules. In this case, the one referred to as
conntrackworks with the kernel's network connection tracking functions.
- -cstate ESTABLISHED, RELATED : Specifies the connection type to which the rule applies, namely ESTABLISHED and RELATED connections. An existing connection is already in progress. A related connection is a connection that was created by an action from an established connection. Maybe someone who is connected wants to download a file. This can be done over a new connection initiated by the host.
- -j ACCEPT : If the traffic is the rule, jump to the ACCEPT target in the firewall. In other words, the traffic is accepted and allowed to pass through the firewall.
Now we can issue the command to close the port:
sudo iptables -A INPUT -p tcp --dport 22 -j REJECT
This command adds a rule to the firewall , which states:
- -A : Append the rule to the firewall rules table, ie add them below.
- INPUT : This rule is an inbound connection.
- -p tcp : This rule applies to traffic using the Transmission Control Protocol.
- -dport 22 : This rule applies specifically to TCP traffic, the destination port 22 (the SSH port).
- -j REJECT : If the traffic matches the rule, jump to the REJECT target in the firewall. If the traffic is denied, it is not allowed through the firewall.
We need to start the
netfilter-persistent daemon. We can do this with the following command:
sudo systemctl start netfilter-persistent
netfilter-persistent to cycle through a memory and a load cycle
] iptable rules.
Enter the following commands:
sudo netfilter-persistent save
sudo netfilter-persistent reload
You now have the utilities installed and the SSH port is closed (hopefully without the connection to end). Now it's time to configure the secret knock.
You can edit two files to configure
Tapping. The first is the following
knockdconfiguration file:sudo gedit /etc/knockd.conf[19659097[19459031[19659006[The
gediteditor opens with the
knockdConfiguration file loaded.
This file will be edited as needed. The sections we are interested in are "openSSH" and "closeSSH". The following four entries are in each section:
- sequence : The order of the ports someone must access to open or close port 22 There are 7000, 8000, and 9000 to open it, and 9000, 8000, and 7000 to close it. You can change these or add more ports to the list. For our purposes we stick to the default values.
- seq_timeout : The amount of time someone must access the ports to initiate the opening or closing.  Command : The sent command to the firewall of
iptableswhen the open or close action fires. These commands either add a rule to the firewall (to open the port) or remove it (to close the port).
- tcpflags : The type of packet each port must receive in secret order. A SYN packet (synchronization packet) is the first in a TCP connection request called a three-way handshake.
The "openSSH" section can be read because a TCP connection request must be made to ports 7000, 8000, and 9000 - in that order and within 5 seconds - to allow the command to open port 22 to the firewall is sent.
The section "closeSSH" can be read as "TCP connection request to ports 9000, 8000". and 7000, in that order and within 5 seconds, to send the port 22 close command to the firewall. "
The Firewall Rules
The" Command "entries in the openSSH and closeSSH sections remain unchanged. with the exception of one parameter. How to Assemble:
- -A Attach the rule to the end of the firewall rules list (for the openSSH command).
- -D : Delete the command from the firewall rules list (for the closeSSH command).
- INPUT : This rule applies to incoming network traffic.
- -s% IP% : The IP address of the device requesting a connection.
- -p : network protocol; In this case it is TCP.
- -dport : The destination port. In our example, it is port 22.
- -j ACCEPT : Jump to the accepted destination in the firewall. In other words, let the package go through the rest of the rules without affecting it.
The changes in the configuration file
The changes we make to the file are highlighted in red below:
We extend the "seq_timeout" to 15 seconds. This is generous, but if someone manually initiates connection requests, they may need so much time.
In the section "openSSH" we change the option
-A (Append) in the command in
-I (insert). This command inserts a new firewall rule at the top of the firewall rule list. If you leave the option
-A the firewall rule list is appended to and dropped at end .
Inbound traffic is tested from top to bottom by any firewall rule. We already have a rule that closes Port 22. If inbound traffic is tested against this rule before the rule that allows traffic is displayed, the connection is rejected. If this new rule appears first, the connection is allowed.
The close command removes the rule added by openSSH from the firewall rules. The SSH traffic is again handled by the existing rule "Port 22 is closed".
Save the configuration file after these changes.
RELATED: How to Edit Text Files Graphically on Linux with gedit
The Tapped Control File Works
The tapped control file
is altogether simpler. However, before we can handle this, we need to know the internal name for our network connection. Type the following command to find it:
The link this computer is looking for under this article is called
enp0s3 . Write down the name of your connection.
The following command handles the control file
sudo gedit / etc / default / knockd
knockd file in
The few changes we need to make are highlighted in red: 
We changed the entry "START_KNOCKD =" from 0 to 1.
We also removed the hash.
# from the beginning of the entry "KNOCKD_OPTS =" and replaced "eth1" with the name of our network connection,
enp0s3 . Of course, if your network connection is
eth1 you will not change it.
The proof is in the pudding
It is time to see if this works. We start the daemon
knockd with the following command:
sudo systemctrl start knockd
Now we jump on another computer and try to establish a connection. We also installed the tool
knockd on this computer, not because we want to set up port-knocking, but because the package
knockd provides another tool called
knock . We will use this system to trigger our secret sequence and do the knocking for us.
Use the following command to send your secret sequence of connection requests to the ports of the host computer with the IP address 192.168.4.24:
taps 192.168.4.24 7000 8000 9000 -d 500
This will cause
taps to direct the computer to IP address 192.168.4.24 and initiate a connection request to ports 7000, 8000, and 9000. again with a
-d (delay) of 500 milliseconds in between.
A user named "dave" then sends an SSH request 192.168.4.24:[19659015lightboxsshdave@192168424
Your connection is accepted, he enters his password and his remote session begins. His command prompt changes from
dave @ nostromo to
dave @ howtogeek . To log out of the remote computer, enter:
The command prompt returns to its local computer. It uses again
knock and this time the ports are driven in reverse order to close the SSH port on the remote computer.
knock 192.168.4.24 9000 8000 7000 -d 500
While this was not a particularly fruitful remote session, it does show opening and closing the port via port palpation and fits into a single screenshot.
How did that look from the other side? The system administrator on the host on which the port is being tapped uses the following command to display new entries in the system log:
tail -f / var / log / syslog
- You see three openSSH entries. These are triggered when each port is addressed by the Remote Knock utility.
- If all three stages of the trigger sequence are met, the entry "OPEN SESAME" is logged.
- The command to insert the rule in the
iptablesrule list is sent. It allows access via SSH on port 22 from the specific IP address of the PC that caused the proper secret knock (192.168.4.23).
- The dave user connects for only a few seconds and then disconnects.
- You will see three closeSSH entries. These are triggered when each port is targeted by the Remote Knock utility. It tells the host to close port 22.
- After all three levels have been triggered, the message "OPEN SESAME" is displayed again. The command is sent to the firewall to remove the rule. (Why not "close SESAME" when the port is closed, who knows?)
The only rule in the
iptables rule list for port 22 is the one we typed in at the beginning Close port. So Port 22 is now closed again.
Blow on the head
This is the salon trick where the port knocks. Treat it as a distraction and do not do it in the real world. Or, if you must, do not rely on it as your only form of security.