Port Knocker for Ubuntu
UPDATE: Nerd Vittles tutorial now available here.
This is an add-on to let you open one or more server ports on the fly for remote access using your smartphone, tablet, or computer to send 3 knocks to random ports. If the "knocks" are sent to the proper ports in the correct order, this triggers Port Knocker to modify IPtables for your IP address, and you gain access to the ports specified for a certain period of time or until a series of knocks closes the port(s).
Begin your adventure by reading this post. The original post was for RedHat/CentOS, so the Ubuntu install is a little different. Nerd Vittles tutorial coming shortly.
NOTE: This is already set up in the latest Incredible PBX for Ubuntu builds. Just write down your secret port knocking sequence when the install is finished. Your knock credentials also are saved in /root/knock.FAQ. As configured, successful knocks get you an hour of access to all ports on your server from your current IP address. You can send the codes in several ways. From a remote location, if your cellphone is on WiFi and shares the same public IP address as one or more computers on the same WiFi network, use the smartphone app for iOS or Android to send the "knocks" to your server: for iPhones, PortKnock ($0.99); for Android devices, PortKnocker (free).
You could also send the knocks with the nmap utility from any computer that has nmap installed. Using the 3 ports provided (8683, 6304, 7371 in this example) AND your server's public IP address (123.4.5.67 in this example), the sequence you would send looks like the command below. The ports were provided when your install completed and are also saved in /root/knock.FAQ.
Code:
nmap -p 8683 123.4.5.67 && nmap -p 6304 123.4.5.67 && nmap -p 7371 123.4.5.67
Once the door is opened, you can log in from any computer with the same public IP address. You could also make SIP calls, etc. The door stays open for ONE HOUR as configured! Use /root/add-ip to create a more permanent IPtables rule, or modify the time limit (cmd_timeout) as outlined below.
IMPORTANT: If your server is sitting behind a hardware-based firewall, you must map the 3 TCP ports from your hardware firewall to the private IP address of your server!
WARNING: Be very careful with your Port Knocker credentials. Anybody that obtains the sequence basically gets access to attack your server just as if they were sitting at a login prompt for your server. They still need your passwords, but it's one step closer to a compromised server. So treat the port sequence just like a password. It is!
To manually install on previous installations...
First, you'll need to know whether you're running a 32-bit or 64-bit OS. Then, log in as root and...
Code:
cd /root
apt-get install libpcap* -y
# for 32-bit, enable the next line by removing #
# wget http://ftp.us.debian.org/debian/pool/main/k/knockd/knockd_0.5-3_i386.deb
# for 64-bit, enable the next line by removing #
# wget http://ftp.us.debian.org/debian/pool/main/k/knockd/knockd_0.5-3_amd64.deb
dpkg -i knockd*
nano -w /etc/knockd.conf
# Make your config look like what's shown in the knockd.conf example below
# But make up 3 magic numbers of your choice and choose tcp, udp as desired
# Save the file after making your changes: Ctrl-X, Y, then Enter
nano -w /etc/default/knockd
# change START_KNOCKD=0 to START_KNOCKD=1 and save file
# above file is /etc/sysconfig/knockd on RedHat/CentOS systems
# if using wlan0 wireless interface instead of eth0, add: KNOCKD_OPTS="-i wlan0"
/etc/init.d/knockd start
knockd.conf should look like the following example. Be sure to substitute your 3 magic numbers for 2, 4, and 6!! You can mix and match tcp and udp as desired. The setup below keeps SSH port 22 open for 1 hour (3600 seconds) on the IP address of any successful knock (15-second timeout on the sequence) using one of the knock clients from the dev web site.
Remember to map the three ports to your server from your firewall if it's behind a hardware-based firewall. Otherwise, you do NOT have to open any ports in IPtables for this to work.
Code:
[options]
logfile = /var/log/knockd.log
[opencloseSSH]
sequence = 2:udp,4:tcp,6:udp
seq_timeout = 15
tcpflags = syn,ack
start_command = /sbin/iptables -A INPUT -s %IP% -p tcp --dport ssh -j ACCEPT
cmd_timeout = 3600
stop_command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport ssh -j ACCEPT
You can review your successes and failures and automatic port closings in /var/log/knockd.log.
NOTE: Always turn off knockd before making changes in your configuration. Then start it again.
Code:
/etc/init.d/knockd stop
nano -w /etc/knockd.conf
/etc/init.d/knockd start
Once you get the hang of it, there are lots of magic tricks you can perform with the start_command and stop_command. For example, if you wanted to open up full access to your server for a specific IP address after a successful knock, substitute the following in /etc/knockd.conf:
Code:
[opencloseSSH]
sequence = 2:udp,4:tcp,6:udp
seq_timeout = 15
tcpflags = syn,ack
start_command = /sbin/iptables -A INPUT -s %IP% -j ACCEPT
cmd_timeout = 3600
stop_command = /sbin/iptables -D INPUT -s %IP% -j ACCEPT
Or you could just open up SIP access (e.g. for remote users) by changing:
Code:
/sbin/iptables -A INPUT -s %IP% -p tcp --dport ssh -j ACCEPT
to:
Code:
/sbin/iptables -A INPUT -s %IP% -p udp --dport 5060:5069 -j ACCEPT