TUTORIAL Knock 3 Times: knockd

miguel (Member):
One question: what happens after 1 hour if the phone is still registered?
 

miguel (Member):
What I mean is: if one client knocks and registers, makes the call, and the other one has knocked and registered an hour and a half before and never unregistered, can he still receive a call?
 
[poster name and title missing from page]:
If I remember my port knocking basics correctly (and I'm sure someone will correct me if I'm wrong) - it all depends on traffic through the opened port. As long as there is traffic through the opened port before the timeout period it will remain open, but if there's no traffic for the port timeout length it will close the port (because obviously at that point it thinks there is no longer a connection through it) and you would have to re-knock to open it back up.
 
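The two questions above come down to how knockd's timers behave, so here is a small model added for this thread (it is not knockd's code and was not posted by anyone in the thread). It follows knockd.conf(5): seq_timeout is the longest gap allowed between consecutive knocks before a partial sequence is discarded, and cmd_timeout is a fixed delay between start_command and stop_command, so the rule added for an IP is removed when that delay expires whether or not the phone is still sending traffic. The IP addresses and times are constructed, and the rule that an out-of-order knock resets the count to zero is a simplification of knockd's handling.

```python
"""Model of knockd's per-door sequence and timeout handling.

Added example, not knockd's code. Semantics taken from knockd.conf(5):
  - seq_timeout: max gap (seconds) between consecutive knocks of one sequence;
  - cmd_timeout: fixed delay (seconds) between start_command and stop_command,
    not extended by traffic from the knocking host.
"""
from dataclasses import dataclass, field


@dataclass
class KnockPolicy:
    """One [door] section: the knock sequence and its two timers (seconds)."""
    sequence: list               # e.g. [(1111, "tcp"), (2222, "tcp"), (3333, "tcp")]
    seq_timeout: float = 60.0    # max gap between consecutive knocks
    cmd_timeout: float = 3600.0  # fixed delay between start_command and stop_command


@dataclass
class KnockTracker:
    policy: KnockPolicy
    progress: dict = field(default_factory=dict)  # src -> (next expected index, last knock ts)
    allowed: dict = field(default_factory=dict)   # src -> ts at which stop_command fires
    commands: list = field(default_factory=list)  # ("start"|"stop", src, ts), in order

    def observe(self, ts, src, port, proto):
        """Feed one packet; returns "open" when the sequence completes, else None."""
        self.expire(ts)
        if (port, proto) not in self.policy.sequence:
            return None          # knockd's pcap filter only captures the sequence ports
        idx, last = self.progress.get(src, (0, None))
        if last is not None and ts - last > self.policy.seq_timeout:
            idx = 0              # too slow: the partial sequence is discarded
        if (port, proto) == self.policy.sequence[idx]:
            idx += 1
        else:
            idx = 0              # modelled simplification: out-of-order knock resets the count
        if idx == len(self.policy.sequence):
            self.progress.pop(src, None)
            self.allowed[src] = ts + self.policy.cmd_timeout   # start_command runs now
            self.commands.append(("start", src, ts))
            return "open"
        self.progress[src] = (idx, ts)
        return None

    def expire(self, now):
        """Run stop_command for every IP whose cmd_timeout has elapsed."""
        closed = sorted(src for src, until in self.allowed.items() if until <= now)
        for src in closed:
            del self.allowed[src]
            self.commands.append(("stop", src, now))
        return closed

    def is_allowed(self, src, now):
        self.expire(now)
        return src in self.allowed


def two_phones():
    """Phone A knocked 90 minutes ago; phone B knocks now. A's SIP traffic in between changes nothing."""
    policy = KnockPolicy([(1111, "tcp"), (2222, "tcp"), (3333, "tcp")])
    door = KnockTracker(policy)
    a, b = "198.51.100.7", "203.0.113.5"          # constructed documentation addresses
    for i, (port, proto) in enumerate(policy.sequence):
        door.observe(i, a, port, proto)            # t = 0, 1, 2 -> door opened for A at t=2
    door.observe(3000, a, 5060, "udp")             # SIP packet from A: not a knock, ignored
    for i, (port, proto) in enumerate(policy.sequence):
        door.observe(5400 + i, b, port, proto)     # B knocks 90 minutes later
    now = 5402
    return door.is_allowed(a, now), door.is_allowed(b, now)   # -> (False, True)


def slow_knock():
    """A knock whose second hit arrives after seq_timeout never opens the door."""
    policy = KnockPolicy([(1111, "tcp"), (2222, "tcp"), (3333, "tcp")], seq_timeout=60)
    door = KnockTracker(policy)
    src = "203.0.113.9"                            # constructed address
    opened = [door.observe(t, src, port, proto)
              for t, (port, proto) in zip((0, 100, 101), policy.sequence)]
    return "open" in opened                        # -> False


if __name__ == "__main__":
    print("old phone allowed, new phone allowed:", two_phones())
    print("slow knock opened the door:", slow_knock())
```

With the config quoted later in the thread (cmd_timeout = 3600) the first phone's ACCEPT rule is deleted exactly one hour after its knock completed, so a phone that registered 90 minutes ago is no longer reachable until it knocks again, regardless of whether it kept sending traffic.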

Tapiocapioca (New Member):
First, thank you for accepting me :D

I installed a new version of piaf (yesterday) on my machine but I have a problem: the knockd service was working, but after one reboot it stopped working. I can't understand the reason.

Watching the log in verbose mode I can see the output below; maybe it can help to understand :(

root@pbx:~# knockd --debug --verbose
config: new section: 'options'
config: log file: /var/log/knockd.log
config: new section: 'opencloseALL'
config: opencloseALL: sequence: 1111:tcp,2222:tcp,3333:tcp
config: opencloseALL: seq_timeout: 60
config: tcp flag: SYN
config: opencloseALL: start_command: /sbin/iptables -A INPUT -s %IP% -j ACCEPT
config: opencloseALL: cmd_timeout: 3600
config: opencloseALL: stop_command: /sbin/iptables -D INPUT -s %IP% -j ACCEPT
could not open eth0: eth0: No such device exists (SIOCGIFHWADDR: No such device)
 

Tapiocapioca (New Member):
I fixed the problem :D

It is enough to check the name of the interface with the command

ifconfig

open the file

/etc/default/knockd

and add the line

KNOCKD_OPTS="-i p2p1"

where p2p1 is the name of the interface
 

wardmundy (Nerd Uno):
Here is the excerpt from the original Nerd Vittles tutorial:

Server Navigation Guide. On both the RedHat/CentOS/Fedora and Ubuntu/Debian platforms, the knockd configuration is managed in /etc/knockd.conf. Before making changes, always shutdown knockd. Then make your changes. Then restart knockd. On RedHat systems, use service knockd stop and start. On Ubuntu, use /etc/init.d/knockd stop and start. By default, knockd monitors activity on eth0. If your setup is different, on Ubuntu, you’ll need to change the port in /etc/default/knockd: KNOCKD_OPTS="-i wlan0". On RedHat, the config file to modify is /etc/sysconfig/knockd and the syntax: OPTIONS="-i venet0:0".
 

AndyInNYC (Active Member):
I'm a little late to the party, but I finally installed knockd.

I'm using PBX in a Flash GREEN under Centos 6.5.

The installation didn't find the rpm, so I installed it manually without problem.

knockd is running correctly as a service and /etc/knockd.conf has 3 ports listening under TCP.

On my router, I have forwarded each of the 3 ports to the .29 address of the PBX (just as I did port 5060 and 10K-15K).

My knock is never answered, and the log file shows no entries.

I am using KnockOnD for iOS. I have tried changing the delay from 5 to 100, 250, 500 and 1000 ms.
No change

I have tried changing from tcp to udp (and made the changes to the .conf file as well)
No change.

Is it the iOS program (KnockOnD) or is there something else I can check before I buy a program/start again?
I see the forwarding rules on the router in iptables -nL, so that, at least, is running correctly.

EDIT: bought the $.99 PortKnock program and it makes no difference.


Thoughts?

Andrew
 

wardmundy (Nerd Uno):
Adjust the timing interval of the knocks. That matters on some server platforms.
 

AndyInNYC (Active Member):
> Adjust the timing interval of the knocks. That matters on some server platforms.

I’ve adjusted the timing and the tcp/udp usage. Went as high as 1000 ms.

Log doesn’t show any attempt at connecting, but says it is listening.

Andrew
 

Dave Gray (Guru):
First thing is, you aren't seeing the knock attempts. OK, so now, why?
You did not mention what your platform is; in some cases you don't use eth0 as the network device, and you will need to update the config to point to your main network device. An ifconfig -a should make it obvious which it is: look for the one with lots of packets (that doesn't have a 127.0.0.* address).
Also might look into the router setup. You've forwarded the ports, so that *should* do it, but it'd be worth double checking.
 

AndyInNYC (Active Member):
Dave,

Thanks for the reply.

I'm using PIAF GREEN on an old PC in the basement - it's been working well for years and has a Digium board with hardware EC.
The machine is using eth0 as expected.

The router is running OpenWRT, albeit an old version. It's a WNDR3700 V2.

My router's iptables -nL returns, among other lines, this:
Code:
Chain nat_reflection_fwd (1 references)
target     prot opt source               destination        
ACCEPT     tcp  --  192.168.40.0/24      192.168.40.29       tcp dpt:5060 /* wan */
ACCEPT     udp  --  192.168.40.0/24      192.168.40.29       udp dpt:5060 /* wan */
ACCEPT     tcp  --  192.168.40.0/24      192.168.40.29       tcp dpts:15001:20000 /* wan */
ACCEPT     udp  --  192.168.40.0/24      192.168.40.29       udp dpts:15001:20000 /* wan */
ACCEPT     tcp  --  192.168.40.0/24      192.168.40.29       tcp dpt:9689 /* wan */
ACCEPT     udp  --  192.168.40.0/24      192.168.40.29       udp dpt:9689 /* wan */
ACCEPT     tcp  --  192.168.40.0/24      192.168.40.29       tcp dpt:8190 /* wan */
ACCEPT     udp  --  192.168.40.0/24      192.168.40.29       udp dpt:8190 /* wan */
ACCEPT     tcp  --  192.168.40.0/24      192.168.40.29       tcp dpt:6815 /* wan */
ACCEPT     udp  --  192.168.40.0/24      192.168.40.29       udp dpt:6815 /* wan */

and then, later at the bottom:

Code:
Chain zone_wan_forward (1 references)
target     prot opt source               destination        
ACCEPT     tcp  --  0.0.0.0/0            192.168.40.29       tcp dpt:5060
ACCEPT     udp  --  0.0.0.0/0            192.168.40.29       udp dpt:5060
ACCEPT     tcp  --  0.0.0.0/0            192.168.40.29       tcp dpts:15001:20000
ACCEPT     udp  --  0.0.0.0/0            192.168.40.29       udp dpts:15001:20000
ACCEPT     tcp  --  0.0.0.0/0            192.168.40.29       tcp dpt:9689
ACCEPT     udp  --  0.0.0.0/0            192.168.40.29       udp dpt:9689
ACCEPT     tcp  --  0.0.0.0/0            192.168.40.29       tcp dpt:8190
ACCEPT     udp  --  0.0.0.0/0            192.168.40.29       udp dpt:8190
ACCEPT     tcp  --  0.0.0.0/0            192.168.40.29       tcp dpt:6815
ACCEPT     udp  --  0.0.0.0/0            192.168.40.29       udp dpt:6815

(I'll change the ports later when this works)

My knockd.conf file reads:

Code:
[options]
        logfile       = /var/log/knockd.log
[opencloseALL]
        sequence      = 9689:udp,8190:udp,6815:udp
        seq_timeout   = 15
        tcpflags      = syn
        start_command = /sbin/iptables -A INPUT -s %IP% -j ACCEPT
        cmd_timeout   = 3600
        stop_command  = /sbin/iptables -D INPUT -s %IP% -j ACCEPT


What else should I look for/change?


Andrew
 

AndyInNYC (Active Member):
Still no knock.

Looking at iptables -nL, I would have expected to see rules for each of the 3 ports being forwarded from my router. They aren't there, and the install program doesn't seem to put them there.

If my Travelin' Man drops all unknown IPs, how are the 3 port knocks supposed to get through the firewall?

I'm grasping for straws, but I feel as though I must be doing something wrong. I know that port forwarding works, or else I wouldn't be able to get the ports from the router to the PBX (duh!) so I think the port forward must be right. Therefore it should be something in the knockd setup.

I ran tcpdump port A or port B or port C (the 3 knock ports) and there wasn't any activity shown. My router doesn't have tcpdump, so I can't see what's happening there.

Help?

Andrew
 

AndyInNYC (Active Member):
And even more follow up.

I installed tcpdump on my router (who knew?).

If I'm using my phone on wi-fi on my home network, the port knocking will work (i.e. it shows up in tcpdump).

If I disable wifi and force my phone to knock via cellular and my DDNS address (or the IP plugged into the app directly), the router never sees the port knocking.

So, I'm not sure why the app won't hit my router. Thoughts?
 
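Since a packet capture on the PBX or the router is the decisive check in the posts above, here is a script added for this thread (not the thread's own code and not a knockd tool) that parses tcpdump's default text output, groups knocks by source address, separates LAN-sourced knocks from private-range and internet-sourced ones, and reports whether each source completed the 9689,8190,6815 UDP sequence from the posted knockd.conf within its seq_timeout of 15 seconds. Both tcpdump and knockd read packets through libpcap ahead of the iptables INPUT chain, so a drop-everything-unknown firewall does not hide knocks from either of them; a knock that never appears in tcpdump never reached the box. The capture lines and the source addresses are constructed for the example.

```python
"""Audit knock attempts in tcpdump text output. Added example, not part of the thread."""
import ipaddress
import re
from collections import defaultdict

# Knock sequence and seq_timeout from the knockd.conf posted earlier in the thread
KNOCK_SEQUENCE = [(9689, "udp"), (8190, "udp"), (6815, "udp")]
SEQ_TIMEOUT = 15
LAN = "192.168.40.0/24"            # the PBX's LAN, from the posted iptables output
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed lines in tcpdump's default text format (run with -n so ports stay numeric).
# Sources: a phone on the LAN (complete knock), an internet phone that hits the ports out of
# order, an internet phone that pauses too long, and a host on another private network.
SAMPLE_TCPDUMP = """\
12:00:01.000100 IP 192.168.40.50.40001 > 192.168.40.29.9689: UDP, length 0
12:00:01.250100 IP 192.168.40.50.40002 > 192.168.40.29.8190: UDP, length 0
12:00:01.500100 IP 192.168.40.50.40003 > 192.168.40.29.6815: UDP, length 0
12:05:10.000000 IP 203.0.113.5.51234 > 192.168.40.29.9689: UDP, length 0
12:05:10.300000 IP 203.0.113.5.51235 > 192.168.40.29.6815: UDP, length 0
12:07:00.000000 IP 198.51.100.7.33000 > 192.168.40.29.9689: UDP, length 0
12:07:00.200000 IP 198.51.100.7.33001 > 192.168.40.29.8190: UDP, length 0
12:09:00.000000 IP 198.51.100.7.33002 > 192.168.40.29.6815: UDP, length 0
12:10:00.000000 IP 10.0.0.4.5000 > 192.168.40.29.9689: UDP, length 0
"""

LINE_RE = re.compile(
    r"^(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d\.\d+) IP (?P<src>[\d.]+)\.\d+ > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<rest>.*)$"
)


def parse(text):
    """Yield (seconds since midnight, src IP, dst port, proto) for each IPv4 line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue                      # ARP, IPv6 or truncated lines are skipped
        ts = int(m["h"]) * 3600 + int(m["m"]) * 60 + float(m["s"])
        proto = "udp" if m["rest"].startswith("UDP") else "tcp"   # TCP lines start with Flags [..]
        yield ts, m["src"], int(m["dport"]), proto


def origin(src, lan_net):
    """lan: the PBX's own subnet; private: another RFC1918 range (e.g. the far side of a
    double-NAT setup); internet: anything else."""
    ip = ipaddress.ip_address(src)
    if ip in lan_net:
        return "lan"
    if any(ip in net for net in RFC1918):
        return "private"
    return "internet"


def audit(text, sequence=KNOCK_SEQUENCE, seq_timeout=SEQ_TIMEOUT, lan=LAN):
    """Return {src: (origin, completed_sequence)} for every source that hit a knock port.
    A gap longer than seq_timeout or an out-of-order port resets that source's count."""
    lan_net = ipaddress.ip_network(lan)
    stage = defaultdict(lambda: (0, None))     # src -> (next expected index, last ts)
    report = {}
    for ts, src, port, proto in parse(text):
        if (port, proto) not in sequence:
            continue
        idx, last = stage[src]
        if last is not None and ts - last > seq_timeout:
            idx = 0
        idx = idx + 1 if (port, proto) == sequence[idx] else 0
        complete = idx == len(sequence)
        if complete:
            idx = 0
        where, done = report.get(src, (origin(src, lan_net), False))
        report[src] = (where, done or complete)
        stage[src] = (idx, ts)
    return report


if __name__ == "__main__":
    # Real use: tcpdump -n -i eth0 'udp port 9689 or udp port 8190 or udp port 6815' > knocks.txt
    for src, (where, done) in audit(SAMPLE_TCPDUMP).items():
        print(f"{src:16} {where:9} {'complete' if done else 'incomplete'}")
```

If every completed sequence in the capture comes from a "lan" source and the cellular attempts are absent altogether, the knocks are being dropped before the PBX, which in this thread turned out to be the upstream router in front of the home router.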

MGD4me (Guru):
> If I'm using my phone on wi-fi on my home network, the port knocking will work (i.e. it shows up in tcpdump).

You were probably connecting directly to your PBX LAN IP address, perhaps? What if you connect to the public IP address?
 

AndyInNYC (Active Member):
MGD4me,

Thanks for responding. On the local network, I pinged the router (nmap) and the PBX got the port knock.

With wifi disabled, I pinged the dynamic DNS as well as the direct IP of the router (my public IP in both cases) and . . . nothing.

I'm on FIOS gigabit - but I can't imagine that has anything to do with anything.

Andrew
 

AndyInNYC (Active Member):
Almost there.

My port is now knocking


For anyone with the same problem, the solution was that I have a FIOS router in bridge mode in front of my personal router. I had to forward, not only from 'my' router to the PBX, but also from the FIOS router TO my router.

So now, when I port knock, my PBX now shows the IP of my cell phone in iptables. A win!

My FIOS and personal router are forwarding 5060, 150001-20000 and the knock ports to the PBX.

My Zoiper app, however, fails to register.

The knock, however, doesn't change anything on my personal router.

Do I need to forward any other ports from the FIOS router/my router to the PBX to get external phones to register?

I'm getting a 'Registration Timeout(408)' as my Zoiper error message. In asterisk -vvvvvr, I don't see any activity of the phone trying to register.

My SIP Settings are:

NAT = Yes
IP config is Dynamic
Dynamic Host is my DDNS address
local networks are my 192.168.40.0 and 10.0.0

Any other info needed?

Andrew
 
