How to Hide Application Port Using knockd in Linux

<div dir="ltr" style="text-align: left;" trbidi="on"> <h1 class="post-title single" style="background-color: white; margin: 0px 0px 5px; padding: 0px;"> <span style="color: red; font-size: large;"><u><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="letter-spacing: -1px; line-height: 1.2em;">Hide </span><span style="letter-spacing: -1px; line-height: 38.4px;">Application</span><span style="letter-spacing: -1px; line-height: 1.2em;"> Port Using knockd in Linux</span></span></u></span></h1> <div> <div style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 15px; word-break: break-word;"> As a system administrator, we should do everything to secure our server from attackers. As the internet grows, threats to our server is also growing. One of the popular entrances to attack our server is through the port on your server that open. If your SSH server is running on </div> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEipoEw0Znm4kJkLvWo3mEqOj2QT8IMXelfxBtu4l68eChcU2zg0JxuRSX6HX5DyInhphW5j6Gt_TLna7VAj6kJZUUEhhGezwORQDYdtPON2FFzdQ5U3AsN1aQmEYKCSBrMR3k5HXyvk9_Qk/s1600/knock_www.hackthesec.co.in.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEipoEw0Znm4kJkLvWo3mEqOj2QT8IMXelfxBtu4l68eChcU2zg0JxuRSX6HX5DyInhphW5j6Gt_TLna7VAj6kJZUUEhhGezwORQDYdtPON2FFzdQ5U3AsN1aQmEYKCSBrMR3k5HXyvk9_Qk/s1600/knock_www.hackthesec.co.in.jpg" /></a></div> <div style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 15px; word-break: break-word;"> <br /></div> your machine, then usually the SSH port is listening. Which means it is open, waiting for the connection.<br /> <div style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 15px; word-break: break-word;"> Leaving the port open for 24 hours, is not recommended because it is vulnerable. Because we can scan the machine to see the open port. <strong>Nmap</strong> is one of the most popular port scanner that can be used by anyone to scan your machine.</div> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDf3M4nS_qiN_gLL-2-uLTQvMz86c_K8ceCCxtdRLLJw_6Yqznfc6cT1_3jxdmZ0Ab6lOrgHFaQvtI1iE3C50YrkrFnHHGS8Z-8cwgZG6KtRZLa76vYLeBJdpsiy8wYZyeFtlZxzHeOeh5/s1600/nmap_www.hackthesec.co.in.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDf3M4nS_qiN_gLL-2-uLTQvMz86c_K8ceCCxtdRLLJw_6Yqznfc6cT1_3jxdmZ0Ab6lOrgHFaQvtI1iE3C50YrkrFnHHGS8Z-8cwgZG6KtRZLa76vYLeBJdpsiy8wYZyeFtlZxzHeOeh5/s1600/nmap_www.hackthesec.co.in.png" /></a></div> <div style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 15px; word-break: break-word;"> <br /> How if we can open the on demand and close the port when it’s not used? Sounds interesting. Now we can do it using knockd application.</div> <h1 style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 20pt; letter-spacing: -1px; line-height: 1.2em; margin: 0px 0px 15px; padding: 0px;"> <span style="color: #0b5394;"><u>What is knockd</u></span></h1> <div style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 15px; word-break: break-word;"> Knockd is a port-knock server. It listens to all traffice on an ethernet (or PPP) interface, looking for special “knock” sequences of port-hits. (Source : <a href="http://www.zeroflux.org/projects/knock" style="outline: none; text-decoration: none;" title="knockd">http://www.zeroflux.org/projects/knock</a>)</div> <h1 style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 20pt; letter-spacing: -1px; line-height: 1.2em; margin: 0px 0px 15px; padding: 0px;"> <u><span style="color: #0b5394;">How it works</span></u></h1> <div style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 15px; word-break: break-word;"> Every application needs a port as a “door” for “listening” requests from other clients. This port usually on open state or close state. There are a lot of ports that available on the server. But there are some ports that agreed by consensus, such as <a href="http://www.hackthesec.co.in/search/label/SSH" target="_blank">SSH </a>(22), Web (80) and <a href="http://www.hackthesec.co.in/search/label/ftp" target="_blank">FTP </a>(21).</div> <div style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 15px; word-break: break-word;"> A basic rule of server security is to open only used ports and close the rest. You may have some ports that are sometimes used and sometimes not. Leaving those ports open while is not being used is not recommended.</div> <div style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 15px; word-break: break-word;"> When you install knockd, you can let the client “knock” the server with pattern. The knocking sequence can be custom by you. So this knocking pattern will be unique to each other. If the pattern is match, then the port you need will be opened for a period of time and the request can enter your server.</div> <div style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 15px; word-break: break-word;"> Once you have done with the application, you can close the port manually or automatically.</div> <h1 style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 20pt; letter-spacing: -1px; line-height: 1.2em; margin: 0px 0px 15px; padding: 0px;"> <span style="color: #0b5394;"><u>How to install knockd</u></span></h1> <div style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 15px; word-break: break-word;"> On this article, we are using Zorin 9 OS which based on Ubuntu 14.04 LTS. If you are using another distribution please adjust it to the installation method of your distribution.</div> <div style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 15px; word-break: break-word;"> Knockd is available on Ubuntu repository. Then we can use <b>apt-get to install knockd</b>.</div> <pre style="background: none 0px 0px repeat scroll rgb(60, 60, 60); border-radius: 4px; border: 1px solid rgb(229, 229, 229); margin-bottom: 20px; outline: 0px; overflow: auto; padding: 20px; vertical-align: baseline;"><span style="color: white; font-size: small;"><span style="font-size: large; line-height: 15.6px;"><span style="color: white;">$ sudo </span><span style="color: lime;">apt-get</span><span style="color: white;"> install </span><span style="color: lime;">knockd</span></span></span></pre> <div style="background-color: white; font-family: arial, helvetica, sans-serif; line-height: 21px; margin-bottom: 15px;"> Just wait for a few minutes, then your knockd is already setup.</div> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhA67oGT2cT3lLU_cFpxIgca4LBVCdVr35XzzSgoIRxGdboOfQCTdcP3vYAiEZvaFnrPajh3-0WnqGFMQY4c86NPudth9QaKHs2zif51Qlo_htuKkY9SOQnXH2iBwESzXzypeYGDUSHOhum/s1600/install_knockd_hackthesec.co.in.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhA67oGT2cT3lLU_cFpxIgca4LBVCdVr35XzzSgoIRxGdboOfQCTdcP3vYAiEZvaFnrPajh3-0WnqGFMQY4c86NPudth9QaKHs2zif51Qlo_htuKkY9SOQnXH2iBwESzXzypeYGDUSHOhum/s1600/install_knockd_hackthesec.co.in.png" /></a></div> <h1 style="background-color: white; color: #333333; font-family: Arial, Helvetica, sans-serif; font-size: 20pt; letter-spacing: -1px; line-height: 1.2em; margin: 0px 0px 15px; padding: 0px;"> </h1> <h1 style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 20pt; letter-spacing: -1px; line-height: 1.2em; margin: 0px 0px 15px; padding: 0px;"> <span style="color: #0b5394;"><u>Configure knockd</u></span></h1> <div style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 15px; word-break: break-word;"> Knock configuration file is located in <strong>/etc/knockd.conf</strong><br /> The sample configuration is simple and easy to understand.</div> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQSIXg_eYyfRDU_WaXIrcGU0pLzfl4tBOf3YBmLKklE4cV-rJblSvH6DpxO1B0odRgIit6TbE4hSPCnZy0el2QZqri_jvPkn86SritsHJCwGMF-FOu0Tk-MQ3pJpvs9aXLd0TsE1Nk0Qtz/s1600/conf_www.hackthesec.co.in.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="230" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQSIXg_eYyfRDU_WaXIrcGU0pLzfl4tBOf3YBmLKklE4cV-rJblSvH6DpxO1B0odRgIit6TbE4hSPCnZy0el2QZqri_jvPkn86SritsHJCwGMF-FOu0Tk-MQ3pJpvs9aXLd0TsE1Nk0Qtz/s640/conf_www.hackthesec.co.in.png" width="640" /></a></div> <div style="background-color: white; color: #666666; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 15px; word-break: break-word;"> <br /></div> <div style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 15px; word-break: break-word;"> We can see that the configuration is divided into three sections. The <strong>[options]</strong> section, <strong>[openSSH]</strong> section to open SSH port and <strong>[closeSSH]</strong> section to close SSH port.</div> <div style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 15px; word-break: break-word;"> By default <strong>[options]</strong> section contain only 1 row. It tell us that the knockd log will be recorded using the operating system log application. On Ubuntu, we will see the log in <strong>/var/log/syslog</strong>; folder.</div> <div style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 15px; word-break: break-word;"> Of course we can choose not to use SysLog. We can change it into this line, if we want to use custom log.</div> <pre style="background: none 0px 0px repeat scroll rgb(60, 60, 60); border-radius: 4px; border: 1px solid rgb(229, 229, 229); margin-bottom: 20px; outline: 0px; overflow: auto; padding: 20px; vertical-align: baseline;"><span style="color: white; font-size: small;"><span style="font-size: large; line-height: 15.6px;"><span style="color: white;">logfile = /var/log/</span><span style="color: lime;">knockd.log</span></span></span></pre> <div style="background-color: white; font-family: arial, helvetica, sans-serif; line-height: 21px; margin-bottom: 15px;"> The above line, will put knock log file in <strong>/var/log/knockd.log</strong></div> <div style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 15px; word-break: break-word;"> [openSSH] sections has identical commands with [closeSSH] section.</div> <div style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 15px; word-break: break-word;"> <strong>sequence = 1200,1300,1400</strong><br /> This is the knock pattern. It will trigger the command below in the section. The value of this parameter is fully customized. We can choose another random number.</div> <div style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 15px; word-break: break-word;"> <strong>seq_timeout = 10</strong><br /> This will tell knockd about how long the knock pattern must be completed in.</div> <div style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 15px; word-break: break-word;"> <strong>command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT</strong><br /> This parameter will open SSH port on port 22</div> <div style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 15px; word-break: break-word;"> <strong>tcpflags = syn</strong><br /> This parameter indicates that the Client will sends a TCP SYNchronize packet to the server</div> <h1 style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 20pt; letter-spacing: -1px; line-height: 1.2em; margin: 0px 0px 15px; padding: 0px;"> <span style="color: #0b5394;"><u>Setting up the firewall</u></span></h1> <div style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 15px; word-break: break-word;"> As we know before, knockd will open particular port temporarily. So we have to make sure firewall is running on the server. Basically, we will close all ports. We are using iptables syntax to do it. Here are the steps.</div> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiP22SstqKcmmXGUdAtWGPbAADZdLIb93deXYAOSeoJhmj_AIQF7ELkMKvr4gB0cePwYjv78nWYOcFtSD8ypVOTF8hIJciPTIUH0BdgB9iNAdhHPwhvoMAJffuQBRpe6LAyyJ5xFIX6qRG0/s1600/iptables_conf_www.hackthesec.co.in.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiP22SstqKcmmXGUdAtWGPbAADZdLIb93deXYAOSeoJhmj_AIQF7ELkMKvr4gB0cePwYjv78nWYOcFtSD8ypVOTF8hIJciPTIUH0BdgB9iNAdhHPwhvoMAJffuQBRpe6LAyyJ5xFIX6qRG0/s1600/iptables_conf_www.hackthesec.co.in.png" /></a></div> <div style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 15px; word-break: break-word;"> <br /> The 1st command, will allow the current on-going session through firewall.<br /> The 2nd command, will allow the server is able to ping by another machine.<br /> The 3rd command, will reject every requests.</div> <div style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 15px; word-break: break-word;"> To test the knockd service, we expect that our will firewall will drop all ssh connection. Then knockd will open it temporarily on demand.</div> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjnKpk2fjUFq33I5yQZT9xAlOYCOoljrCBnLYps4L_UevHYclPvJZ4X_PHe1bCjJx4qGncTeTVRwbG7w21widalzYR-AnZkWHZ3bKv8LN3mQAt7a6x4n2dXO1Pplg2qkerE7_KBoL1PCUI/s1600/ip_tables_www.hackthesec.co.in.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjnKpk2fjUFq33I5yQZT9xAlOYCOoljrCBnLYps4L_UevHYclPvJZ4X_PHe1bCjJx4qGncTeTVRwbG7w21widalzYR-AnZkWHZ3bKv8LN3mQAt7a6x4n2dXO1Pplg2qkerE7_KBoL1PCUI/s1600/ip_tables_www.hackthesec.co.in.png" /></a></div> <h1 style="background-color: white; color: #333333; font-family: Arial, Helvetica, sans-serif; font-size: 20pt; letter-spacing: -1px; line-height: 1.2em; margin: 0px 0px 15px; padding: 0px;"> </h1> <h1 style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 20pt; letter-spacing: -1px; line-height: 1.2em; margin: 0px 0px 15px; padding: 0px;"> <span style="color: #0b5394;"><u>Test the knockd on server side</u></span></h1> <div style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 15px; word-break: break-word;"> Once the firewall and knockd are setup, next we can test them.<br /> To test the firewall, try remote the server via SSH from another machine. (<em>on this article, client IP is 10.1.6.14 and server IP 10.0.76.224</em>)</div> <pre style="background: none 0px 0px repeat scroll rgb(60, 60, 60); border-radius: 4px; border: 1px solid rgb(229, 229, 229); margin-bottom: 20px; outline: 0px; overflow: auto; padding: 20px; vertical-align: baseline;"><span style="color: white; font-size: small;"><span style="font-size: large; line-height: 15.6px;"><span style="color: white;">$ ssh -l </span><span style="color: lime;">pungki </span><span style="color: white;">10.0.76.224</span></span></span></pre> <div style="background-color: white; font-family: arial, helvetica, sans-serif; line-height: 21px; margin-bottom: 15px;"> With :<br /> <div style="font-size: 14px;"> <strong>-l</strong> = login name</div> <div style="font-size: 14px;"> <strong>pungki</strong> = the user name on the destination server</div> </div> <div style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 15px; word-break: break-word;"> If the firewall works, then we will get <strong>“Connection refused”</strong> error message.</div> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjfRafJqFuFGUE3uaD6U5pfEqKmV8CwgJAc_b6-XdxHSaAoThuavWut-Q8G8Tm590Evw3g9mQkxHS9Zer5iE6Mme7HRMnyKw9fLpuObT6APc5xAgHKO44mQERwZwVKov6nZ-9RU0t_BL04u/s1600/connection_refused_www.hackthesec.co.in.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjfRafJqFuFGUE3uaD6U5pfEqKmV8CwgJAc_b6-XdxHSaAoThuavWut-Q8G8Tm590Evw3g9mQkxHS9Zer5iE6Mme7HRMnyKw9fLpuObT6APc5xAgHKO44mQERwZwVKov6nZ-9RU0t_BL04u/s1600/connection_refused_www.hackthesec.co.in.png" /></a></div> <div style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 15px; word-break: break-word;"> The reason we get the error message is the 10.1.6.14 is not allowed to enter the server. If we use this command, we will see no result.</div> <pre style="background: none 0px 0px repeat scroll rgb(60, 60, 60); border-radius: 4px; border: 1px solid rgb(229, 229, 229); margin-bottom: 20px; outline: 0px; overflow: auto; padding: 20px; vertical-align: baseline;"><span style="color: white; font-size: small;"><span style="font-size: large; line-height: 15.6px;"><span style="color: white;">$ </span><span style="color: lime;">sudo /sbin/iptables -L</span><span style="color: white;"> -n |grep 10.1.6.14</span></span></span></pre> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhlW_3AQMtYbLz_q36ogYB6i0YJjh4ge86K41UwVbalkoKmgBrhnHVhob46hi21H8dr7xaHH_b1G4gc3LK4fwoWEYVtbPg6LhccN3CDsm2CxXbxQJT3HCRSYXNN36U9COiy7LuHd9-2wmmC/s1600/iptables_before_knock_www.hackthesec.co.in.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhlW_3AQMtYbLz_q36ogYB6i0YJjh4ge86K41UwVbalkoKmgBrhnHVhob46hi21H8dr7xaHH_b1G4gc3LK4fwoWEYVtbPg6LhccN3CDsm2CxXbxQJT3HCRSYXNN36U9COiy7LuHd9-2wmmC/s1600/iptables_before_knock_www.hackthesec.co.in.png" /></a></div> <div style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 15px; word-break: break-word;"> Later, we will see the difference after knockd implemented.</div> <div style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 15px; word-break: break-word;"> Next step, is to test the knockd service.</div> <div style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 15px; word-break: break-word;"> To run knockd, we need to change knockd default file which located in /etc/default/knockd. Change the value of <strong>START_KNOCKD parameter from 0 to 1</strong>.</div> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhaZe0IJykHyWEfqgWsgqhoIjObun1UVhtKQaU8RUIYT6aK8Bf6Y0TVRZgvWb1oYiLvL2oMsJq0UJYuFczFGTS83J7Z-zJqdSX5VvoRNYTCfkCNoOFfVhU5m7dTzPWSKiNZij9_HvXRUjhT/s1600/default_knockd_www.hackthesec.co.in.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhaZe0IJykHyWEfqgWsgqhoIjObun1UVhtKQaU8RUIYT6aK8Bf6Y0TVRZgvWb1oYiLvL2oMsJq0UJYuFczFGTS83J7Z-zJqdSX5VvoRNYTCfkCNoOFfVhU5m7dTzPWSKiNZij9_HvXRUjhT/s1600/default_knockd_www.hackthesec.co.in.png" /></a></div> <div style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 15px; word-break: break-word;"> Save the file. Then type :</div> <pre style="background: none 0px 0px repeat scroll rgb(60, 60, 60); border-radius: 4px; border: 1px solid rgb(229, 229, 229); margin-bottom: 20px; outline: 0px; overflow: auto; padding: 20px; vertical-align: baseline;"><span style="color: white; font-size: small;"><span style="font-size: large; line-height: 15.6px;"><span style="color: white;">$ sudo </span><span style="color: lime;">service knockd</span><span style="color: white;"> start</span></span></span></pre> <div style="background-color: white; font-family: arial, helvetica, sans-serif; line-height: 21px; margin-bottom: 15px;"> *<em>note : I tried to run the service using /etc/init.d/knockd start , but it always fail to start</em></div> <h1 style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 20pt; letter-spacing: -1px; line-height: 1.2em; margin: 0px 0px 15px; padding: 0px;"> <span style="color: #0b5394;"><u>Test knockd from Client side</u></span></h1> <div style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 15px; word-break: break-word;"> On the client side, we need knock client to “knock” the server. On the client side, we use Centos 5.2. Then we install knock-client from <a href="http://pkgs.repoforge.org/knock/knock-0.5.3.el5.rf.i386.rpm" style="outline: none; text-decoration: none;" title="knock client">http://pkgs.repoforge.org/knock/knock-0.5.3.el5.rf.i386.rpm</a></div> <div style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 15px; word-break: break-word;"> Then run the command below to knock the server :</div> <pre style="background: none 0px 0px repeat scroll rgb(60, 60, 60); border-radius: 4px; border: 1px solid rgb(229, 229, 229); margin-bottom: 20px; outline: 0px; overflow: auto; padding: 20px; vertical-align: baseline;"><span style="color: white; font-size: small;"><span style="font-size: large; line-height: 15.6px;">$ knock -v 10.0.76.224 1200 1300 1400</span></span></pre> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiT-KXni4C1INDyp91QdgH7yvG91kZqKOEcYMcWhZdz5fsUlTNUldddqAee8sHvviRBFJBgYewr2odXHyNyXjcTQ_5-bCUELvpd05hsNe0CItVvTYgegGHi5rhxYso1PmqIB7Mnxcn_nBYI/s1600/knock_open_www.hackthesec.co.in.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiT-KXni4C1INDyp91QdgH7yvG91kZqKOEcYMcWhZdz5fsUlTNUldddqAee8sHvviRBFJBgYewr2odXHyNyXjcTQ_5-bCUELvpd05hsNe0CItVvTYgegGHi5rhxYso1PmqIB7Mnxcn_nBYI/s1600/knock_open_www.hackthesec.co.in.png" /></a></div> <div style="background-color: white; color: #666666; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 15px; word-break: break-word;"> <br /></div> <div style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 15px; word-break: break-word;"> <strong>-v</strong> = verbose<br /> <strong>10.0.76.224</strong> = Server IP<br /> <strong>1200 1300 1400</strong> = knock sequence which defined in the knockd configuration</div> <div style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 15px; word-break: break-word;"> After knock the server, now we will see that the client IP is now allowed to enter the server.</div> <pre style="background: none 0px 0px repeat scroll rgb(60, 60, 60); border-radius: 4px; border: 1px solid rgb(229, 229, 229); margin-bottom: 20px; outline: 0px; overflow: auto; padding: 20px; vertical-align: baseline;"><span style="color: white; font-size: small;"><span style="font-size: large; line-height: 15.6px;"><span style="color: white;">$ sudo /sbin/</span><span style="color: lime;">iptables </span><span style="color: white;">-L -n |grep 10.1.6.14</span></span></span></pre> <div style="background-color: white; font-family: arial, helvetica, sans-serif; line-height: 21px; margin-bottom: 15px;"> Then we can run SSH to remote the server.</div> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjINYEuu7LmyDs7fvdRsVd38bC5K8Z15OTpi7ZNei7wNDzoWW4jSmV9023OiY4aI0ZfDP5XMeFreENSehDFjnRlBCHQCJjj-hoa-5vx_Bk51mmIEIJYJMT5E9phhW3X_GL67zhkaYP9UPtZ/s1600/ssh_success_after_knock_1_www.hackthesec.co.in.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjINYEuu7LmyDs7fvdRsVd38bC5K8Z15OTpi7ZNei7wNDzoWW4jSmV9023OiY4aI0ZfDP5XMeFreENSehDFjnRlBCHQCJjj-hoa-5vx_Bk51mmIEIJYJMT5E9phhW3X_GL67zhkaYP9UPtZ/s1600/ssh_success_after_knock_1_www.hackthesec.co.in.png" /></a></div> <div style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 15px; word-break: break-word;"> As we can see on the above image, the host name of are different. After SSH to the remote machine established then the host name is changed from @web01 into @dev-machine.</div> <h1 style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 20pt; letter-spacing: -1px; line-height: 1.2em; margin: 0px 0px 15px; padding: 0px;"> <span style="color: #0b5394;"><u>Close the port</u></span></h1> <div style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 15px; word-break: break-word;"> After the client done to remote the server, the client need to close the port. To do that, we can use the command below :</div> <pre style="background: none 0px 0px repeat scroll rgb(60, 60, 60); border-radius: 4px; border: 1px solid rgb(229, 229, 229); margin-bottom: 20px; outline: 0px; overflow: auto; padding: 20px; vertical-align: baseline;"><span style="color: white; font-size: small;"><span style="font-size: large; line-height: 15.6px;"><span style="color: white;">$ </span><span style="color: lime;">knock </span><span style="color: white;">-v 10.0.76.224 1400 1300 1200</span></span></span></pre> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjseKC2KePBKaJufOpIsrsJfwjiU8L08ZMVOMFPEEGBsIcRr-pUpfbtcDurAkGDY-0XYN_hGxf1JUPlAnPg7hF4wVCI7dG1q3-nnq6sWwkUN_a8IKq3OG3nibdSX93H5a_QdfGOrQILERhP/s1600/knock_close_www.hackthesec.co.in.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjseKC2KePBKaJufOpIsrsJfwjiU8L08ZMVOMFPEEGBsIcRr-pUpfbtcDurAkGDY-0XYN_hGxf1JUPlAnPg7hF4wVCI7dG1q3-nnq6sWwkUN_a8IKq3OG3nibdSX93H5a_QdfGOrQILERhP/s1600/knock_close_www.hackthesec.co.in.png" /></a></div> <div style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 15px; word-break: break-word;"> <em><strong>Please be careful</strong>, to close the port, we put the knock sequence in the opposite order.</em></div> <div style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 15px; word-break: break-word;"> After knock the server, we will see a prompt again. To check if the knock was success, we use iptables command again. If it was success, we will see that IP 10.1.6.14 will disappeared.</div> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg10Hwu4L6yAHomwQ2jSZ3ZCHYjJfWKC431IPW1b-qU2qyrUw3WGasrdHXFk5gvu0rfzXlobAOaA63L9_blX2lc6Dv3dztXyMRuquceOPguOa_G2UD32-rEM-a-Ltt8hKUU8oQZ7BXBB8l-/s1600/iptables_after_knock_closed_www.hackthesec.co.in.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg10Hwu4L6yAHomwQ2jSZ3ZCHYjJfWKC431IPW1b-qU2qyrUw3WGasrdHXFk5gvu0rfzXlobAOaA63L9_blX2lc6Dv3dztXyMRuquceOPguOa_G2UD32-rEM-a-Ltt8hKUU8oQZ7BXBB8l-/s1600/iptables_after_knock_closed_www.hackthesec.co.in.png" /></a></div> <div style="background-color: white; color: #666666; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 15px; word-break: break-word;"> <br /></div> <div style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 15px; word-break: break-word;"> On the previous one, after knock to open the port, we saw that the client IP Address - 10.1.6.14 - is allowed to enter the server by firewall. Now, after we knock to close the port, if we check with the same iptables command, the rule was deleted.</div> <h1 style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 20pt; letter-spacing: -1px; line-height: 1.2em; margin: 0px 0px 15px; padding: 0px;"> <span style="color: #0b5394;"><u>Close the port Automatically</u></span></h1> <div style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 15px; word-break: break-word;"> Since the close port activity is triggered by client, we will have the possibility that the client forget to close the port. We don’t want it to happen. So we can configure knockd to close the port automatically.</div> <div style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 15px; word-break: break-word;"> In order to do that, <strong>we need to customize</strong> the knockd configuration file. Here is the sample of modified knockd configuration file.</div> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmfGYEcrmFo1Wvrx5TEsjimq2xDLWx1inxWnY9CSCKNABB2u4tERKJ9cr1p6BbpLVrOrekaIxhr8p4WCnsiwHp-RT1JSy4T_PJMRyBL-yiAM6HQ8MlQNkX5DpP2qFBLO9MNuQjyDG1-pTq/s1600/auto_close_conf_www.hackthesec.co.in.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmfGYEcrmFo1Wvrx5TEsjimq2xDLWx1inxWnY9CSCKNABB2u4tERKJ9cr1p6BbpLVrOrekaIxhr8p4WCnsiwHp-RT1JSy4T_PJMRyBL-yiAM6HQ8MlQNkX5DpP2qFBLO9MNuQjyDG1-pTq/s1600/auto_close_conf_www.hackthesec.co.in.png" /></a></div> <div style="background-color: white; color: #666666; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 15px; word-break: break-word;"> <br /></div> <div style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 15px; word-break: break-word;"> The command still looks identical. The difference with the previous configuration is we put [openSSH] section and [closeSSH] section in the same block.</div> <div style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 15px; word-break: break-word;"> Then we add <strong>cmd_timeout = 10</strong> line to tell the server <strong>to execute the stop_command 10 seconds after start_command is executed</strong>. The port will be automatically closed, but the established connection remain connected.</div> <div style="background-color: white; color: #666666; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 15px; word-break: break-word;"> <a href="http://www.hackthesec.co.in/" target="_blank">www.hackthesec.co.in</a><br /> <a href="http://www.twitter.com/hackthesecurity">www.twitter.com/hackthesecurity</a></div> <div style="background-color: white; color: #666666; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 15px; word-break: break-word;"> <br /></div> </div> </div>

How to Hide Application Port Using knockd in Linux

Hide  Application  Port Using knockd in Linux As a system administrator, we should do everything to secure our server from attackers. A...

Read more »