
Port knocking, or how to protect yourself from SSH brute force

We will talk about fighting the annoying brute-forcers and port scanners that try every way to get access to the server. The article covers Port Knocking, a technique that makes it possible to secure access to the server by hiding its ports.



A little about the technology itself


Port Knocking has an interesting feature: it relies on several attempts to connect to closed ports. You ask: "Why is that necessary?" Imagine that you came to an interview at an organization with access control. First you get to (1) the security post, where you are issued a pass, then (2) you go to the personnel department, where you fill out a questionnaire and they talk with you, and eventually (3) you go to the office of the manager, who conducts the final conversation and makes the decision. Now imagine what would happen if everyone who wished could go directly to the manager.

Port Knocking works with a sequence of attempts to connect to closed ports. Even though all the ports are closed, every connection attempt can be tracked in the firewall log files. The server usually does not respond to these connections, but it reads and processes them. If the series of connections matches one that the user defined in advance, a certain action is performed. The typical example is opening access to the SSH service on port 22, but Port Knocking is not limited to that: the trigger can perform other actions as well (say, power off, reboot the system, etc.).

Installation on FreeBSD


On the remote machine we have FreeBSD 9.1.
Port Knocking consists of two programs:
- server (knockd)
- client (knock)

I will give an example of setting up the server side.
# cd /usr/ports/
# make search key=knocking
Port:   doorman-0.81_1
Path:   /usr/ports/security/doorman
Info:   Port knocking implementation, both daemon and client
Maint:  lupe@lupe-christoph.de
B-deps: lsof-4.88.d,8
R-deps: lsof-4.88.d,8
WWW:    http://doorman.sourceforge.net/

Port:   knock-0.5_1,1
Path:   /usr/ports/security/knock
Info:   Flexible port-knocking server and client
Maint:  sbz@FreeBSD.org
B-deps:
R-deps:
WWW:    http://www.zeroflux.org/projects/knock


Go to the directory with the port and configure it.
# cd /usr/ports/security/knock
# make config


In the config dialog, tick the server part, then build and install the package.

Configuration


Now let's configure it.
First, copy the sample config.
# cd /usr/local/etc/
# cp knockd.conf.sample knockd.conf

There are many variants of the config on the net; I will give my own.
knockd.conf
[options]
    logfile = /var/log/knockd.log
    interface = em0

[opencloseSSH]
    sequence = 7000:udp,7007:tcp,7777:udp
    seq_timeout = 5
    tcpflags = syn
    start_command = /sbin/pfctl -t good_hosts -T add %IP%
    cmd_timeout = 10
    stop_command = /sbin/pfctl -t good_hosts -T delete %IP%

[open22]
    sequence = 7134:tcp,7675:tcp,7253:udp
    seq_timeout = 5
    tcpflags = syn
    command = /sbin/pfctl -t good_hosts -T add %IP%

[close22]
    sequence = 7253:udp,7675:tcp,7134:tcp
    seq_timeout = 5
    tcpflags = syn
    command = /sbin/pfctl -t good_hosts -T delete %IP%
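To make the semantics of the [opencloseSSH] stanza concrete (knocks must arrive in order within seq_timeout seconds, the table entry is removed again after cmd_timeout seconds, and a knock on a wrong port resets the sequence), here is an added Python example. It is not knockd's code: it is a small tracker that replays a constructed list of connection attempts, of the kind the firewall log or a packet listener would show, and records the pfctl commands knockd would run. The log line format, the source IPs and the timestamps are constructed; the sequence and timeouts are the real values from the config above.

```python
"""Knockd-style sequence tracker (added example, not knockd's own code)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Real values from the article's [opencloseSSH] stanza.
SEQUENCE: List[Tuple[int, str]] = [(7000, "udp"), (7007, "tcp"), (7777, "udp")]
SEQ_TIMEOUT = 5.0   # seq_timeout: the whole sequence must complete within this
CMD_TIMEOUT = 10.0  # cmd_timeout: run stop_command this long after start_command


@dataclass
class KnockState:
    stage: int = 0        # number of knocks matched so far
    started: float = 0.0  # timestamp of the first matching knock


class KnockTracker:
    """Per-source-IP state machine; records the pfctl commands it would run."""

    def __init__(self, sequence, seq_timeout, cmd_timeout):
        self.sequence = list(sequence)
        self.seq_timeout = seq_timeout
        self.cmd_timeout = cmd_timeout
        self.states: Dict[str, KnockState] = {}
        self.opened: Dict[str, float] = {}  # ip -> time it was added to the table
        self.actions: List[str] = []        # commands a real daemon would exec

    def _run(self, cmd: str) -> None:
        self.actions.append(cmd)

    def expire(self, now: float) -> None:
        """Emit stop_command for entries whose cmd_timeout has elapsed."""
        for ip, opened_at in list(self.opened.items()):
            if now - opened_at >= self.cmd_timeout:
                self._run(f"/sbin/pfctl -t good_hosts -T delete {ip}")
                del self.opened[ip]

    def knock(self, now: float, ip: str, port: int, proto: str) -> bool:
        """Feed one attempt (TCP assumed already filtered to SYN, as
        'tcpflags = syn' does); return whether ip is open afterwards."""
        self.expire(now)
        st = self.states.get(ip, KnockState())
        # A partial sequence that took longer than seq_timeout starts over.
        if st.stage and now - st.started > self.seq_timeout:
            st = KnockState()
        if (port, proto) == self.sequence[st.stage]:
            if st.stage == 0:
                st.started = now
            st.stage += 1
        else:
            # Wrong port resets; a knock on the first port restarts cleanly.
            st = KnockState()
            if (port, proto) == self.sequence[0]:
                st.stage, st.started = 1, now
        if st.stage == len(self.sequence):
            self._run(f"/sbin/pfctl -t good_hosts -T add {ip}")
            self.opened[ip] = now
            st = KnockState()
        self.states[ip] = st
        return ip in self.opened


# Constructed log lines: "<epoch-seconds> <proto> <source-ip> -> <dest-port>".
# 198.51.100.7 knocks correctly; 203.0.113.9 is too slow (7 s between knocks);
# 192.0.2.44 hits a single port, the way a scanner would.
LOG_LINES = """\
1000.0 udp 198.51.100.7 -> 7000
1000.4 tcp 198.51.100.7 -> 7007
1000.9 udp 198.51.100.7 -> 7777
1001.0 tcp 198.51.100.7 -> 22
1002.0 udp 203.0.113.9 -> 7000
1009.0 tcp 203.0.113.9 -> 7007
1009.5 udp 203.0.113.9 -> 7777
1012.0 tcp 192.0.2.44 -> 7007
""".splitlines()


def parse_line(line: str) -> Tuple[float, str, int, str]:
    ts, proto, ip, _arrow, port = line.split()
    return float(ts), ip, int(port), proto


def replay(lines) -> KnockTracker:
    """Run every logged attempt through the tracker and return it."""
    tracker = KnockTracker(SEQUENCE, SEQ_TIMEOUT, CMD_TIMEOUT)
    for line in lines:
        ts, ip, port, proto = parse_line(line)
        tracker.knock(ts, ip, port, proto)
    return tracker


if __name__ == "__main__":
    for cmd in replay(LOG_LINES).actions:
        print(cmd)
```

Replaying the constructed log yields exactly one add and, 10 seconds later, one delete for 198.51.100.7; the slow knocker and the single-port probe never reach the table. The same tracker driven with the [close22] order (the sequence reversed) never fires, which is why the open and close sequences in the config above can share the same ports.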


Save the config, add the service to autostart, and start it.
# cd /usr/local/etc/rc.d/
# echo knockd_enable=\"YES\" >> /etc/rc.conf
# service knockd start


Firewall setup


To begin, enable firewall support if it is disabled (as it was in my case); the rc.conf knob for pf is pf_enable:
# echo pf_enable=\"YES\" >> /etc/rc.conf

I do not recommend doing this procedure remotely, since all connections and ssh access are blocked.
Note: if you did not heed this and did it remotely anyway, the problem can be solved by enabling root login in sshd_config.

/etc/pf.conf
ext_if="rl0"
table <good_hosts> persist
block in on $ext_if all
pass in on $ext_if inet proto tcp from <good_hosts> \
    to $ext_if port 22 keep state

Note that ext_if is rl0 here while knockd above listens on em0; both must name the same external interface on your host. It is fine that pf drops the knock packets themselves: knockd captures them with libpcap on the interface, so it sees them regardless of the filter's verdict.


For the ipfw firewall, the equivalent rules (with the %IP% placeholder that knockd substitutes) are:
/sbin/ipfw add 100 allow tcp from %IP% to me 22 keep-state
/sbin/ipfw delete 100


Reboot.

Knocking


To connect, I used a third-party client for MacOS, hping.
# knock -v *e*m*o*c*.ru 7000:udp,7007:tcp,7777:udp
hitting udp *1.*0*.*3*.*0:7000
hitting tcp *1.*0*.*3*.*0:7007
hitting udp *1.*0*.*3*.*0:7777
# ssh *e*m*o*c*.ru -l root
Password:
Last login: Thu May  9 11:30:40 2013 from *****
FreeBSD 9.1-RELEASE-p3 (GENERIC) #0: Mon Apr 29 18:11:52 UTC 2013     root@*e*m*o*c*:/root
#

Source: https://habr.com/ru/post/179219/
