Salam papalam all!
So I started puzzling over how to make my server more secure. Plain iptables rules that allow only certain IP addresses did not solve the problem, since I connect to the server not only from my work PC, but also from a pub, from another city, or from a bus (while stuck in a traffic jam).
I decided to use port knocking.
Whoever has never used it, welcome under the cut.
For those not familiar with it, briefly: it is a daemon that "listens" on the network interface, and if it "hears" connection attempts to ports 7000, 8000, 9000 in that order, it adds an allow rule for your IP to a port you defined in advance. It simply runs an iptables command to allow or deny access.
So, I wanted to close SSH off from everyone.
First install the daemon itself (for tests I used my working PC on Ubuntu):
sudo apt-get install knockd
For CentOS, you can install it like this:
sudo rpm -Uhv http://pkgs.repoforge.org/knock/knock-0.5-3.el6.rf.x86_64.rpm
Next, we need to edit the daemon's configuration (/etc/knockd.conf):
[options]
UseSyslog

[openSSH]
sequence = 7000:tcp,8000:tcp,9000:udp
seq_timeout = 5
command = /sbin/iptables -I INPUT 1 -s %IP% -d _IP____ -p tcp --dport 22 -j ACCEPT
tcpflags = syn

[closeSSH]
sequence = 9000:udp,8000:tcp,7000:tcp
seq_timeout = 5
command = /sbin/iptables -D INPUT -s %IP% -d _IP____ -p tcp --dport 22 -j ACCEPT
tcpflags = syn
Then restart the daemon:
sudo /etc/init.d/knockd restart
Next, add a rule that rejects everyone on port 22:
sudo iptables -A INPUT -s 0/0 -d _IP____ -p tcp --dport 22 -j REJECT
In the [openSSH] section, note the -I INPUT 1. If we wrote -A INPUT instead, the allow rule would be appended to the end of the chain, and since iptables applies the first rule that matches, the REJECT rule already sitting at the end would win. So we insert the allow rule at position 1, above the rejecting rule that is appended at the end.
The sequence defines which ports we knock on to open access for ourselves. Be sure to pick your own.
You can also specify the protocol per port, for example: 7000:udp,8000:udp,9000:tcp
tcpflags - here we specify which flags the knock packets must carry (syn in the configuration above).
In the [closeSSH] section, specify the reverse sequence to close port 22 again, together with a command that removes your IP from the allowed list.
Now the question arises: how to send this magic sequence to the ports?
From the developer's site you can download the client program for popular platforms; there are also other usage examples there.
On Windows I used it like this: downloaded, unpacked, opened the command prompt and ran:
cd ____
knock 192.168.0.1 7000:tcp 8000:tcp 9000:udp
That's it, the port is open. Now we can log in via SSH!
If you want to use it for another protocol, write [openFTP] and [closeFTP] sections with the same rules in the same way, just change the ports to the required one, and that's it.
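The two points above (the ACCEPT rule must go in with -I INPUT 1, and every [openXXX] section needs a [closeXXX] with the reverse sequence) are easy to get wrong when copying the config for another service. Here is an added example, not part of the original post or of knockd itself, that parses a knockd.conf and reports those pitfalls; the SAMPLE_CONF is a constructed copy of the config above, and the finding texts are my own wording.

```python
import configparser
import re

# Constructed copy of the /etc/knockd.conf shown in the post (the -d address
# placeholder is dropped so the text parses as-is).
SAMPLE_CONF = """[options]
UseSyslog
[openSSH]
sequence    = 7000:tcp,8000:tcp,9000:udp
seq_timeout = 5
command     = /sbin/iptables -I INPUT 1 -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags    = syn
[closeSSH]
sequence    = 9000:udp,8000:tcp,7000:tcp
seq_timeout = 5
command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags    = syn
"""
ARTICLE_SEQ = [(7000, "tcp"), (8000, "tcp"), (9000, "udp")]  # the post's example knocks

def parse_sequence(value):
    """'7000:tcp,8000:udp' -> [(7000, 'tcp'), (8000, 'udp')]; a bare port means tcp."""
    seq = []
    for item in value.split(","):
        port, _, proto = item.strip().partition(":")
        seq.append((int(port), (proto or "tcp").lower()))
    return seq

def check_knockd(text):
    """Return findings for the pitfalls the post warns about; [] means none found."""
    # interpolation=None: knockd's %IP% token would otherwise trip configparser.
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cp.read_string(text)
    findings = []
    for open_sec in [s for s in cp.sections() if s.startswith("open")]:
        close_sec = "close" + open_sec[4:]
        o_seq = parse_sequence(cp[open_sec]["sequence"])
        if o_seq == ARTICLE_SEQ:
            findings.append(f"{open_sec}: still the sequence from the post, choose your own")
        if not re.search(r"-I INPUT 1\b", cp[open_sec]["command"]):
            findings.append(f"{open_sec}: insert ACCEPT with -I INPUT 1, or the REJECT "
                            "appended at the end of the chain is matched first")
        if close_sec not in cp:
            findings.append(f"{open_sec}: no [{close_sec}] section, the allow rule is never removed")
            continue
        if parse_sequence(cp[close_sec]["sequence"]) != o_seq[::-1]:
            findings.append(f"{close_sec}: sequence is not the reverse of {open_sec}'s")
        if not re.search(r"\s-D INPUT\b", cp[close_sec]["command"]):
            findings.append(f"{close_sec}: command should delete (-D INPUT) the rule {open_sec} adds")
    return findings
```

Run it against your real file with check_knockd(open("/etc/knockd.conf").read()); the only finding on the sample above is the reminder to choose your own knock sequence.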
The downside is that you need to run an extra program before connecting. But it seems to me that for the sake of security this is an inconvenience worth putting up with.
Security to all!