Changing port numbers is not a proper security policy. Moving services to non-standard ports is a common mistake: an attacker finds what you are hiding with a simple port scan, and it takes about 2 minutes, nothing more. Nmap takes care of that process and it's over.
Install Port-Knocking Client/Server
knock is a flexible port-knocking server and client. You can easily install it from the ports tree or with pkg:
# cd /usr/ports/security/knock
# make install clean rehash
Tip: issue the above commands on both the client and the server.
knock consists of two apps:
- knockd: port-knocking server
- knock: port-knocking client
Configure Port-Knocking Server
To configure the knockd service you have to edit knockd.conf. First create the conf file from the sample, then add the configuration:
# cp /usr/local/etc/knockd.conf.sample /usr/local/etc/knockd.conf
# ee /usr/local/etc/knockd.conf
Contents of knockd.conf:
[options]
logfile = /var/log/knockd.log
interface = re0
[openSSH]
sequence = 7000,8000,9000
seq_timeout = 5
command = /sbin/ipfw -q add 00100 pass proto tcp src-ip %IP% dst-port 22
tcpflags = syn
[closeSSH]
sequence = 9000,8000,7000
seq_timeout = 5
command = /sbin/ipfw -q delete 00100 pass proto tcp src-ip %IP% dst-port 22
tcpflags = syn
As you can see there are 3 sections and several directives. The [options] section holds the interface name and the log file. The other 2 sections each execute a command when a custom sequence of ports is hit within 5 seconds by packets carrying the SYN flag.
The first command adds rule number 00100 to ipfw, allowing connections to the SSH port from the IP address of whoever knocked successfully (knockd substitutes that address for %IP%).
The second command deletes that rule. Note that both commands use the same rule number, so one client's close sequence removes every rule added under 00100, i.e. SSH access for everyone who knocked. You can execute any command here, not just ipfw.
One of the most important directives is One_Time_Sequences. You can add this directive by:
One_Time_Sequences = /path/to/one_time_sequences_file
This is the file containing the one-time sequences to be used. Instead of using a fixed sequence, knockd reads the sequence to be used from that file. After each successful knock attempt, that sequence is disabled by writing a '#' character at the first position of the line containing it, and the next valid sequence from the file takes its place.
Also TCPFlags directive can be these values:
TCPFlags = fin|syn|rst|psh|ack|urg
When using TCP flags, knockd will IGNORE TCP packets that don't match the flags. This is different from the normal behavior, where an incorrect packet would invalidate the entire knock, forcing the client to start over. Using "TCPFlags = syn" is useful if you are testing over an SSH connection, as the SSH traffic will usually interfere with (and thus invalidate) the knock. Separate multiple flags with commas (e.g. TCPFlags = syn,ack,urg). Flags can be explicitly excluded with a "!" (e.g. TCPFlags = syn,!ack).
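To make the three rules just described concrete (a fixed sequence that must complete within seq_timeout, TCPFlags turning non-matching packets into ignored ones instead of knock-invalidating ones, and One_Time_Sequences retiring a used line with a leading '#'), here is an added Python model of knockd's matching behaviour. It is not knockd's source and is not from this article; the packet trace and the one-time sequence file are constructed for the demonstration, and two details are assumptions: that the one-time file holds one comma-separated sequence per line, and that the timeout is measured from the first port of an attempt.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


# Constructed summary of one TCP segment as knockd would see it on the interface.
@dataclass
class Packet:
    t: float         # seconds since start of the trace
    src: str         # source IP (what %IP% expands to)
    dport: int       # destination port
    flags: Set[str]  # lower-case TCP flag names, e.g. {"syn"}


def parse_tcpflags(spec: Optional[str]) -> Optional[Dict[str, bool]]:
    """Parse a TCPFlags value such as 'syn,!ack' into {flag: must_be_set}.
    None means no filter: every packet takes part in matching."""
    if spec is None:
        return None
    wanted: Dict[str, bool] = {}
    for item in spec.split(","):
        item = item.strip().lower()
        if item.startswith("!"):
            wanted[item[1:]] = False   # flag must be absent
        else:
            wanted[item] = True        # flag must be present
    return wanted


class Door:
    """One [section] of knockd.conf: sequence, seq_timeout, optional tcpflags."""

    def __init__(self, name: str, sequence: List[int], seq_timeout: float,
                 tcpflags: Optional[Dict[str, bool]] = None):
        self.name = name
        self.sequence = sequence
        self.seq_timeout = seq_timeout
        self.tcpflags = tcpflags
        # per-source progress: src -> (index of next expected port, time of first hit)
        self._attempts: Dict[str, Tuple[int, float]] = {}

    def _flags_match(self, flags: Set[str]) -> bool:
        if self.tcpflags is None:
            return True
        return all((f in flags) == must for f, must in self.tcpflags.items())

    def feed(self, pkt: Packet) -> bool:
        """Consume one packet; return True when it completes the sequence for pkt.src."""
        # With tcpflags set, non-matching packets are ignored outright instead of
        # invalidating the attempt (why 'tcpflags = syn' survives SSH traffic).
        if not self._flags_match(pkt.flags):
            return False
        idx, started = self._attempts.get(pkt.src, (0, pkt.t))
        # Assumption: seq_timeout counts from the first port of the attempt.
        if idx > 0 and pkt.t - started > self.seq_timeout:
            idx, started = 0, pkt.t
        if pkt.dport == self.sequence[idx]:
            idx += 1
            if idx == len(self.sequence):
                self._attempts.pop(pkt.src, None)
                return True
            self._attempts[pkt.src] = (idx, started)
        else:
            # A flag-matching packet to the wrong port invalidates the attempt;
            # the client has to start the sequence over.
            self._attempts.pop(pkt.src, None)
        return False


def run_trace(door: Door, packets: List[Packet]) -> List[Tuple[str, float]]:
    """Feed packets in time order; return (src, t) for every completed knock."""
    return [(p.src, p.t) for p in packets if door.feed(p)]


def next_one_time_sequence(lines: List[str]) -> Tuple[Optional[List[int]], List[str]]:
    """Model of One_Time_Sequences: take the first unused line and mark it with '#'.
    Assumed format: one sequence per line, ports separated by commas."""
    out = list(lines)
    for i, line in enumerate(out):
        if not line.strip() or line.startswith("#"):
            continue
        out[i] = "#" + line
        return [int(p) for p in line.split(",")], out
    return None, out


# Constructed trace: 10.0.0.5 knocks correctly while an SSH ACK interleaves;
# 10.0.0.9 is too slow on its first attempt and then succeeds.
TRACE = [
    Packet(0.0, "10.0.0.5", 7000, {"syn"}),
    Packet(1.0, "10.0.0.5", 22, {"ack"}),     # SSH traffic during the knock
    Packet(2.0, "10.0.0.5", 8000, {"syn"}),
    Packet(3.0, "10.0.0.5", 9000, {"syn"}),
    Packet(10.0, "10.0.0.9", 7000, {"syn"}),
    Packet(12.0, "10.0.0.9", 8000, {"syn"}),
    Packet(16.0, "10.0.0.9", 9000, {"syn"}),  # 6 s after the first hit: too late
    Packet(20.0, "10.0.0.9", 7000, {"syn"}),
    Packet(21.0, "10.0.0.9", 8000, {"syn"}),
    Packet(22.0, "10.0.0.9", 9000, {"syn"}),
]

if __name__ == "__main__":
    syn_only = Door("openSSH", [7000, 8000, 9000], 5, parse_tcpflags("syn"))
    print("tcpflags = syn:", run_trace(syn_only, TRACE))
    unfiltered = Door("openSSH", [7000, 8000, 9000], 5)
    print("no tcpflags   :", run_trace(unfiltered, TRACE))
```

Running it shows the point of the paragraph above: with tcpflags = syn the interleaved ACK to port 22 is skipped and 10.0.0.5 opens the door at t=3.0, while without a flag filter that same ACK invalidates the attempt and only 10.0.0.9's second, fast enough, attempt succeeds.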
On your server, issue this to run the port-knocking server:
# knockd
Port-Knocking
On your client, issue this:
# knock "server IP" 7000 8000 9000
Replace "server IP" with your server's IP address.
There are other ways to do port-knocking:
- Nmap
Nmap is a network exploration tool and security/port scanner, but you can also use it to knock by probing each port of the sequence in turn:
# for x in 7000 8000 9000; do nmap -Pn --host-timeout 201 --max-retries 0 -p $x "server IP"; done
- Netcat
The nc (or netcat) utility is used for just about anything under the sun involving TCP, UDP, or UNIX domain sockets. It can open TCP connections, send UDP packets, listen on arbitrary TCP and UDP ports, do port scanning, and deal with both IPv4 and IPv6.
It can do the same knock with:
# nc -z "server IP" 7000 8000 9000
You can get the full edition at:
https://bsdmag.org/download/freebsd-port-knocking/
Or:
https://contents.meetbsd.ir/ebook/port_knocking_bsdmag.pdf