The installation of the port knocking daemon is quite simple:
sudo apt-get install knockd
To start the knockd daemon automatically at boot, set START_KNOCKD=1 in /etc/default/knockd (the package ships the file with START_KNOCKD=0).
Configuration:
Edit the config file /etc/knockd.conf:

[options]
    logfile = /var/log/knockd.log

[openSSH]
    sequence    = 7000,8000,9000
    seq_timeout = 5
    command     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 --syn -j ACCEPT
    tcpflags    = syn

[closeSSH]
    sequence    = 9000,8000,7000
    seq_timeout = 5
    command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 --syn -j ACCEPT
    tcpflags    = syn

All three knocks must arrive within seq_timeout seconds, and only bare SYN packets count (tcpflags = syn). The setup assumes that the INPUT chain otherwise drops SYNs to port 22 and already accepts ESTABLISHED,RELATED traffic: the rule knockd inserts admits only the initial SYN from %IP%, so the rest of the connection needs a state rule. The close sequence deletes exactly the rule the open sequence added (same match, -D instead of -I); a client that never sends it leaves port 22 open to its address, which knockd can also handle on its own with cmd_timeout plus start_command/stop_command. The knock sequence itself travels in the clear and can be replayed by anyone who observes it, which is why Single Packet Authorization is listed as an alternative below.
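To make the semantics of sequence, seq_timeout and tcpflags concrete, here is a small model of how knockd matches the [openSSH] and [closeSSH] rules above against SYNs it sees. This is an added illustration, not knockd's own code: it replays a constructed list of packets through the two rules and returns the commands that would fire. The sample addresses are documentation ranges, and the handling of a wrong port in the middle of a sequence (modelled as "drop the attempt and start over") is an assumption about knockd's behaviour, not something the page states.

```python
"""Model of how knockd matches the [openSSH]/[closeSSH] sequences.

Added example, not knockd's code. One attempt is kept per (source IP, rule);
it expires once seq_timeout seconds have passed since its first knock, is
dropped on a wrong port (assumed behaviour), and packets whose flags are not
a bare SYN are ignored (tcpflags = syn).
"""
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    sequence: list          # ports, in order
    seq_timeout: float      # seconds allowed for the whole sequence
    command: str            # %IP% is replaced with the knocking address


@dataclass
class Attempt:
    stage: int              # knocks matched so far
    started: float          # timestamp of the first matched knock


class Knocker:
    def __init__(self, rules):
        self.rules = rules
        self.attempts = {}  # (src_ip, rule.name) -> Attempt

    def handle(self, ts, src_ip, dport, flags="S"):
        """Feed one packet; return the commands it completed (usually none)."""
        fired = []
        if flags != "S":
            return fired           # tcpflags = syn: only pure SYNs count
        for rule in self.rules:
            key = (src_ip, rule.name)
            att = self.attempts.pop(key, None)
            if att and ts - att.started > rule.seq_timeout:
                att = None         # too slow: the partial sequence expires
            expected = rule.sequence[att.stage if att else 0]
            if dport != expected:
                continue           # wrong port: partial attempt stays dropped
            if att is None:
                att = Attempt(stage=0, started=ts)
            att.stage += 1
            if att.stage == len(rule.sequence):
                fired.append(rule.command.replace("%IP%", src_ip))
            else:
                self.attempts[key] = att
        return fired


RULES = [
    Rule("openSSH", [7000, 8000, 9000], 5,
         "/sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 --syn -j ACCEPT"),
    Rule("closeSSH", [9000, 8000, 7000], 5,
         "/sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 --syn -j ACCEPT"),
]

# Constructed sample traffic: (seconds, source IP, destination port, TCP flags).
SAMPLE = [
    (0.0, "203.0.113.7", 7000, "S"),
    (0.4, "203.0.113.7", 8000, "S"),
    (0.8, "203.0.113.7", 9000, "S"),    # complete within 5 s: opens for .7
    (10.0, "198.51.100.9", 7000, "S"),
    (16.2, "198.51.100.9", 8000, "S"),  # 6.2 s after the first knock: expired
    (16.5, "198.51.100.9", 9000, "S"),
    (30.0, "203.0.113.7", 9000, "S"),
    (30.3, "203.0.113.7", 8000, "S"),
    (30.6, "203.0.113.7", 7000, "S"),   # reverse sequence: closes for .7
    (40.0, "192.0.2.5", 7000, "S"),
    (40.1, "192.0.2.5", 22, "S"),       # stray SYN to 22 breaks the sequence
    (40.2, "192.0.2.5", 8000, "S"),
    (40.3, "192.0.2.5", 9000, "S"),
    (50.0, "192.0.2.5", 7000, "A"),     # an ACK is not a knock
    (50.1, "192.0.2.5", 8000, "S"),
    (50.2, "192.0.2.5", 9000, "S"),
]


def replay(events, rules=RULES):
    """Run the events through a fresh Knocker and return all fired commands."""
    knocker = Knocker(rules)
    fired = []
    for ts, src_ip, dport, flags in events:
        fired.extend(knocker.handle(ts, src_ip, dport, flags))
    return fired


if __name__ == "__main__":
    for cmd in replay(SAMPLE):
        print(cmd)
```

Only 203.0.113.7 gets anything: one open command and, thirty seconds later, the matching close. The host that paused too long, the one that hit port 22 mid-sequence and the one whose first packet was an ACK never complete a sequence, which is the behaviour the seq_timeout and tcpflags settings are there to enforce.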
To open the port, run on the client side:
knock -v 10.0.0.42 7000 8000 9000
To close it again, send the [closeSSH] sequence (9000 8000 7000) the same way.
Making sure knockd is running (run this from root's crontab, e.g. every 10 minutes):
#!/bin/sh
# Restart knockd if no process by that name is running.
if ! /bin/pidof knockd >/dev/null; then
    echo "Starting knockd again."
    service knockd restart
fi
Port knocking client on Windows
Get the native Win32 client from http://www.zeroflux.org/projects/knock, unzip it and run the same command:
knock -v 10.0.0.42 7000 8000 9000
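For both the Linux client step and the Windows case, a knock needs nothing more than a TCP connection attempt, since the SYN it emits is what knockd matches. The following is an added example, not the knock client from zeroflux.org: a plain Python knocker that runs anywhere Python does, including on Windows without the Win32 binary. The host 10.0.0.42 and the 7000/8000/9000 sequence are the ones used on this page; the per-probe timeout and the pause between knocks are assumed values.

```python
"""Port-knock client in plain Python (added example, not knock(1)).

Each knock is a TCP connection attempt with a short timeout. The knocked
ports are closed, so the attempt is expected to fail; what matters is that
the SYN went out and knockd saw it (tcpflags = syn).
"""
import socket
import sys
import time


def tcp_syn_probe(host, port, timeout):
    """Send one SYN to host:port and give up after `timeout` seconds.

    A refusal (RST) or a timeout (the firewall DROPs the port) is the normal
    outcome; either way the SYN has left and knockd has seen it.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            pass  # the port was actually open; the SYN was still delivered
    except OSError:
        pass


def knock(host, ports, pause=0.2, probe_timeout=0.3, seq_timeout=5.0,
          probe=tcp_syn_probe):
    """Knock the ports in order; return (ports knocked, seconds taken).

    knockd discards the attempt if the whole sequence takes longer than its
    seq_timeout, so the worst case (every probe waits the full timeout
    because the firewall drops instead of rejecting) is checked up front.
    `probe` is injectable so the sequencing can be exercised offline.
    """
    worst_case = len(ports) * (probe_timeout + pause)
    if worst_case > seq_timeout:
        raise ValueError(f"{len(ports)} knocks may take {worst_case:.1f}s, "
                         f"more than seq_timeout={seq_timeout}s")
    start = time.monotonic()
    sent = []
    for i, port in enumerate(ports):
        if i:
            time.sleep(pause)      # short gap between knocks (assumed value)
        probe(host, port, probe_timeout)
        sent.append(port)
    return sent, time.monotonic() - start


OPEN_SSH = [7000, 8000, 9000]
CLOSE_SSH = OPEN_SSH[::-1]       # the [closeSSH] sequence is the reverse


if __name__ == "__main__":
    # usage: python knock.py [host] [open|close]
    host = sys.argv[1] if len(sys.argv) > 1 else "10.0.0.42"
    seq = CLOSE_SSH if len(sys.argv) > 2 and sys.argv[2] == "close" else OPEN_SSH
    ports, took = knock(host, seq)
    print(f"knocked {ports} on {host} in {took:.2f}s")
```

The up-front check matters more than it looks: with a DROP policy every probe waits its full timeout, so a generous timeout and a long pause can silently push the sequence past seq_timeout and the knock will never open anything.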
Resources
- https://help.ubuntu.com/community/PortKnocking
- http://www.linux-magazin.de/heft_abo/ausgaben/2008/08/klopffest (German)
- Alternative Single Packet Authorization
- Other related stuff: