
I'm trying to add port-knocking to my home network setup so that I can hide a couple of services from the world (ssh being the most important one). I came across knockd which seems like a perfect solution, except that it is flat-out not working for me.

My plan is to run an instance of knockd on a server machine that is inside my home network firewall. I'll port-forward from the router/firewall all the ports necessary for the port-knocking sequence. E.g. I'll forward ports 100, 200, 300, 400 plus port 22 to the server (obviously, those won't be the actual ports I'll use since I've advertised them here). Then I'll block port 22 on the interior server and set up knockd rules to open it for a small window of time when the correct port-knock sequence is sent (in this example, 100 - 200 - 300 - 400). For my initial setup and testing, I'm just trying to get the port knocking to work from within the firewalled network setup. I have knockd running on the server, and I'm knocking from another machine within the network - port forwarding should not be complicating my test setup.

This just isn't working. I send down the knock sequence and I can't find any evidence that knockd has detected it. Nothing in knockd's log (even after turning on debugging info), nothing to stdout. I've tried to make things simple by just having knockd write out a file into /tmp when it gets the right sequence -- i.e. I'm not even doing anything complicated on the server with iptables yet -- and I'm getting no success.

I've tried implementing the knock in a couple of ways as suggested by cookbook sites. 4 telnet commands to send the sequence, knock via "nc -z HOST PORT PORT PORT", and even the knock command line client itself.

The server I'm using happens to also be running vmware server 2.0.2. Since knockd listens at level 2 in the network stack (from what I understand) I was wondering if there might be a conflict between what vmware is doing to support bridged networking and what knockd is doing.

I tried a similar setup inside a VM running on the above-mentioned server and still nothing works. So that had me wondering again if vmware is munging things at a low networking level to support the guest.

So I'm wondering if anyone knows more detail here. Can a technology like knockd be used in a vmware environment? Do I have to set up a separate, real server just to support this kind of stealth for ssh in my home network?

Rick Reynolds

2 Answers


I used to use knockd - and can't see any reason it wouldn't run alongside vmware server, or on a virtual machine - other than perhaps a conflict within your iptables setup. You should not need to set up a separate box for this.

However, if you have a separate box to use, it might be worthwhile setting up a dedicated server temporarily JUST TO GET THE SETUP WORKING - with a minimum of variables. Then transfer your tested config file(s) to the real box.

Brent
Comments:

  • Yes, I'll probably end up trying that at some point if I can't get knockd to respond in my current setup. – Rick Reynolds Nov 09 '09 at 21:51
  • I found my issue. I had copied a recipe for doing this that had the following setting: `tcpflags = syn,ack`. Removing the "ack" got it working. – Rick Reynolds Nov 10 '09 at 03:22
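The comment above explains why nothing was ever logged: knockd only considers packets that carry every flag listed in `tcpflags`, and the packets a knock client (telnet, `nc -z`, or the knock tool) actually sends are the initial SYNs of a TCP connect, which never have ACK set. The following simulation is an added example written for this page; it is not knockd's source code and not the asker's configuration. It models knockd's per-source sequence tracking in a simplified form (flag filter as a subset check, a mismatched port resets the sequence, a `seq_timeout` of 5 seconds) and feeds it constructed packets for the question's example sequence 100, 200, 300, 400 from a made-up client address 192.0.2.10.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str          # source IP of the packet
    dport: int        # destination TCP port
    flags: frozenset  # TCP flags set on the packet, e.g. frozenset({"syn"})
    ts: float         # capture timestamp in seconds


class KnockDetector:
    """Simplified model of knockd's matching: one state per source address."""

    def __init__(self, sequence, tcpflags, seq_timeout=5.0):
        self.sequence = list(sequence)
        self.required = frozenset(f.lower() for f in tcpflags)
        self.seq_timeout = seq_timeout
        self.stage = {}     # src -> index of the next expected port
        self.started = {}   # src -> timestamp of the first accepted knock
        self.opened = []    # (src, ts) for every completed sequence

    def observe(self, pkt):
        """Return True when this packet completes the knock sequence."""
        # Like knockd's tcpflags setting: a packet missing any required flag
        # is ignored entirely. A client SYN has no ACK bit, so "syn,ack"
        # silently drops every knock before sequence matching even starts.
        if not self.required <= pkt.flags:
            return False
        stage = self.stage.get(pkt.src, 0)
        # A partially completed sequence expires after seq_timeout seconds.
        if stage and pkt.ts - self.started[pkt.src] > self.seq_timeout:
            stage = 0
        # Wrong port for the current stage: start over for this source.
        if pkt.dport != self.sequence[stage]:
            self.stage[pkt.src] = 0
            return False
        if stage == 0:
            self.started[pkt.src] = pkt.ts
        stage += 1
        if stage < len(self.sequence):
            self.stage[pkt.src] = stage
            return False
        # Sequence complete: this is where knockd would run its command.
        self.stage.pop(pkt.src, None)
        self.started.pop(pkt.src, None)
        self.opened.append((pkt.src, pkt.ts))
        return True


SEQUENCE = [100, 200, 300, 400]  # the question's example knock sequence


def client_knock(src="192.0.2.10", spacing=0.1, start=1.0):
    """Constructed packets for what `nc -z HOST 100 200 300 400` puts on the
    wire: one bare SYN per port, and never an ACK bit (constructed data)."""
    return [Packet(src, port, frozenset({"syn"}), start + i * spacing)
            for i, port in enumerate(SEQUENCE)]


def run(tcpflags, spacing=0.1, seq_timeout=5.0):
    """Feed one client knock through a detector; one bool per packet."""
    det = KnockDetector(SEQUENCE, tcpflags, seq_timeout)
    return [det.observe(p) for p in client_knock(spacing=spacing)]


if __name__ == "__main__":
    print("tcpflags = syn,ack:", run(["syn", "ack"]))          # never opens
    print("tcpflags = syn    :", run(["syn"]))                 # opens on 4th knock
    print("knocks 3 s apart  :", run(["syn"], spacing=3.0))    # seq_timeout expires
```

With `syn,ack` the detector never advances, which matches the symptom in the question (no log line, no command run, no file in /tmp). With plain `syn` the fourth knock opens; and spacing the knocks 3 seconds apart shows the second failure mode to check when a knock is silently ignored, the sequence timing out before the last port arrives.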

Although I have nothing against this "port-knocking" technique, I would recommend:

  • running sshd on a non standard port
  • do not permit root logins through sshd
  • do not open ports in your firewall for the services that you do not want to expose to the world, but use SSH's port forwarding functionality to securely and privately connect to those services.

This is a lot more convenient than port-knocking and, IMHO, slightly more secure.

Born To Ride