特殊:Badtitle/NS100:PortKnocking:修订间差异
小无编辑摘要 |
小无编辑摘要 |
||
(未显示同一用户的2个中间版本) | |||
第8行: | 第8行: | ||
== Server Setup == | == Server Setup == | ||
The setup of the server is straightforward. First, ensure that your server has a running firewall. Then, install the <code><nowiki>knockd</nowiki></code> package (see [[UbuntuHelp:InstallingSoftware|InstallingSoftware]]). | The setup of the server is straightforward. First, ensure that your server has a running firewall. Then, install the <code><nowiki>knockd</nowiki></code> package (see [[UbuntuHelp:InstallingSoftware|InstallingSoftware]]). | ||
After the package is installed, edit its configuration file. | After the package is installed, edit its configuration file. Three approaches are presented below: the first is intended for connections with no keep-alive (such as HTTP), while the other two are intended for permanent connections (such as SSH and IRC). | ||
== Example 1 == | == Example 1 == | ||
<pre><nowiki> | <pre><nowiki> | ||
第43行: | 第43行: | ||
stop_command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT | stop_command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT | ||
</nowiki></pre> | </nowiki></pre> | ||
It's recommended to open the port for a short time (ten seconds, in | == Example 3 == | ||
This example uses UFW commands instead of iptables: | |||
<pre><nowiki> | |||
[options] | |||
logfile = /var/log/knockd.log | |||
[SSH] | |||
sequence = 7000,8000,9000 | |||
seq_timeout = 5 | |||
start_command = ufw allow from %IP% to any port 22 | |||
tcpflags = syn | |||
cmd_timeout = 10 | |||
stop_command = ufw delete allow from %IP% to any port 22 | |||
</nowiki></pre> | |||
It's recommended to open the port for a short time (ten seconds, in the examples above). For this to be functional, you must have a state-full firewall running on your server (if using iptables, there must be a rule to accept connections with <code><nowiki>-m conntrack --ctstate RELATED,ESTABLISHED</nowiki></code>). | |||
Let's explain this configuration file. If a user "knocks" on ports 7000, 8000 and 9000 (in order), the command will be played (opening port 22). Ten seconds later, the <code><nowiki>stop_command</nowiki></code> will be executed, closing the port to new connections. | Let's explain this configuration file. If a user "knocks" on ports 7000, 8000 and 9000 (in order), the command will be played (opening port 22). Ten seconds later, the <code><nowiki>stop_command</nowiki></code> will be executed, closing the port to new connections. | ||
Do not forget to change the sequence (this is the example provided by the default installation) and, of course provide the sequence to your users. | Do not forget to change the sequence (this is the example provided by the default installation) and, of course provide the sequence to your users. | ||
You must also change the default configuration file <code><nowiki>/etc/default/knockd</nowiki></code> for the knockd daemon to start. Uncomment the START_KNOCKD=1 line to enable the daemon. | You must also change the default configuration file <code><nowiki>/etc/default/knockd</nowiki></code> for the knockd daemon to start. Uncomment the START_KNOCKD=1 line to enable the daemon. | ||
If you have multiple network adapters or experience issues with knockd not starting automatically during system startup, you can manually specify the network interface to listen on by uncommenting and amending the second line KNOCKD_OPTS as well: | |||
<pre><nowiki> | |||
# | |||
# knockd's default file, for generic sys config | |||
# | |||
# control if we start knockd at init or not | |||
# 1 = start | |||
# anything else = don't start | |||
START_KNOCKD=1 | |||
# command line options | |||
KNOCKD_OPTS="-i eth0" | |||
</nowiki></pre> | |||
That's it! | That's it! | ||
== Client Side == | == Client Side == | ||
第55行: | 第83行: | ||
knock ''hostname'' ''port1'' ''port2'' ''port3'' | knock ''hostname'' ''port1'' ''port2'' ''port3'' | ||
</nowiki></pre> | </nowiki></pre> | ||
Adding the -v option specifies that the request is verbose giving some feedback to the command, so if your target server IP was 192.168.1.250, the command and feedback would be: | |||
<pre><nowiki> | |||
knock -v 192.168.1.250 7000,8000,9000 | |||
hitting tcp 192.168.1.250:7000 | |||
hitting tcp 192.168.1.250:8000 | |||
hitting tcp 192.168.1.250:9000 | |||
</nowiki></pre> | |||
If everything is working correctly, this should prompt the target server to open the hole in the firewall to allow access so you can then connect to your application. | |||
== Notice == | == Notice == | ||
Simple portknocking daemons (such as knockd) are vulnerable because a sniffer may recover the port sequence that was used. | Simple portknocking daemons (such as knockd) are vulnerable because a sniffer may recover the port sequence that was used. | ||
第67行: | 第103行: | ||
* [[UbuntuHelp:SinglePacketAuthorization|SinglePacketAuthorization]] | * [[UbuntuHelp:SinglePacketAuthorization|SinglePacketAuthorization]] | ||
---- | ---- | ||
[[category:CategorySecurity | [[category:CategorySecurity]] | ||
[[category:UbuntuHelp]] | [[category:UbuntuHelp]] |
2009年11月17日 (二) 20:22的最新版本
文章出处: |
{{#if: | {{{2}}} | https://help.ubuntu.com/community/PortKnocking }} |
点击翻译: |
English {{#ifexist: {{#if: UbuntuHelp:PortKnocking | UbuntuHelp:PortKnocking | {{#if: | :}}PortKnocking}}/af | • {{#if: UbuntuHelp:PortKnocking|Afrikaans| [[::PortKnocking/af|Afrikaans]]}}|}} {{#ifexist: {{#if: UbuntuHelp:PortKnocking | UbuntuHelp:PortKnocking | {{#if: | :}}PortKnocking}}/ar | • {{#if: UbuntuHelp:PortKnocking|العربية| [[::PortKnocking/ar|العربية]]}}|}} {{#ifexist: {{#if: UbuntuHelp:PortKnocking | UbuntuHelp:PortKnocking | {{#if: | :}}PortKnocking}}/az | • {{#if: UbuntuHelp:PortKnocking|azərbaycanca| [[::PortKnocking/az|azərbaycanca]]}}|}} {{#ifexist: {{#if: UbuntuHelp:PortKnocking | UbuntuHelp:PortKnocking | {{#if: | :}}PortKnocking}}/bcc | • {{#if: UbuntuHelp:PortKnocking|جهلسری بلوچی| [[::PortKnocking/bcc|جهلسری بلوچی]]}}|}} {{#ifexist: {{#if: UbuntuHelp:PortKnocking | UbuntuHelp:PortKnocking | {{#if: | :}}PortKnocking}}/bg | • {{#if: UbuntuHelp:PortKnocking|български| [[::PortKnocking/bg|български]]}}|}} {{#ifexist: {{#if: UbuntuHelp:PortKnocking | UbuntuHelp:PortKnocking | {{#if: | :}}PortKnocking}}/br | • {{#if: UbuntuHelp:PortKnocking|brezhoneg| [[::PortKnocking/br|brezhoneg]]}}|}} {{#ifexist: {{#if: UbuntuHelp:PortKnocking | UbuntuHelp:PortKnocking | {{#if: | :}}PortKnocking}}/ca | • {{#if: UbuntuHelp:PortKnocking|català| [[::PortKnocking/ca|català]]}}|}} {{#ifexist: {{#if: UbuntuHelp:PortKnocking | UbuntuHelp:PortKnocking | {{#if: | :}}PortKnocking}}/cs | • {{#if: UbuntuHelp:PortKnocking|čeština| [[::PortKnocking/cs|čeština]]}}|}} {{#ifexist: {{#if: UbuntuHelp:PortKnocking | UbuntuHelp:PortKnocking | {{#if: | :}}PortKnocking}}/de | • {{#if: UbuntuHelp:PortKnocking|Deutsch| [[::PortKnocking/de|Deutsch]]}}|}} {{#ifexist: {{#if: UbuntuHelp:PortKnocking | UbuntuHelp:PortKnocking | {{#if: | :}}PortKnocking}}/el | • {{#if: UbuntuHelp:PortKnocking|Ελληνικά| [[::PortKnocking/el|Ελληνικά]]}}|}} {{#ifexist: {{#if: UbuntuHelp:PortKnocking | UbuntuHelp:PortKnocking | {{#if: | :}}PortKnocking}}/es | • {{#if: UbuntuHelp:PortKnocking|español| [[::PortKnocking/es|español]]}}|}} {{#ifexist: {{#if: UbuntuHelp:PortKnocking | UbuntuHelp:PortKnocking | {{#if: | :}}PortKnocking}}/fa | • {{#if: UbuntuHelp:PortKnocking|فارسی| [[::PortKnocking/fa|فارسی]]}}|}} {{#ifexist: {{#if: UbuntuHelp:PortKnocking | UbuntuHelp:PortKnocking | {{#if: | :}}PortKnocking}}/fi | • {{#if: UbuntuHelp:PortKnocking|suomi| [[::PortKnocking/fi|suomi]]}}|}} {{#ifexist: {{#if: UbuntuHelp:PortKnocking | UbuntuHelp:PortKnocking | {{#if: | :}}PortKnocking}}/fr | • {{#if: UbuntuHelp:PortKnocking|français| [[::PortKnocking/fr|français]]}}|}} {{#ifexist: {{#if: UbuntuHelp:PortKnocking | UbuntuHelp:PortKnocking | {{#if: | :}}PortKnocking}}/gu | • {{#if: UbuntuHelp:PortKnocking|ગુજરાતી| [[::PortKnocking/gu|ગુજરાતી]]}}|}} {{#ifexist: {{#if: UbuntuHelp:PortKnocking | UbuntuHelp:PortKnocking | {{#if: | :}}PortKnocking}}/he | • {{#if: UbuntuHelp:PortKnocking|עברית| [[::PortKnocking/he|עברית]]}}|}} {{#ifexist: {{#if: UbuntuHelp:PortKnocking | UbuntuHelp:PortKnocking | {{#if: | :}}PortKnocking}}/hu | • {{#if: UbuntuHelp:PortKnocking|magyar| [[::PortKnocking/hu|magyar]]}}|}} {{#ifexist: {{#if: UbuntuHelp:PortKnocking | UbuntuHelp:PortKnocking | {{#if: | :}}PortKnocking}}/id | • {{#if: UbuntuHelp:PortKnocking|Bahasa Indonesia| [[::PortKnocking/id|Bahasa Indonesia]]}}|}} {{#ifexist: {{#if: UbuntuHelp:PortKnocking | UbuntuHelp:PortKnocking | {{#if: | :}}PortKnocking}}/it | • {{#if: UbuntuHelp:PortKnocking|italiano| [[::PortKnocking/it|italiano]]}}|}} {{#ifexist: {{#if: UbuntuHelp:PortKnocking | UbuntuHelp:PortKnocking | {{#if: | :}}PortKnocking}}/ja | • {{#if: UbuntuHelp:PortKnocking|日本語| [[::PortKnocking/ja|日本語]]}}|}} {{#ifexist: {{#if: UbuntuHelp:PortKnocking | UbuntuHelp:PortKnocking | {{#if: | :}}PortKnocking}}/ko | • {{#if: UbuntuHelp:PortKnocking|한국어| [[::PortKnocking/ko|한국어]]}}|}} {{#ifexist: {{#if: UbuntuHelp:PortKnocking | UbuntuHelp:PortKnocking | {{#if: | :}}PortKnocking}}/ksh | • {{#if: UbuntuHelp:PortKnocking|Ripoarisch| [[::PortKnocking/ksh|Ripoarisch]]}}|}} {{#ifexist: {{#if: UbuntuHelp:PortKnocking | UbuntuHelp:PortKnocking | {{#if: | :}}PortKnocking}}/mr | • {{#if: UbuntuHelp:PortKnocking|मराठी| [[::PortKnocking/mr|मराठी]]}}|}} {{#ifexist: {{#if: UbuntuHelp:PortKnocking | UbuntuHelp:PortKnocking | {{#if: | :}}PortKnocking}}/ms | • {{#if: UbuntuHelp:PortKnocking|Bahasa Melayu| [[::PortKnocking/ms|Bahasa Melayu]]}}|}} {{#ifexist: {{#if: UbuntuHelp:PortKnocking | UbuntuHelp:PortKnocking | {{#if: | :}}PortKnocking}}/nl | • {{#if: UbuntuHelp:PortKnocking|Nederlands| [[::PortKnocking/nl|Nederlands]]}}|}} {{#ifexist: {{#if: UbuntuHelp:PortKnocking | UbuntuHelp:PortKnocking | {{#if: | :}}PortKnocking}}/no | • {{#if: UbuntuHelp:PortKnocking|norsk| [[::PortKnocking/no|norsk]]}}|}} {{#ifexist: {{#if: UbuntuHelp:PortKnocking | UbuntuHelp:PortKnocking | {{#if: | :}}PortKnocking}}/oc | • {{#if: UbuntuHelp:PortKnocking|occitan| [[::PortKnocking/oc|occitan]]}}|}} {{#ifexist: {{#if: UbuntuHelp:PortKnocking | UbuntuHelp:PortKnocking | {{#if: | :}}PortKnocking}}/pl | • {{#if: UbuntuHelp:PortKnocking|polski| [[::PortKnocking/pl|polski]]}}|}} {{#ifexist: {{#if: UbuntuHelp:PortKnocking | UbuntuHelp:PortKnocking | {{#if: | :}}PortKnocking}}/pt | • {{#if: UbuntuHelp:PortKnocking|português| [[::PortKnocking/pt|português]]}}|}} {{#ifexist: {{#if: UbuntuHelp:PortKnocking | UbuntuHelp:PortKnocking | {{#if: | :}}PortKnocking}}/ro | • {{#if: UbuntuHelp:PortKnocking|română| [[::PortKnocking/ro|română]]}}|}} {{#ifexist: {{#if: UbuntuHelp:PortKnocking | UbuntuHelp:PortKnocking | {{#if: | :}}PortKnocking}}/ru | • {{#if: UbuntuHelp:PortKnocking|русский| [[::PortKnocking/ru|русский]]}}|}} {{#ifexist: {{#if: UbuntuHelp:PortKnocking | UbuntuHelp:PortKnocking | {{#if: | :}}PortKnocking}}/si | • {{#if: UbuntuHelp:PortKnocking|සිංහල| [[::PortKnocking/si|සිංහල]]}}|}} {{#ifexist: {{#if: UbuntuHelp:PortKnocking | UbuntuHelp:PortKnocking | {{#if: | :}}PortKnocking}}/sq | • {{#if: UbuntuHelp:PortKnocking|shqip| [[::PortKnocking/sq|shqip]]}}|}} {{#ifexist: {{#if: UbuntuHelp:PortKnocking | UbuntuHelp:PortKnocking | {{#if: | :}}PortKnocking}}/sr | • {{#if: UbuntuHelp:PortKnocking|српски / srpski| [[::PortKnocking/sr|српски / srpski]]}}|}} {{#ifexist: {{#if: UbuntuHelp:PortKnocking | UbuntuHelp:PortKnocking | {{#if: | :}}PortKnocking}}/sv | • {{#if: UbuntuHelp:PortKnocking|svenska| [[::PortKnocking/sv|svenska]]}}|}} {{#ifexist: {{#if: UbuntuHelp:PortKnocking | UbuntuHelp:PortKnocking | {{#if: | :}}PortKnocking}}/th | • {{#if: UbuntuHelp:PortKnocking|ไทย| [[::PortKnocking/th|ไทย]]}}|}} {{#ifexist: {{#if: UbuntuHelp:PortKnocking | UbuntuHelp:PortKnocking | {{#if: | :}}PortKnocking}}/tr | • {{#if: UbuntuHelp:PortKnocking|Türkçe| [[::PortKnocking/tr|Türkçe]]}}|}} {{#ifexist: {{#if: UbuntuHelp:PortKnocking | UbuntuHelp:PortKnocking | {{#if: | :}}PortKnocking}}/vi | • {{#if: UbuntuHelp:PortKnocking|Tiếng Việt| [[::PortKnocking/vi|Tiếng Việt]]}}|}} {{#ifexist: {{#if: UbuntuHelp:PortKnocking | UbuntuHelp:PortKnocking | {{#if: | :}}PortKnocking}}/yue | • {{#if: UbuntuHelp:PortKnocking|粵語| [[::PortKnocking/yue|粵語]]}}|}} {{#ifexist: {{#if: UbuntuHelp:PortKnocking | UbuntuHelp:PortKnocking | {{#if: | :}}PortKnocking}}/zh | • {{#if: UbuntuHelp:PortKnocking|中文| [[::PortKnocking/zh|中文]]}}|}} {{#ifexist: {{#if: UbuntuHelp:PortKnocking | UbuntuHelp:PortKnocking | {{#if: | :}}PortKnocking}}/zh-hans | • {{#if: UbuntuHelp:PortKnocking|中文(简体)| [[::PortKnocking/zh-hans|中文(简体)]]}}|}} {{#ifexist: {{#if: UbuntuHelp:PortKnocking | UbuntuHelp:PortKnocking | {{#if: | :}}PortKnocking}}/zh-hant | • {{#if: UbuntuHelp:PortKnocking|中文(繁體)| [[::PortKnocking/zh-hant|中文(繁體)]]}}|}} |
{{#ifeq:UbuntuHelp:PortKnocking|:PortKnocking|请不要直接编辑翻译本页,本页将定期与来源同步。}} |
{{#ifexist: :PortKnocking/zh | | {{#ifexist: PortKnocking/zh | | {{#ifeq: {{#titleparts:PortKnocking|1|-1|}} | zh | | }} }} }} {{#ifeq: {{#titleparts:PortKnocking|1|-1|}} | zh | | }}
- title Port Knocking
What is Port Knocking ?
Port knocking is a simple method to grant remote access without leaving a port constantly open. This preserves your server from port scanning and script kiddie attacks. To utilize port knocking, the server must have a firewall and run the knock-daemon. As the name conveys, the daemon is listening for a specific sequence of TCP or UDP "knocks". If the sequence is given correctly, then a command is executed; typically the source IP address is given access through the firewall to the port of an application (such as SSH). This method is reasonably secure, as port knocking is located at a very low level in the TCP/IP stack and does not require any opened ports. The knock-daemon is also invisible to potential attackers. On the client side, the only thing needed is to play the sequence with the client of your choice (such as knock).
Server Setup
The setup of the server is straightforward. First, ensure that your server has a running firewall. Then, install the knockd
package (see InstallingSoftware).
After the package is installed, edit its configuration file. Three approaches are presented below: the first is intended for connections with no keep-alive (such as HTTP), while the other two are intended for permanent connections (such as SSH and IRC).
Example 1
[options] logfile = /var/log/knockd.log [openHTTP] sequence = 7000,8000,9000 seq_timeout = 5 command = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 80 -j ACCEPT tcpflags = syn [closeHTTP] sequence = 9000,8000,7000 seq_timeout = 5 command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 80 -j ACCEPT tcpflags = syn
Here we have defined two sequences :
- openHTTP opens the HTTP port if the 7000, 8000 and 9000 port sequence is "knocked"
- closeHTTP closes the HTTP port if the 9000, 8000 and 7000 port sequence is "knocked"
Example 2
The second example is a bit different from the original:
[options] logfile = /var/log/knockd.log [SSH] sequence = 7000,8000,9000 seq_timeout = 5 command = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT tcpflags = syn cmd_timeout = 10 stop_command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
Example 3
This example uses UFW commands instead of iptables:
[options] logfile = /var/log/knockd.log [SSH] sequence = 7000,8000,9000 seq_timeout = 5 start_command = ufw allow from %IP% to any port 22 tcpflags = syn cmd_timeout = 10 stop_command = ufw delete allow from %IP% to any port 22
It's recommended to open the port for a short time (ten seconds, in the examples above). For this to be functional, you must have a state-full firewall running on your server (if using iptables, there must be a rule to accept connections with -m conntrack --ctstate RELATED,ESTABLISHED
).
Let's explain this configuration file. If a user "knocks" on ports 7000, 8000 and 9000 (in order), the command will be played (opening port 22). Ten seconds later, the stop_command
will be executed, closing the port to new connections.
Do not forget to change the sequence (this is the example provided by the default installation) and, of course provide the sequence to your users.
You must also change the default configuration file /etc/default/knockd
for the knockd daemon to start. Uncomment the START_KNOCKD=1 line to enable the daemon.
If you have multiple network adapters or experience issues with knockd not starting automatically during system startup, you can manually specify the network interface to listen on by uncommenting and amending the second line KNOCKD_OPTS as well:
# # knockd's default file, for generic sys config # # control if we start knockd at init or not # 1 = start # anything else = don't start START_KNOCKD=1 # command line options KNOCKD_OPTS="-i eth0"
That's it!
Client Side
On the client side, you can "knock" with the client of your choice: telnet
, nc
or even the software used to connect to the server (for example ssh
). If you do not use a client designed for portknocking, you must do the knock sequence manually.
An easier method is to use the knock client. Install the knockd
package (see InstallingSoftware).
For knocking, launch the command:
knock ''hostname'' ''port1'' ''port2'' ''port3''
Adding the -v option specifies that the request is verbose giving some feedback to the command, so if your target server IP was 192.168.1.250, the command and feedback would be:
knock -v 192.168.1.250 7000,8000,9000 hitting tcp 192.168.1.250:7000 hitting tcp 192.168.1.250:8000 hitting tcp 192.168.1.250:9000
If everything is working correctly, this should prompt the target server to open the hole in the firewall to allow access so you can then connect to your application.
Notice
Simple portknocking daemons (such as knockd) are vulnerable because a sniffer may recover the port sequence that was used. A better solution is Cryptknock (http://cryptknock.sourceforge.net/) Cryptknock's description says: "Cryptknock is an encrypted port knocking tool. Unlike other port knockers which use TCP ports or other protocol information to signal the knock, an encrypted string is used as the knock. This makes it extremely difficult for an eavesdropper to recover your knock (unlike other port knockers where tcpdump can be used to discover a port knock)."
Links
The orginal project Detailed explanations on how it works and a reference implementation. The port knocking daemon The Ubuntu package is build from this release. A Win32 package is also available. You will also find other examples and some documentation.