Article source: https://help.ubuntu.com/community/PortKnocking
What is Port Knocking?
Port knocking is a simple and effective way to grant remote access without leaving a port constantly open. This protects your server from port scanning and script-kiddie attacks.
To use port knocking, the server must run a firewall and the knock daemon. As the name suggests, the daemon listens for a specific sequence of TCP or UDP "knocks". If the sequence is played correctly, a command is executed; typically, the application's port is opened through the firewall for the source IP address only. This method is perfectly secure, as port knocking sits at a very low level in the TCP/IP stack and does not require any open ports. The knock daemon is also invisible to attackers.
On the client side, the only thing you have to do is play the sequence. You can do that with whatever client you prefer; a dedicated client program called knock also exists.
Server Setup
Setting up the server is quite easy. First, make sure your server has a running firewall. Then install the following package: knockd (see InstallingSoftware).
Then edit the configuration file. We will present two different approaches: one better suited to connections without keep-alive (HTTP, for example), and another mode suited to permanent connections (SSH, IRC, ...).
As you will notice, the syntax of the configuration file is quite easy to understand.
Example 1
Here is the default configuration file for the knock daemon (/etc/knockd.conf):

[options]
    logfile = /var/log/knockd.log

[openSSH]
    sequence    = 7000,8000,9000
    seq_timeout = 5
    command     = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 80 -j ACCEPT
    tcpflags    = syn

[closeSSH]
    sequence    = 9000,8000,7000
    seq_timeout = 5
    command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 80 -j ACCEPT
    tcpflags    = syn

Here we have defined two sequences:
- openSSH, which opens the HTTP port if ports 7000, 8000 and 9000 are knocked in that order
- closeSSH, which closes the HTTP port if ports 9000, 8000 and 7000 are knocked in that order
Example 2
The second example file differs slightly from the original:

[options]
    logfile = /var/log/knockd.log

[SSH]
    sequence     = 7000,8000,9000
    seq_timeout  = 5
    command      = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags     = syn
    cmd_timeout  = 10
    stop_command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT

In the default configuration file, you have two sequences:
- one for opening the port
- a second one for closing the port
We advocate opening the port for only a short time range (10 s in the example). For this example to work, you need a stateful firewall running on your server (which means you must accept established connections with -m state --state RELATED,ESTABLISHED), otherwise the SSH session is cut off as soon as the port is closed again.
Let's walk through this configuration file. If a user "knocks" ports 7000, 8000 and 9000 (in that order), the command is run (opening port 22). Ten seconds later, the stop_command is executed, closing the port.
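To make the timing in the [SSH] section concrete, here is a small simulation of a knockd "door", added here as an illustration (it is not knockd's own code). It models only the documented knobs (sequence, seq_timeout, command, cmd_timeout, stop_command); firewall actions are appended to a log instead of running iptables, pending stop_commands are flushed whenever a knock arrives rather than by a real timer, and the IP addresses and timestamps in the trace are constructed:

```python
"""Toy model of a knockd door (illustration only, not knockd's code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Door:
    sequence: tuple       # ports that must be hit in this order
    seq_timeout: float    # seconds allowed between the first and the last knock
    cmd_timeout: float    # seconds the port stays open; 0 = no stop_command


@dataclass
class Attempt:
    started: float        # time of the first knock of this attempt
    index: int = 0        # position in the sequence of the next expected port


class KnockDaemon:
    def __init__(self, door):
        self.door = door
        self.attempts = {}    # source IP -> Attempt in progress
        self.close_at = {}    # source IP -> time the stop_command is due
        self.actions = []     # (time, "open"|"close", ip), standing in for iptables calls

    def expire(self, now):
        """Run every stop_command whose cmd_timeout has elapsed by `now`."""
        for ip, due in sorted(self.close_at.items(), key=lambda kv: kv[1]):
            if now >= due:
                self.actions.append((due, "close", ip))
                del self.close_at[ip]

    def knock(self, now, ip, port):
        """Feed one SYN (time, source IP, destination port); True if the door opened."""
        self.expire(now)
        att = self.attempts.pop(ip, None)
        # A partial sequence older than seq_timeout is forgotten.
        if att is not None and now - att.started > self.door.seq_timeout:
            att = None
        if att is None:
            att = Attempt(started=now)
        if port != self.door.sequence[att.index]:
            return False      # wrong port: the whole attempt is discarded
        att.index += 1
        if att.index < len(self.door.sequence):
            self.attempts[ip] = att
            return False
        # Full sequence seen: "command" runs now, "stop_command" cmd_timeout later.
        self.actions.append((now, "open", ip))
        if self.door.cmd_timeout:
            self.close_at[ip] = now + self.door.cmd_timeout
        return True


# The [SSH] door from the example above.
DOOR = Door(sequence=(7000, 8000, 9000), seq_timeout=5, cmd_timeout=10)

# Constructed trace: (time in seconds, source IP, destination port).
TRACE = [
    (0.0, "10.0.0.5", 7000),    # a correct, brisk sequence ...
    (0.5, "10.0.0.5", 8000),
    (1.0, "10.0.0.5", 9000),    # ... opens port 22 for 10.0.0.5 at t=1.0
    (2.0, "10.0.0.9", 7000),    # a second client starts, then stalls
    (9.0, "10.0.0.9", 8000),    # 7 s later: seq_timeout (5 s) has passed, attempt dropped
    (9.5, "10.0.0.9", 9000),    # 9000 is not the first port of the sequence either
    (12.0, "10.0.0.9", 7000),   # the stop_command for 10.0.0.5 (due at t=11.0) is flushed here
]


def run_scenario(trace=TRACE, door=DOOR):
    """Replay a knock trace and return the firewall action log."""
    daemon = KnockDaemon(door)
    for event in trace:
        daemon.knock(*event)
    daemon.expire(float("inf"))     # flush stop_commands still pending at the end
    return daemon.actions


if __name__ == "__main__":
    for when, action, ip in run_scenario():
        print(f"t={when:5.1f}  {action:<5}  {ip}")
```

Running it shows a single open at t=1.0 and the matching close at t=11.0 for 10.0.0.5, while the slow client never gets its port opened: the gap between its first and second knock exceeds seq_timeout, and a sequence cannot be resumed from the middle.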
Do not forget to change the sequence (this is the example provided by the default installation), and to provide the sequence to your users.
Change the default configuration in /etc/default/knockd so that the knock daemon is launched:

#
# knockd's default file, for generic sys config
#
# control if we start knockd at init or not
# 1 = start
# anything else = don't start
START_KNOCKD=1

# command line options
#KNOCKD_OPTS="-i eth0"

Now, just launch the daemon:
sudo /etc/init.d/knockd start
That's it!
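Before starting the daemon it is worth checking the configuration against the advice given above: the sequence shipped with the package must be changed, the command should be limited to the knocking address with %IP%, and an opened port should be closed again. The checker below is an added example, not part of knockd; it parses the INI-like knockd.conf by hand because Python's configparser would treat the tab-indented keys as continuation lines. The sample configurations are constructed here (EXAMPLE_2 is transcribed from the second example above; CUSTOM_CONF and BAD_CONF are made up for the test):

```python
"""Sanity checks for a knockd.conf (added illustration, not part of knockd)."""
import re

# Sequences shipped in the package's example configuration.
DEFAULT_SEQUENCES = {(7000, 8000, 9000), (9000, 8000, 7000)}


def parse_knockd_conf(text):
    """Return {section: {key: value}} for a knockd.conf body.

    Lines are '[section]' headers or 'key = value' (usually tab-indented);
    a bare word such as 'UseSyslog' is kept as a key with an empty value.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1)
            sections[current] = {}
            continue
        if current is None:
            raise ValueError(f"line outside any section: {raw!r}")
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()
    return sections


def parse_sequence(value):
    """'7000,8000:udp,9000' -> (7000, 8000, 9000); per-port protocol suffixes are dropped."""
    return tuple(int(p.split(":")[0]) for p in value.split(","))


def check_knockd_conf(text):
    """Return a list of (section, finding) tuples; an empty list means no concerns."""
    findings, seen = [], {}
    for name, door in parse_knockd_conf(text).items():
        if name == "options":
            continue
        if "sequence" not in door:
            findings.append((name, "no sequence defined"))
            continue
        seq = parse_sequence(door["sequence"])
        if seq in DEFAULT_SEQUENCES:
            findings.append((name, "uses the sequence shipped with the package; pick your own"))
        if seq in seen:
            findings.append((name, f"same sequence as [{seen[seq]}]"))
        seen.setdefault(seq, name)
        cmd = door.get("command", "")
        if "-A INPUT" in cmd or "-I INPUT" in cmd:      # this door opens something
            if "%IP%" not in cmd:
                findings.append((name, "command opens the port for every source, not only %IP%"))
            if "stop_command" not in door:
                findings.append((name, "port is opened but this section has no stop_command"))
            elif "cmd_timeout" not in door:
                findings.append((name, "stop_command set but cmd_timeout is missing"))
    return findings


# Transcribed from Example 2 above (still uses the shipped sequence).
EXAMPLE_2 = """\
[options]
\tlogfile = /var/log/knockd.log
[SSH]
\tsequence    = 7000,8000,9000
\tseq_timeout = 5
\tcommand     = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
\ttcpflags    = syn
\tcmd_timeout = 10
\tstop_command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
"""

# Constructed: own sequence, source-restricted, closed again after 10 s.
CUSTOM_CONF = """\
[options]
\tUseSyslog
[SSH]
\tsequence    = 2345,6789:udp,1357
\tseq_timeout = 5
\tcommand     = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
\ttcpflags    = syn
\tcmd_timeout = 10
\tstop_command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
"""

# Constructed: opens port 80 for everyone and never closes it.
BAD_CONF = """\
[web]
\tsequence    = 1234,5678
\tseq_timeout = 5
\tcommand     = /sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT
"""

if __name__ == "__main__":
    for label, conf in (("example 2", EXAMPLE_2), ("custom", CUSTOM_CONF), ("bad", BAD_CONF)):
        print(label, check_knockd_conf(conf) or "ok")
```

Point the checker at your real file (for example `check_knockd_conf(open("/etc/knockd.conf").read())`) before the first `sudo /etc/init.d/knockd start`; an empty result means the configuration follows the three rules above, nothing more.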
Client Side
On the client side, you can "knock" with whatever client you want: telnet, nc, or even the software used to connect to the server (for example ssh).
But for more simplicity, there is also the knock client. Install the following package: knockd (see InstallingSoftware).
To knock, just launch the command:
knock <hostname> <port1> <port2> <port3>
Then connect to your application.
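A knock is nothing more than a connection attempt: the SYN is what knockd sees, and on a closed port the attempt is refused or times out, which is the expected outcome. The following client is an added example, not the knock program shipped in the knockd package; the host address in its test is a constructed placeholder, and the `connect` parameter is an assumption introduced so the sequencing logic can be exercised without a network:

```python
"""Minimal port-knock client (added illustration, not the knock(1) program)."""
import socket
import sys
import time


def knock(host, ports, connect=socket.create_connection, pause=0.2, timeout=1.0):
    """Send the knock sequence to `host`; return a list of (port, outcome).

    `connect` defaults to socket.create_connection and is injectable for tests.
    A short pause between knocks keeps them arriving in order at the daemon.
    """
    results = []
    for port in ports:
        try:
            sock = connect((host, port), timeout=timeout)
        except OSError:
            # Refused or timed out: the SYN went out, which is all a knock needs.
            results.append((port, "knocked"))
        else:
            # The port actually answered; knockd still saw the SYN, but the
            # firewall is exposing this port, which the setup above does not intend.
            sock.close()
            results.append((port, "accepted"))
        time.sleep(pause)
    return results


if __name__ == "__main__":
    # Usage mirrors the knock client: knock.py <hostname> <port1> <port2> ...
    target, seq = sys.argv[1], [int(p) for p in sys.argv[2:]]
    for port, outcome in knock(target, seq):
        print(f"{target}:{port} {outcome}")
```

Any "accepted" result is worth a look: it means a port in your knock sequence is reachable without knocking, so the firewall is not as closed as the setup above assumes.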
Conclusion
You have done it! Easy to set up, but very efficient, isn't it?
Notice
Simple port-knocking daemons such as knockd are vulnerable because a sniffer can recover which ports were knocked. A better solution is Cryptknock (http://cryptknock.sourceforge.net/). Cryptknock's description says: "Cryptknock is an encrypted port knocking tool. Unlike other port knockers which use TCP ports or other protocol information to signal the knock, an encrypted string is used as the knock. This makes it extremely difficult for an eavesdropper to recover your knock (unlike other port knockers where tcpdump can be used to discover a port knock)."
Links
The original project: detailed explanations of how it works and a reference implementation.
The port knocking daemon: the Ubuntu package is built from this release. A Win32 package is also available. You will also find other examples and some documentation.