Exercise 38: Implementing Port Knocking for Secure Access

Mar 30, 2025

Objective

Configure and test port knocking as a security mechanism for secure remote access. Understand how port knocking can conceal service ports, reducing the risk of unauthorized access.


Scenario

A system administrator wants to secure SSH access on a Linux server by making it invisible to unauthorized users. In this exercise, you’ll install and configure port knocking using knockd, define a secret port sequence to open SSH, and test the setup. You’ll also analyze the advantages and limitations of using port knocking for security.

⚠️ Important: This exercise should be performed in a legal and controlled environment. Unauthorized access or modification of services is illegal and unethical.


Lab Instructions

Step 1: Install knockd

a. Install knockd on the Target Server

sudo apt update
sudo apt install knockd -y

b. Enable knockd Service

  • Edit the knockd configuration to start on boot:
sudo nano /etc/default/knockd
  • Modify:
START_KNOCKD=1
  • Start the knockd service:
sudo systemctl start knockd
sudo systemctl enable knockd

Step 2: Configure Port Knocking

a. Edit knockd Configuration

sudo nano /etc/knockd.conf
  • Add the following configuration:
[options]
    UseSyslog

[openSSH]
    sequence    = 7000,8000,9000
    seq_timeout = 5
    command     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn

[closeSSH]
    sequence    = 9000,8000,7000
    seq_timeout = 5
    command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn

b. Restart knockd to Apply Changes

sudo systemctl restart knockd

Step 3: Configure Firewall to Block SSH by Default

  • Block all SSH access initially:
sudo iptables -A INPUT -p tcp --dport 22 -j DROP
  • Note: -A appends the DROP rule to the end of the INPUT chain, while knockd's command uses -I to insert the per-client ACCEPT rule above it, so a successful knock takes precedence. The DROP rule also applies to an SSH session you are already connected through, so run it from the console or a session you can afford to lose, and remember that it does not survive a reboot unless the rules are saved.

Step 4: Test Port Knocking

a. Install the knock Client on Another Machine

  • The knock client ships in the same knockd package:
sudo apt install knockd -y

b. Perform the Correct Knocking Sequence

  • Send the port knock sequence to open SSH:
knock <server-ip> 7000 8000 9000
  • Connect via SSH:
ssh user@<server-ip>

c. Close SSH Access

  • Send the closing sequence:
knock <server-ip> 9000 8000 7000
  • Verify that SSH is no longer accessible:
ssh user@<server-ip>
  • Expected Result: SSH access is denied.

Step 5: Analyze Logs

  • Check knockd logs for knock attempts (UseSyslog in knockd.conf sends them to syslog):
sudo tail -f /var/log/syslog | grep knockd
  • On systems that log only to the journal, follow the service's log directly:
sudo journalctl -u knockd -f

Solution & Explanation

How Port Knocking Works

  • Port knocking hides service ports (e.g., SSH) behind a sequence of connection attempts to closed ports.
  • Only clients sending the correct sequence can access the service.

Advantages of Port Knocking

  1. Stealth Security: SSH port remains hidden until the correct sequence is sent.
  2. Minimal Resource Usage: No extra hardware or heavy software required.
  3. Simple Implementation: Easy to configure and deploy.

Limitations of Port Knocking

  1. Packet Sniffing Risk: Attackers on the same network can capture the knocking sequence.
  2. No Encryption: Knocking sequences are sent in plaintext.
  3. Limited Protection Against Brute-Force: Short sequences can be guessed.
  4. Network Latency: High latency can disrupt the knock sequence.

Testing & Verification

  • Before Knocking: SSH access should be blocked.
  • After Correct Sequence: SSH access should be granted.
  • After Closing Sequence: SSH access should be blocked again.

Verify Firewall Rules

sudo iptables -L -n -v | grep 22

Security Best Practices

  1. Use Strong, Longer Knock Sequences: Increase complexity to prevent brute-force attempts.
  2. Encrypt Knock Sequences: Use tools like fwknop for encrypted, single-packet authorization.
  3. Combine with Fail2Ban: Block repeated failed knock attempts.
  4. Implement Rate Limiting: Prevent rapid port scanning.
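Step 5's syslog output is also the raw material for best practice 3, blocking sources that keep starting knock sequences without completing them. The following added example is not from the exercise or the knockd project: it runs an awk triage over constructed syslog lines written in the "<ip>: <door>: Stage N" / "<ip>: <door>: OPEN SESAME" form that knockd logs with UseSyslog (confirm the exact format against your own syslog before relying on it) and counts, per source IP, how many sequences were started but never completed. Because the closing sequence here is the reverse of the opening one, the final knock of one door can register as Stage 1 of the other door, so a legitimate open/close cycle leaves a couple of incomplete starts behind; the sample includes those lines, and the threshold is chosen above that noise.

```shell
#!/bin/sh
# Added example: find sources that repeatedly start knock sequences without
# completing them, from knockd's syslog lines. Constructed sample log, in the
# format knockd uses with UseSyslog; 198.51.100.5 is a legitimate client doing
# one open/close cycle, 203.0.113.7 keeps hitting the first port only.
SAMPLE_LOG='Mar 30 10:00:01 server knockd: 198.51.100.5: openSSH: Stage 1
Mar 30 10:00:01 server knockd: 198.51.100.5: openSSH: Stage 2
Mar 30 10:00:02 server knockd: 198.51.100.5: openSSH: Stage 3
Mar 30 10:00:02 server knockd: 198.51.100.5: openSSH: OPEN SESAME
Mar 30 10:00:02 server knockd: 198.51.100.5: closeSSH: Stage 1
Mar 30 10:00:02 server knockd: openSSH: running command: /sbin/iptables -I INPUT -s 198.51.100.5 -p tcp --dport 22 -j ACCEPT
Mar 30 10:05:11 server knockd: 203.0.113.7: openSSH: Stage 1
Mar 30 10:05:19 server knockd: 203.0.113.7: openSSH: Stage 1
Mar 30 10:05:27 server knockd: 203.0.113.7: closeSSH: Stage 1
Mar 30 10:05:40 server knockd: 203.0.113.7: openSSH: Stage 1
Mar 30 10:05:52 server knockd: 203.0.113.7: openSSH: Stage 1
Mar 30 10:09:30 server knockd: 198.51.100.5: closeSSH: Stage 1
Mar 30 10:09:30 server knockd: 198.51.100.5: closeSSH: Stage 2
Mar 30 10:09:31 server knockd: 198.51.100.5: closeSSH: Stage 3
Mar 30 10:09:31 server knockd: 198.51.100.5: closeSSH: OPEN SESAME
Mar 30 10:09:31 server knockd: 198.51.100.5: openSSH: Stage 1'

# Read knockd log lines on stdin; print "<ip> <incomplete>" for every source
# whose started-but-never-completed sequence count reaches the threshold.
# Each "Stage 1" line is one started attempt; each "OPEN SESAME" is a completion.
incomplete_knockers() {
    threshold="$1"
    awk -v threshold="$threshold" '
        # Source IP sits between "knockd: " and the next ":"; command lines have none.
        function src_ip(line) {
            if (match(line, /knockd: [0-9.]+:/))
                return substr(line, RSTART + 8, RLENGTH - 9)
            return ""
        }
        /: Stage 1$/     { ip = src_ip($0); if (ip != "") starts[ip]++ }
        /: OPEN SESAME$/ { ip = src_ip($0); if (ip != "") opens[ip]++ }
        END {
            for (ip in starts) {
                incomplete = starts[ip] - opens[ip]
                if (incomplete >= threshold) print ip, incomplete
            }
        }' | sort
}

# Stand-alone run: report sources with 3 or more incomplete attempts.
# On a live server, feed real lines instead:  grep knockd /var/log/syslog | incomplete_knockers 3
printf '%s\n' "$SAMPLE_LOG" | incomplete_knockers 3
```

The reported addresses are candidates for a Fail2Ban jail or a temporary iptables DROP; since one open/close cycle by a real user already leaves two incomplete starts in this configuration (the shared first/last ports 9000 and 7000), a threshold of 3 or more within a short window separates scanning from normal use in the sample, and a production threshold should be tuned on your own logs.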

Additional Script (Optional)

Automate Port Knocking Configuration:

#!/bin/bash
# Configure knockd for SSH port knocking (automates Steps 1-3 above)
set -e   # stop before the DROP rule is added if an earlier step fails
sudo apt update
sudo apt install knockd -y
sudo sed -i 's/START_KNOCKD=0/START_KNOCKD=1/' /etc/default/knockd
sudo bash -c 'cat > /etc/knockd.conf <<EOF
[options]
    UseSyslog

[openSSH]
    sequence    = 7000,8000,9000
    seq_timeout = 5
    command     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn

[closeSSH]
    sequence    = 9000,8000,7000
    seq_timeout = 5
    command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn
EOF'
# Default-deny SSH; knockd's -I inserts the per-client ACCEPT above this rule.
# This rule is not persistent across reboots unless saved (e.g. with iptables-persistent).
sudo iptables -A INPUT -p tcp --dport 22 -j DROP
sudo systemctl restart knockd
sudo systemctl enable knockd   # start on boot, as in Step 1b

Run the script:

chmod +x configure_knockd.sh
sudo ./configure_knockd.sh

Conclusion

In this exercise, you configured and tested port knocking using knockd to secure SSH access. You created a port knocking sequence, validated access control, and explored the advantages and limitations of port knocking as a security mechanism.
