惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

F
Full Disclosure
WordPress大学
WordPress大学
小众软件
小众软件
Cloudbric
Cloudbric
AWS News Blog
AWS News Blog
腾讯CDC
量子位
人人都是产品经理
人人都是产品经理
大猫的无限游戏
大猫的无限游戏
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
V
Vulnerabilities – Threatpost
Scott Helme
Scott Helme
Hugging Face - Blog
Hugging Face - Blog
博客园_首页
C
CXSECURITY Database RSS Feed - CXSecurity.com
The Hacker News
The Hacker News
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
IT之家
IT之家
Jina AI
Jina AI
Attack and Defense Labs
Attack and Defense Labs
S
SegmentFault 最新的问题
Simon Willison's Weblog
Simon Willison's Weblog
The Cloudflare Blog
阮一峰的网络日志
阮一峰的网络日志
T
Tailwind CSS Blog
Last Week in AI
Last Week in AI
博客园 - 【当耐特】
Google Online Security Blog
Google Online Security Blog
美团技术团队
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
V
Visual Studio Blog
罗磊的独立博客
L
LINUX DO - 最新话题
博客园 - Franky
博客园 - 叶小钗
Apple Machine Learning Research
Apple Machine Learning Research
The Last Watchdog
The Last Watchdog
J
Java Code Geeks
AI
AI
C
Cisco Blogs
酷 壳 – CoolShell
酷 壳 – CoolShell
C
Cyber Attacks, Cyber Crime and Cyber Security
Cisco Talos Blog
Cisco Talos Blog
博客园 - 三生石上(FineUI控件)
雷峰网
雷峰网
Help Net Security
Help Net Security
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
云风的 BLOG
云风的 BLOG
I
Intezer
S
Securelist

Ittavern.com

Wimage - Hosting Open-Source Image Uploader with Podman and external S3 Storage Switching from Hugo to picopaper Encryption using SSH Keys with age in Linux ETag in nginx - Simple Resource Caching Sending nginx Logs to Loki with Grafana Alloy How to: Cisco ISE backup to SFTP repository with public key authentication Dummy IP & MAC Addresses for Documentation & Sanitization Deploying ISSO Commenting System for Static Content using Docker Generate a Vanity v3 Hidden Service Onion Address with mkp224o ssh-audit Primer - Audit your SSH Server mtr - More Detailed Traceroute - Network Troubleshooting My Personal Backup Strategy - August 2024 iperf3 - User Authentication with Password and RSA Public Keypair Adding a trash can to Linux with trash-cli Bandwidth Measurement using netcat on Linux Getting started with rsync - Comprehensive Guide Cron Jobs on Linux - Comprehensive Guide with Examples SSH Server Hardening Guide v2 Getting started with rclone - Data transmission Getting started with dig - DNS troubleshooting Getting started with Fail2Ban on Linux Getting started with netcat on Linux with examples URL explained - The Fundamentals Troubleshooting Asking The Right Questions Create tmux layouts using bash scripts Getting started with tcpdump - Ittavern.com Curl on Linux - Reference Guide Getting started with nmap scripts My Offsite Backup - March 2023 Getting started with iperf3 - Network Troubleshooting ICMP echo requests on Linux and Windows - Reference Guide Simulate an unreliable network connection with tc and netem on Linux Detecting Rogue DHCP Server - Ittavern.com Basics of the Linux Bash Command History with Examples Getting started with GNU screen - Beginners Guide Basics of Power over Ethernet (PoE) Difference between RSS and Atom SSH Troubleshooting Guide - Ittavern.com Backup Guide - how to secure crucial data SSH - run script or command at login Linux - unmount a busy target safely Visual guide to SSH tunneling and port forwarding Guide to Wireshark display filters Online Security Guide - Ittavern.com My IT EDC tool kit v2212 10 prompts - 1000 AI generated images - openAI Dall-E SSH - How to use public key authentication on Linux Ways to support open-source projects Getting started with nmap - Ittavern.com nginx - simple and native authentication function Linux - How to work with complex commands EICAR test file - riskless method to test your antivirus and firewall solution Linux - connect to a serial port with screen Podman / Docker - expose port only to the localhost of the host machine Tmux - reload .tmux.conf configuration file My use cases for CyberChef Nginx - simple permanent or temporary redirects Getting started with tmux - Ittavern.com Tmux - synchronize the input of all panes within a window Nginx - check your public IP CyberChef - How to remove empty lines
Port Knocking with knockd and Linux - Server Hardening
2023-11-12 · via Ittavern.com

Port knocking is like a secret handshake or magic word between client and server. It can be used in various ways, but most commonly as a security feature to deny all contact to a specific service - like SSH - and only allow connections if the client used the correct port knocking sequence. But it is not limited to it and can used to run different commands, too. In this article, I've decided to use knockd.

It works like this:
knockd server checks logs for specific sequence/ pattern (e.x. TCP Syn Packets of 3 specific ports)
knockd client runs specific sequence against server (e.x. to open up SSH access over the FW)
knockd server recognises sequence and runs a specified command (e.x. to open access via SSH for a specific IP)

Advantages:

  • adds another security layer (e.x. gainst automated attacks and information gathering)
  • could run commands in a secure way for third parties

Disadvantages:

  • limited compatibility/ availability (clients and servers (like AS400 etc)) + on third party machines not possible
  • knocking sequence could be captured (on client or network traffic)
  • additional work on network firewalls and IPS solution requiered, since the knocking ports must be reachable + knocking could be interpreted as a (malicious) network/port scans
  • additional software/configuration on client needed
  • unreliable on certain networks as high latency and packet loss can interfere with the knocking process/sequence
  • complexity might require additional user training
  • make it more difficult to use automation services like Ansible
  • if the knocking listener service dies or is misconfigured, access could impossible without further preperation (no long term experience)
  • because of the reasons above, troubleshooting is a pain!

My setup

Linux Ubuntu 22.04 LTS as Client and Server, using knockd as a port knocking service, iptables as firewall, and my goal is to secure my SSH access.

knockd Configuration - Server #

Install the service with sudo apt install knockd. The service is not running after installation, but let us check the configuration before we start it.

The first configuration file can be found here /etc/knockd.conf:

[options]
        UseSyslog

[openSSH]
        sequence    = 7000,8000,9000
        seq_timeout = 5
        command     = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
        tcpflags    = syn

[closeSSH]
        sequence    = 9000,8000,7000
        seq_timeout = 5
        command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
        tcpflags    = syn

[openHTTPS]
        sequence    = 12345,54321,24680,13579
        seq_timeout = 5
        command     = /usr/local/sbin/knock_add -i -c INPUT -p tcp -d 443 -f %IP%
        tcpflags    = syn

Make sure to change the sequences since they are known and, therefore, not secure. For this article, I am going to remove the [openHTTPS] section as it is not needed for now.

The sequence is a number of ports - 3 TCP ports per default, but you can change the number of ports and the protocol to UDP. In this article, I'll just use the default.

This is the new configuration file:

[options]
        UseSyslog

[openSSH]
        sequence    = 22222,33333,44444
        seq_timeout = 5
        command     = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
        tcpflags    = syn

[closeSSH]
        sequence    = 44444,33333,22222
        seq_timeout = 5
        command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
        tcpflags    = syn
Let me explain the command in [openSSH]:
/sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
/sbin/iptables - run iptables
-A INPUT - append rules to the INPUT chain (last position), replace with -I to >insert it to the chain into the first position
-s %IP% - specifies the source with the knockd variable of the IP of the 'knocker'. You can change it to a specific IP, network, or all source IPs
-p tcp - choose TCP as a protocol for SSH
--dport 22 - specify the destination port (SSH)
-j ACCEPT - tells iptables what to do with this packet

The second command in closeSSH deletes the previous rule with -D and the rule specifications.

The second configuration file can be found here /etc/default/knockd - in which we 'enable' knockd and specify the interface that we are going to use.

Open it in your favorite text editor, change the value of START_KNOCKD from 0 to 1 to enable knockd.

In the next option, you can specify the interface on which knockd is listening. Uncomment KNOCKD_OPTS and change eth1 with the interface of your choice. You can use ip -br a to find the name:

$ ip -br -c a
lo               UNKNOWN        127.0.0.1/8 ::1/128 
eth0             UP             111.222.111.222/32 metric 100 
ens10            UP             10.20.10.7/32

Starting knockd - Server #

So, after the configuration, let us start knockd.

sudo systemctl start knockd and sudo systemctl enable knockd to start the service and make sure that it autostarts after rebooting.

Use sudo systemctl status knockd to ensure the service is running.

The logs can be found in the syslog of the server:

user@test-ubu-01:/var/log$ sudo tail -f syslog
[sudo] password for user: 
[...]
Nov 12 15:20:24 test-ubu-01 knockd: 146.70.225.159: openSSH: Stage 1
Nov 12 15:20:24 test-ubu-01 knockd: 146.70.225.159: openSSH: Stage 2
Nov 12 15:20:24 test-ubu-01 knockd: 146.70.225.159: openSSH: Stage 3
Nov 12 15:20:24 test-ubu-01 knockd: 146.70.225.159: openSSH: OPEN SESAME
Nov 12 15:20:24 test-ubu-01 knockd: openSSH: running command: /sbin/iptables -A INPUT -s 146.70.225.159 -p tcp --dport 22 -j ACCEPT

You can check the firewall rules with sudo iptables --list:

sudo iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  146.70.225.159       anywhere             tcp dpt:ssh

Important: Make sure that you remove all 'allow-all' accept rules for SSH and keep one session open so you don't get locked out.

knockd - Client #

Install knockd on the client, and use the knock command:
knock -d 5 -v 195.201.49.99 22222 33333 44444
-d 5 - add a delay of 5 milliseconds between the port hits. It can prevent you from getting hit by various security solutions that block network scans
-v - increase the verbosity
195.201.49.99 - destination IP
22222 33333 44444 - the sequence, TCP is the default, use -u to change all ports to UDP, or add :udp or :tcp directly behind the port to specify the protocol per port
more information can be found via man knock

As this is the sequence for [openSSH], the logs and rule set should look like the examples in the previous section. To remove the rule, run the command with the sequence of the [closeSSH] section.

As a side note: I bet you could do the knocking part without any client and use netcat, nmap or some other tool, but I have not tested it yet.

Troubleshooting

Just a small list of tips in case something is not working:

  • make sure there is no other firewall ruleset active, UFW, for example
    • make sure that the order of rules is correct
  • check the logs on the server /var/log/syslog
  • make sure the client can reach the necessary ports of the knocking itself (network firewall, IPS, etc)
  • make sure knockd is enabled, listening to the correct interface and is running

Conclusion

Port knocking is an interesting idea, but I don't plan to implement it anywhere. I've got some ideas for some niche cases, but that's it.

此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。