One: Device information
Server to protect: Ubuntu 14.04, 192.168.1.38
SSH test machine: Kali 2.0, 192.168.1.47
Two: Configuration process
1. First, scan the port status of the server before knockd is configured:
The scan shows the SSH port (22) open.
2. Download and configure knockd on the server (192.168.1.38)
1) Install knockd
# apt-get update
# apt-get install build-essential -y
# apt-get install knockd -y
2) Configure the knockd service:
2.1 Configure /etc/knockd.conf.
[options]
    # UseSyslog
    LogFile = /knock.log
    # the log location and file name can be customised

[openSSH]
    sequence = 7000,8000,9000
    # the knock sequence; this is the default, change it to your own ports
    seq_timeout =
    # seconds allowed to complete the sequence (value not shown); setting it too small makes knocks fail
    command = /sbin/iptables -I INPUT -s 192.168.1.47 -p tcp --dport 22 -j ACCEPT
    # -I inserts the rule at the front of the INPUT chain so it is matched before the catch-all DROP rule that would otherwise swallow it
    tcpflags = syn

[closeSSH]
    sequence = 9000,8000,7000
    # the closing sequence: the opening sequence in reverse order
    seq_timeout = 30
    command = /sbin/iptables -D INPUT -s 192.168.1.47 -p tcp --dport 22 -j ACCEPT
    # once SSH is no longer needed, remove the rule to "protect" port 22 again
    tcpflags = syn
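The per-source matching that the two doors above configure can be modelled in a few lines; the following Python is an added example written for this page (not knockd's own code) that reproduces the rules knockd applies: only SYN packets count (tcpflags = syn), a wrong port discards the attempt, and exceeding seq_timeout since the first knock discards it, which is why too small a time-out makes knocks fail. It assumes a 30-second seq_timeout for openSSH, matching the closeSSH door, and the door names and command strings are those from the configuration above.

```python
from dataclasses import dataclass

@dataclass
class Door:
    name: str
    sequence: tuple     # knock ports in order, e.g. (7000, 8000, 9000)
    seq_timeout: float  # seconds allowed from the first knock to the last
    command: str        # command knockd runs when the sequence completes

class KnockDaemon:
    """Simplified model of knockd: one pending attempt per source IP."""
    def __init__(self, doors):
        self.doors = doors
        self.attempts = {}  # src IP -> [door, next stage index, time of first knock]

    def packet(self, now, src, dport, syn=True):
        """Feed one TCP packet; return the command that would run, or None."""
        if not syn:         # tcpflags = syn: only SYN packets count as knocks
            return None
        a = self.attempts.get(src)
        if a and now - a[2] > a[0].seq_timeout:
            del self.attempts[src]      # too slow: the attempt expires
            a = None
        if a is None:
            for d in self.doors:
                if d.sequence[0] == dport:
                    a = self.attempts[src] = [d, 1, now]
                    break
            else:
                return None             # not the start of any sequence
        elif a[0].sequence[a[1]] == dport:
            a[1] += 1
        else:
            del self.attempts[src]      # wrong port: the attempt is discarded
            return None
        if a[1] == len(a[0].sequence):  # sequence complete: fire the command
            del self.attempts[src]
            return a[0].command
        return None

# The two doors from the knockd.conf above (openSSH time-out assumed to be 30 s).
OPEN_CMD = "/sbin/iptables -I INPUT -s 192.168.1.47 -p tcp --dport 22 -j ACCEPT"
CLOSE_CMD = "/sbin/iptables -D INPUT -s 192.168.1.47 -p tcp --dport 22 -j ACCEPT"
DOORS = [Door("openSSH", (7000, 8000, 9000), 30, OPEN_CMD),
         Door("closeSSH", (9000, 8000, 7000), 30, CLOSE_CMD)]

def run_knocks(knocks, doors=DOORS):
    """knocks: constructed (time, src, dport) tuples; returns the commands that would fire."""
    d = KnockDaemon(doors)
    return [c for c in (d.packet(t, s, p) for t, s, p in knocks) if c]
```

Feeding the correct sequence within 30 seconds returns the open command, while the same three knocks spread over 40 seconds return nothing, because the attempt has already expired when the third knock arrives.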
2.2 Configure /etc/default/knockd and set START_KNOCKD=1.
################################################
#
# knockd's default file, for generic sys config
#
################################################
# control if we start knockd at init or not
# 1 = start
# anything else = don't start
#
# edit /etc/knockd.conf before enabling
START_KNOCKD=1
# command line options
#KNOCKD_OPTS="-i eth1"
2.3 Start knockd.
# service knockd start
To restart knockd:
# service knockd restart
2.4 Add the appropriate iptables rules
Ensure that the server can talk to itself over the loopback interface:
# iptables -A INPUT -s 127.0.0.0/8 -j ACCEPT
In this test, all other incoming traffic to the server is dropped (run this from the console rather than over an SSH session, since the rule also drops packets belonging to existing connections; knockd still sees the knock packets because it captures them with libpcap before netfilter drops them):
# iptables -A INPUT -j DROP
To view the iptables rules that have been added:
# iptables -nvL
Scanning again with nmap now no longer shows the SSH port:
3. Test the knockd service
1) Log in to the server over SSH directly from the Kali test machine:
# ssh <user>@192.168.1.38
As the output shows, the login does not succeed.
2) Knock with the 7000/8000/9000 sequence:
# for x in 7000 8000 9000; do nmap -Pn --host_timeout 201 --max-retries 0 -p $x 192.168.1.38; done
3) Test again whether login is now possible:
# ssh <user>@192.168.1.38
As the output shows, the login now succeeds.
At this point the iptables rules on the server have changed:
When the designated test machine has finished using the SSH service, the port can be "protected" again with the corresponding closing sequence.
4) Close with the 9000/8000/7000 sequence
# for x in 9000 8000 7000; do nmap -Pn --host_timeout 201 --max-retries 0 -p $x 192.168.1.38; done
At this point the server's iptables rules revert to:
SSH login is no longer possible now; the door has to be knocked open again first.
Three: Summary
In practice, this method can be used to hide sensitive servers and improve the security of the system. Feel free to add QQ 729608240 to discuss.
Linux security configuration: hiding the SSH service from the Internet (port knocking)