Copyright (c) 2004, Judd Vinet jvinet@zeroflux.org.
Modified by LuisPa, fixed compilation warnings, new version of the ./src/knock_helper_ipt.sh, systemd files, updated documentation.
This is a port-knocking server/client. Port-knocking is a method where a server can sniff one of its interfaces for a special "knock" sequence of port-hits. When detected, it will run a specified event bound to that port knock sequence. These port-hits need not be on open ports, since we use libpcap to sniff the raw interface traffic.
If you have a different version in your system, recommendation is to remove it, i.e.:
apt remove knockd
To build knockd, make sure you have libpcap and the autoconf tools installed. Then run the following:
autoreconf -fi
./configure --prefix=/usr/local
make
sudo make install
Run it manually
/usr/local/sbin/knockd -i ppp0 -d -c /etc/knockd.conf
If you have systemd:
The example below could be used to run a strict (DENY policy) firewall that can only be accessed after a successful knock sequence.
- Client sends four TCP SYN packets to Server, at the following ports: 38281, 29374, 4921, 54918
- Server detects this and runs an iptables command to open port 22 to Client.
- Client connects to Server via SSH and does whatever it needs to do.
- Client sends four more TCP SYN packets to Server: 37281, 8529, 40127, 10100
- Server detects this and runs another iptables command to close port 22 to Client.
See ./knockd.conf for examples.
Check iptables
iptables -n -L <NetFilter chain> (INPUT|FORWARD|OUTPUT)
The accompanying knock client is very basic. If you want to do more advanced knocks (eg, setting specific tcp flags) then you should take look at more powerful clients.
Here are some other implementations of port-knocking: