brandon/oam
1
0
Fork 0
mirror of https://gitea.com/mcereda/oam.git synced 2026-02-09 05:44:23 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
761e06caa74db6ed055cf2f01e0876af2a425c1a
oam/knowledge base/knockd.md
Michele Cereda d42f25f1be fix: typo
2023-05-24 19:56:38 +02:00

3.1 KiB
Raw Blame History

knockd

Port-knock server. It listens to all traffic on a network interface, looking for special knock sequences of port-hits. These ports do not need to be open -- knockd listens at the link-layer level, so it can even see traffic which is destined to a closed port.

When the server detects a specific sequence of port-hits, it runs a command defined in its configuration file. This can be used to open up holes in a firewall for quick access.

Table of contents

  1. TL;DR
  2. Configuration
  3. Further readings
  4. Sources

TL;DR

Server side:

# Install `knockd`.
sudo apt install 'knockd'
brew install 'knockd'
sudo dnf install 'knock-server'
sudo zypper install 'knockd'

# Configure the sequence and its effects.
sudo vim '/etc/knockd.conf'

# Enable the service.
sudo systemctl enable --now 'knockd.service'

# Keep an eye on the logs to see if the sequence is working.
sudo journalctl -xe -u 'knockd.service'

Client side:

# Install `knock`.
sudo apt install 'knockd'
brew install 'knockd'
sudo dnf install 'knock'
sudo zypper install 'knock'

# Send the command.
# If ':protocol' is not given, defaults to 'tcp'; defaults to 'udp' if the '-u'
# option is specified.
knock '123.456.789.012' '2222' '3333:udp' '4444'
knock -vu 'example.fqdn' '2222:tcp' '3333' '4444:tcp'

Configuration

knockd's default configuration file is /etc/knockd.conf.

Each knock/event begins with a title marker in the form [name], with it being the name of the event that will appear in the log.
[options] is a special marker used to define knockd's global options.

[options]
	UseSyslog
	Interface = enp0s2

# Different sequences for opening and closing.
[openSSH]
    sequence    = 7000,8000,9000
    seq_timeout = 10
    tcpflags    = syn
    command     = /usr/sbin/iptables -A INPUT -s %IP% -j ACCEPT
[closeSSH]
    sequence    = 9000,8000,7000
    seq_timeout = 10
    tcpflags    = syn
    command     = /usr/sbin/iptables -D INPUT -s %IP% -j ACCEPT

# Single sequence for opening, automatic close after 'cmd_timeout' seconds.
# If a sequence setting contains the `cmd_timeout` statement, the `stop_command`
# will be automatically issued after that amount of seconds.
[openClose7777]
	sequence      = 2222:udp,3333:tcp,4444:udp
	seq_timeout   = 15
	tcpflags      = syn
	cmd_timeout   = 10
	start_command = /usr/bin/firewall-cmd --add-port=7777/tcp --zone=public
	stop_command  = /usr/bin/firewall-cmd --remove-port=7777/tcp --zone=public

Sequences can also be defined in files.

Check the knockd(1) man page for all the information.

Further readings

Sources