knock: port knocking service
A port knocking service, i.e. the knockd daemon, hides the services a system has open by adding iptables rules dynamically. A predefined sequence of port numbers is used to "knock on the door", which makes the system open the port of the required service so it can be reached from outside. When the service is no longer needed, another predefined sequence "closes the door": the port is closed again and no longer listened on externally. This further improves the security of the service and of the system.
1 Install knockd
apt install knockd
2 Configure the knockd service
$ vim /etc/knockd.conf
[options]
# UseSyslog
LogFile = /var/knock/knock.log
[openSSH]
# Define the order of the knock sequence
sequence = 7000,8000,9000
# Set the timeout; a value that is too small may cause the sequence to fail
seq_timeout = 30
# Set the command to execute after a successful knock
# On Ubuntu the iptables rule set defaults to dropping everything. A rule added directly is appended after the drop-all rule, so first delete the drop-all rule, then add the rule you want, and finally re-add the drop-all rule.
# command = /sbin/iptables -D INPUT -p tcp --dport 22 -j DROP && /sbin/iptables -A INPUT -s [allowed remote IP] -p tcp --dport 22 -j ACCEPT && /sbin/iptables -A INPUT -p tcp --dport 22 -j DROP
# Alternatively, insert the rule at the top of the chain (-I INPUT 1), as in the example in section 4, so that it is evaluated before any trailing DROP rule.
command = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn
[closeSSH]
sequence = 9000,8000,7000
seq_timeout = 30
command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn
[openHTTPS]
sequence = 12345,54321,24680,13579
seq_timeout = 5
command = /usr/local/sbin/knock_add -i -c INPUT -p tcp -d 443 -f %IP%
tcpflags = syn
3 Start knockd
systemctl start knockd
4 Example
- Configure knock as follows:
$ cat /etc/knockd.conf
[options]
UseSyslog
[openSSH]
sequence = 1356, 6784, 3409
seq_timeout = 5
command = /sbin/iptables -I INPUT 1 -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn
[closeSSH]
sequence = 3409, 6784, 1356
seq_timeout = 5
command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn
- Check the state of the SSH port on the test system:
┌──(kali㉿kali)-[~]
└─$ nmap -A -p 22 192.168.50.71 -oA djinn
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-28 11:03 CST
Nmap scan report for 192.168.50.71
Host is up (0.00071s latency).

PORT   STATE  SERVICE VERSION
22/tcp closed ssh
- Knock with the sequence 1356 6784 3409 to open the door:
┌──(kali㉿kali)-[~]
└─$ knock 192.168.50.71 1356 6784 3409

┌──(kali㉿kali)-[~]
└─$ nmap -A -p 22 192.168.50.71 -oA djinn
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-28 11:03 CST
Nmap scan report for 192.168.50.71
Host is up (0.00051s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 b8:cb:14:15:05:a0:24:43:d5:8e:6d:bd:97:c0:63:e9 (RSA)
|   256 d5:70:dd:81:62:e4:fe:94:1b:65:bf:77:3a:e1:81:26 (ECDSA)
|_  256 6a:2a:ba:9c:ba:b2:2e:19:9f:5c:1c:87:74:0a:25:f0 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
- Knock with the sequence 3409 6784 1356 to close the door:
┌──(kali㉿kali)-[~]
└─$ knock 192.168.50.71 3409 6784 1356

┌──(kali㉿kali)-[~]
└─$ nmap -A -p 22 192.168.50.71 -oA djinn
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-28 11:03 CST
Nmap scan report for 192.168.50.71
Host is up (0.00028s latency).

PORT   STATE  SERVICE VERSION
22/tcp closed ssh
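To make the semantics of the configuration in section 2 and the open/close run above concrete, here is an added example (not knockd's own source code) that parses a knockd.conf-style text into doors, replays constructed SYN arrivals (timestamp, source IP, destination port) through a simplified knock state machine, and reports the iptables command each completed sequence would execute with %IP% substituted. The state machine is an assumption of this example: one attempt per door per source IP, seq_timeout measured from the first knock, and a wrong port or an expired attempt resets progress. The sample config is a constructed copy of the one in section 4 and keeps its "-I INPUT 1" so the ACCEPT rule lands ahead of any trailing DROP rule.

```python
"""
Added example (not knockd's own source): a small model of how knockd turns a
knockd.conf into per-door knock sequences, tracks each source IP's progress
through a sequence under seq_timeout, and substitutes %IP% into the command.
Events are constructed SYN arrivals: (timestamp, source ip, destination port).
"""
import configparser
from dataclasses import dataclass

# Constructed copy of the knockd.conf used in section 4 above.
SAMPLE_CONF = """\
[options]
UseSyslog

[openSSH]
sequence = 1356, 6784, 3409
seq_timeout = 5
command = /sbin/iptables -I INPUT 1 -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn

[closeSSH]
sequence = 3409, 6784, 1356
seq_timeout = 5
command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn
"""


def load_doors(text):
    """Parse knockd.conf-style text into {door name: {sequence, seq_timeout, command}}.
    interpolation=None is required, otherwise configparser rejects the %IP% token."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cp.read_string(text)
    doors = {}
    for name in cp.sections():
        if name == "options":
            continue
        sec = cp[name]
        doors[name] = {
            "sequence": [int(p) for p in sec["sequence"].split(",")],
            "seq_timeout": int(sec["seq_timeout"]),
            "command": sec["command"],
        }
    return doors


@dataclass
class Attempt:
    stage: int = 0        # number of sequence ports matched so far
    started: float = 0.0  # timestamp of the first matching knock


class KnockDaemon:
    """Simplified model (an assumption of this example, not knockd's logic):
    each door tracks one attempt per source IP; a wrong port or an attempt
    that exceeds seq_timeout resets that attempt."""

    def __init__(self, doors):
        self.doors = doors
        self.attempts = {}   # (door name, source ip) -> Attempt
        self.fired = []      # (door name, source ip, command to execute)

    def on_syn(self, ts, src_ip, dport):
        for name, door in self.doors.items():
            seq, timeout = door["sequence"], door["seq_timeout"]
            key = (name, src_ip)
            a = self.attempts.get(key, Attempt())
            if a.stage > 0 and ts - a.started > timeout:
                a = Attempt()    # took longer than seq_timeout: start over
            if dport == seq[a.stage]:
                if a.stage == 0:
                    a.started = ts
                a.stage += 1
                if a.stage == len(seq):
                    # Full sequence seen: this is where knockd would run the command.
                    self.fired.append((name, src_ip, door["command"].replace("%IP%", src_ip)))
                    a = Attempt()
            elif a.stage > 0:
                a = Attempt()    # out-of-order port breaks the attempt
            self.attempts[key] = a


# Constructed SYN events from one client. The first attempt is too slow for
# seq_timeout = 5 and must not open the door.
EVENTS = [
    (0.0, "192.168.50.20", 1356),
    (1.0, "192.168.50.20", 6784),
    (9.0, "192.168.50.20", 3409),   # 9 s after the first knock: expired
    (20.0, "192.168.50.20", 1356),
    (21.0, "192.168.50.20", 6784),
    (22.0, "192.168.50.20", 3409),  # completes openSSH
    (40.0, "192.168.50.20", 3409),
    (41.0, "192.168.50.20", 6784),
    (42.0, "192.168.50.20", 1356),  # completes closeSSH
]


def simulate(events, doors):
    """Feed events in order and return the (door, ip, command) triples triggered."""
    d = KnockDaemon(doors)
    for ts, ip, port in events:
        d.on_syn(ts, ip, port)
    return d.fired


if __name__ == "__main__":
    for door, ip, cmd in simulate(EVENTS, load_doors(SAMPLE_CONF)):
        print(f"{door} from {ip}: {cmd}")
```

Running it prints one line for the openSSH door and one for closeSSH, each carrying the client address in place of %IP%; the slow first attempt produces nothing, which is the behaviour the seq_timeout comment in section 2 warns about when the value is set too low.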