knock:端口敲门服务

knock:端口敲门服务

端口敲门服务,即:knockd服务。该服务通过动态的添加iptables规则来隐藏系统开启的服务,使用自定义的一系列序列号来“敲门”,使系统开启需要访问的服务端口,才能对外访问。不使用时,再使用自定义的序列号来“关门”,将端口关闭,不对外监听。进一步提升了服务和系统的安全性。

1 安装knockd

apt install knockd

2 配置knockd服务

$ vim /etc/knockd.conf
[options]
        # UseSyslog
        LogFile = var/knock/knock.log

[openSSH]
        # 定义敲门暗号顺序
        sequence    = 7000,8000,9000
        # 设置超时时间,时间太小可能会出错
        seq_timeout = 30
        # 设置敲门成功后所执行的命令
     # 在ubuntu系统iptables规则默认是禁止所有的规则,如果直接添加规则默认是在drop all规则之后,因此需要先删除drop all的规则再添加所要设置的规则,最后重新添加drop all的规则。
     # command = /sbin/iptables -D INPUT -p tcp --dport 22 -j DROP && /sbin/iptables -A INPUT -s [允许远程的IP] -p tcp --dport 22 -j ACCEPT && /sbin/iptables -A INPUT -p tcp --dport 22 -j DROP
        command     = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
        tcpflags    = syn

[closeSSH]
        sequence    = 9000,8000,7000
        seq_timeout = 30
        command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
        tcpflags    = syn

[openHTTPS]
        sequence    = 12345,54321,24680,13579
        seq_timeout = 5
        command     = /usr/local/sbin/knock_add -i -c INPUT -p tcp -d 443 -f %IP%
        tcpflags    = syn

3 启动knockd

systemctl start knockd

4 实例

  1. 配置knock如下:

    $ cat /etc/knockd.conf 
    [options]
            UseSyslog
    
    [openSSH]
            sequence    = 1356, 6784, 3409
            seq_timeout = 5
            command     = /sbin/iptables -I INPUT 1 -s %IP% -p tcp --dport 22 -j ACCEPT
            tcpflags    = syn
    
    [closeSSH]
            sequence    = 3409, 6784, 1356
            seq_timeout = 5
            command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
            tcpflags    = syn
    
  2. 查看测试系统的SSH端口开启状态

    ┌──(kali㉿kali)-[~]
    └─$ nmap -A -p 22 192.168.50.71 -oA djinn   
    Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-28 11:03 CST
    Nmap scan report for 192.168.50.71
    Host is up (0.00071s latency).
    
    PORT   STATE  SERVICE VERSION
    22/tcp closed ssh
    
  3. 使用1356 6784 3409暗号敲门

    ┌──(kali㉿kali)-[~]
    └─$ knock 192.168.50.71 1356 6784 3409
    ┌──(kali㉿kali)-[~]
    └─$ nmap -A -p 22 192.168.50.71 -oA djinn
    Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-28 11:03 CST
    Nmap scan report for 192.168.50.71
    Host is up (0.00051s latency).
    
    PORT   STATE SERVICE VERSION
    22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey: 
    |   2048 b8:cb:14:15:05:a0:24:43:d5:8e:6d:bd:97:c0:63:e9 (RSA)
    |   256 d5:70:dd:81:62:e4:fe:94:1b:65:bf:77:3a:e1:81:26 (ECDSA)
    |_  256 6a:2a:ba:9c:ba:b2:2e:19:9f:5c:1c:87:74:0a:25:f0 (ED25519)
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
    
  4. 使用3409 6784 1356 暗号关门

    ┌──(kali㉿kali)-[~]
    └─$ knock 192.168.50.71 3409 6784 1356
    ┌──(kali㉿kali)-[~]
    └─$ nmap -A -p 22 192.168.50.71 -oA djinn
    Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-28 11:03 CST
    Nmap scan report for 192.168.50.71
    Host is up (0.00028s latency).
    
    PORT   STATE  SERVICE VERSION
    22/tcp closed ssh
    
posted @ 2022-03-28 11:12  f_carey  阅读(3238)  评论(7编辑  收藏  举报