knock：端口敲门服务

knock：端口敲门服务

端口敲门服务，即：knockd服务。该服务通过动态的添加iptables规则来隐藏系统开启的服务，使用自定义的一系列序列号来“敲门”，使系统开启需要访问的服务端口，才能对外访问。不使用时，再使用自定义的序列号来“关门”，将端口关闭，不对外监听。进一步提升了服务和系统的安全性。

1 安装knockd

apt install knockd

2 配置knockd服务

$ vim /etc/knockd.conf
[options]
        # UseSyslog
        LogFile = var/knock/knock.log

[openSSH]
        # 定义敲门暗号顺序
        sequence    = 7000,8000,9000
        # 设置超时时间，时间太小可能会出错
        seq_timeout = 30
        # 设置敲门成功后所执行的命令
　　　　 # 在ubuntu系统iptables规则默认是禁止所有的规则，如果直接添加规则默认是在drop all规则之后，因此需要先删除drop all的规则再添加所要设置的规则，最后重新添加drop all的规则。
　　　　 # command = /sbin/iptables -D INPUT -p tcp --dport 22 -j DROP && /sbin/iptables -A INPUT -s [允许远程的IP] -p tcp --dport 22 -j ACCEPT && /sbin/iptables -A INPUT -p tcp --dport 22 -j DROP
        command     = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
        tcpflags    = syn

[closeSSH]
        sequence    = 9000,8000,7000
        seq_timeout = 30
        command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
        tcpflags    = syn

[openHTTPS]
        sequence    = 12345,54321,24680,13579
        seq_timeout = 5
        command     = /usr/local/sbin/knock_add -i -c INPUT -p tcp -d 443 -f %IP%
        tcpflags    = syn

3 启动knockd

systemctl start knockd

4 实例

1. 配置knock如下：

   $ cat /etc/knockd.conf 
   [options]
           UseSyslog
   
   [openSSH]
           sequence    = 1356, 6784, 3409
           seq_timeout = 5
           command     = /sbin/iptables -I INPUT 1 -s %IP% -p tcp --dport 22 -j ACCEPT
           tcpflags    = syn
   
   [closeSSH]
           sequence    = 3409, 6784, 1356
           seq_timeout = 5
           command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
           tcpflags    = syn
   

2. 查看测试系统的SSH端口开启状态

   ┌──(kali㉿kali)-[~]
   └─$ nmap -A -p 22 192.168.50.71 -oA djinn   
   Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-28 11:03 CST
   Nmap scan report for 192.168.50.71
   Host is up (0.00071s latency).
   
   PORT   STATE  SERVICE VERSION
   22/tcp closed ssh
   

3. 使用1356 6784 3409暗号敲门

   ┌──(kali㉿kali)-[~]
   └─$ knock 192.168.50.71 1356 6784 3409
   ┌──(kali㉿kali)-[~]
   └─$ nmap -A -p 22 192.168.50.71 -oA djinn
   Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-28 11:03 CST
   Nmap scan report for 192.168.50.71
   Host is up (0.00051s latency).
   
   PORT   STATE SERVICE VERSION
   22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
   | ssh-hostkey: 
   |   2048 b8:cb:14:15:05:a0:24:43:d5:8e:6d:bd:97:c0:63:e9 (RSA)
   |   256 d5:70:dd:81:62:e4:fe:94:1b:65:bf:77:3a:e1:81:26 (ECDSA)
   |_  256 6a:2a:ba:9c:ba:b2:2e:19:9f:5c:1c:87:74:0a:25:f0 (ED25519)
   Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
   

4. 使用3409 6784 1356 暗号关门

   ┌──(kali㉿kali)-[~]
   └─$ knock 192.168.50.71 3409 6784 1356
   ┌──(kali㉿kali)-[~]
   └─$ nmap -A -p 22 192.168.50.71 -oA djinn
   Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-28 11:03 CST
   Nmap scan report for 192.168.50.71
   Host is up (0.00028s latency).
   
   PORT   STATE  SERVICE VERSION
   22/tcp closed ssh