Port knocking is a way to protect a server by keeping firewall ports closed, even the ones you know will be used. A port is opened on demand if, and only if, the connection request is preceded by the secret knock.
Port Knocking Is a “Secret Knock”

In the 1920s, when Prohibition was in full swing, if you wanted to get into a speakeasy you had to know the secret knock and tap it out correctly to get inside.

Port knocking is a modern equivalent. If you want people to have access to services on your computer but don't want to open your firewall to the internet, you can use port knocking. It lets you close the firewall ports that accept incoming connections and have them open automatically when a prearranged pattern of connection attempts is made. The sequence of connection attempts acts as the secret knock. Another secret knock closes the port.

Port knocking is something of a novelty, and it's important to understand that it is an example of security through obscurity, a concept that is fundamentally flawed. The knock is a static secret sent across the network in the clear: the port numbers sit in ordinary TCP headers, so anyone who can observe the traffic (on the same LAN, or anywhere on the path) can record the sequence and replay it later, and nothing in the scheme stops them. Access stays safe only while the sequence is known to a specific group. Once it's out, whether revealed, observed, guessed, or worked out, your security is void. You're better off securing your server in other, stronger ways, like requiring key-based logins for an SSH server.

The most robust approaches to cybersecurity are multilayered, so perhaps port knocking should be one of those layers. The more layers, the better, right? However, you could argue that port knocking adds little (if anything) to a properly hardened, secure system. What it does buy you is modest: the SSH daemon is unreachable by mass scanners until someone knocks, and because the rule knockd adds is restricted to the knocker's IP address, a successful knock opens the port to that one address rather than to the whole internet.

Cybersecurity is a vast and complicated topic, but you shouldn't use port knocking as your only form of defense.
Installing knockd

To demonstrate port knocking, we're going to use it to control port 22, the SSH port. We'll use a tool called knockd. Use apt-get to install this package onto your system if you use Ubuntu or another Debian-based distribution. On other Linux distributions, use your distribution's package management tool instead.

Type the following:

sudo apt-get install knockd
You probably already have the iptables firewall installed on your system, but you might need to install the iptables-persistent package. It handles the automatic loading of saved iptables rules at boot.

Type the following to install it:

sudo apt-get install iptables-persistent

When the IPv4 configuration screen appears, press the space bar to accept the "Yes" option, which saves your current IPv4 rules.

Press the space bar again on the IPv6 configuration screen to accept the "Yes" option and move on.
The following command tells iptables to allow established and ongoing connections to continue. We'll then issue another command to close the SSH port. The order matters: iptables checks rules from the top of the chain down and stops at the first match, so this rule must be in place before the closing rule. If someone is connected by SSH when we close the port (and that includes you, if you are doing this over SSH), we don't want them to be cut off:

sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

This command adds a rule to the firewall that says:

-A: Append the rule to the firewall rules table. That is, add it to the bottom.

INPUT: This is a rule about incoming connections.

-m conntrack: Firewall rules act on network traffic (packets) that matches the criteria in the rule. The -m parameter causes iptables to use extra packet-matching modules; in this case, the one called conntrack works with the kernel's connection-tracking capabilities.

--ctstate ESTABLISHED,RELATED: This specifies the connection states the rule applies to, namely ESTABLISHED and RELATED connections. An established connection is one that's already in progress. A related connection is one made as a consequence of an established connection. Perhaps someone who is connected wants to download a file; that might happen over a new connection initiated by the host.

-j ACCEPT: If the traffic matches the rule, jump to the ACCEPT target in the firewall. In other words, the traffic is accepted and allowed through the firewall.
Now we can issue the command to close the port:

sudo iptables -A INPUT -p tcp --dport 22 -j REJECT

This command adds a rule to the firewall that says:

-A: Append the rule to the firewall rules table, i.e., add it to the bottom, below the ESTABLISHED,RELATED rule we just added, so existing sessions match that rule first.

INPUT: This rule is about incoming connections.

-p tcp: This rule applies to traffic that uses the Transmission Control Protocol.

--dport 22: This rule applies specifically to TCP traffic that targets port 22 (the SSH port).

-j REJECT: If the traffic matches the rule, jump to the REJECT target in the firewall. The traffic is not permitted through, and the sender gets an ICMP port-unreachable error back (DROP would discard it silently instead).
We must start the netfilter-persistent daemon. We can do so with this command:

sudo systemctl start netfilter-persistent

We want netfilter-persistent to go through a save and reload cycle, so it stores the current iptables rules (in /etc/iptables/rules.v4) and loads them back, which is also what will happen at boot.

Type the following commands:

sudo netfilter-persistent save
sudo netfilter-persistent reload

You've now installed the utilities, and the SSH port is closed (hopefully without terminating anyone's connection). Now it's time to configure the secret knock.
Configuring knockd

There are two files you edit to configure knockd. The first is the knockd configuration file:

sudo gedit /etc/knockd.conf

The gedit editor opens with the knockd configuration file loaded.

We'll edit this file to suit our needs. The sections we're interested in are "openSSH" and "closeSSH." Each section contains the following four entries:
sequence: The sequence of ports someone must access to open or close port 22. The default ports are 7000, 8000, and 9000 to open it, and 9000, 8000, and 7000 to close it. You can change these or add more ports to the list. For our purposes, we'll stick with the defaults.

seq_timeout: The time window, in seconds, within which the whole sequence must arrive for the open or close action to trigger.

command: The command sent to the iptables firewall when the open or close action is triggered. These commands either add a rule to the firewall (to open the port) or remove it (to close the port).

tcpflags: The type of packet each port must receive in the secret sequence. A SYN (synchronize) packet is the first packet of a TCP connection request, the opening step of the three-way handshake.

The "openSSH" section can be read as "a TCP connection request must be made to ports 7000, 8000, and 9000, in that order and within 5 seconds, for the command to open port 22 to be sent to the firewall."

The "closeSSH" section can be read as "a TCP connection request must be made to ports 9000, 8000, and 7000, in that order and within 5 seconds, for the command to close port 22 to be sent to the firewall."
The Firewall Rules

The "command" entries in the openSSH and closeSSH sections are the same except for one parameter. This is how they're made up:

-A: Append the rule to the bottom of the firewall rules list (for the openSSH command).

-D: Delete the matching rule from the firewall rules list (for the closeSSH command).

INPUT: This rule is concerned with incoming network traffic.

-s %IP%: The IP address of the device that performed the knock. knockd substitutes the knocker's address when it runs the command, so the port is opened only for that address, not for everyone.

-p: Network protocol; in this case, it's TCP.

--dport: The destination port; in our example, it's port 22.

-j ACCEPT: Jump to the ACCEPT target within the firewall. The packet is allowed through, and no further rules in the chain are checked for it.
The knockd Configuration File Edits

We make two edits to the file (highlighted in red in the original article's screenshot):

We extend "seq_timeout" to 15 seconds. This is generous, but if someone's manually firing in connection requests, they might need this much time.

In the "openSSH" section, we change the -A (append) option in the command to -I (insert). This inserts the new firewall rule at the top of the INPUT chain. If you leave the -A option, the rule is appended to the bottom of the list.

Incoming traffic is tested against each firewall rule in the list from the top down, and the first match wins. We already have a rule that rejects port 22. So if incoming traffic meets that rule before it reaches the rule that allows the traffic, the connection is refused; if it meets the new rule first, the connection is allowed. That is why the open rule must be inserted at the top rather than appended.

The close command removes the rule added by openSSH from the firewall rules. SSH traffic is once more handled by the pre-existing "port 22 is closed" rule. Note that the open rule stays in place until the closing knock arrives; if the client never sends it, the knocker's address remains allowed indefinitely.

After you make these edits, save the configuration file.
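Because everything above hinges on rule order (the ESTABLISHED,RELATED rule above the REJECT rule, and knockd's per-address ACCEPT rule above it as well), here is a check worth running after the baseline setup and again after a knock. It is an added example, not code from the original article: it reads the output of `sudo iptables -S INPUT` saved to a file, and the sample listing embedded in it is constructed to look like that output after a knock from 192.168.4.23, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the original article): sanity-check the INPUT
# chain's ordering around port 22 using a saved `iptables -S INPUT` listing.
# iptables evaluates rules top-down and stops at the first match, so the
# per-IP ACCEPT rule that knockd inserts only works if it sits above the
# blanket `--dport 22 -j REJECT` rule.

# Line number of the first rule in file $1 matching pattern $2, or 0 if none.
rule_line() {
    n=$(grep -n -- "$2" "$1" | head -n 1 | cut -d: -f1)
    echo "${n:-0}"
}

# Exit 0 when: the port-22 REJECT rule exists, the conntrack ESTABLISHED
# rule precedes it, and every per-source port-22 ACCEPT rule (the ones
# knockd adds with `-s %IP%`) precedes it too. Otherwise explain and exit 1.
ssh_chain_ok() {
    listing=$1
    reject=$(rule_line "$listing" '--dport 22 -j REJECT')
    established=$(rule_line "$listing" 'ctstate.*ESTABLISHED.* -j ACCEPT')
    [ "$reject" -gt 0 ] || { echo "no port-22 REJECT rule: SSH is not closed" >&2; return 1; }
    [ "$established" -gt 0 ] && [ "$established" -lt "$reject" ] || {
        echo "ESTABLISHED,RELATED rule missing or below the REJECT rule (line $reject)" >&2
        return 1
    }
    # The while loop runs in a subshell; its exit status becomes the function's.
    grep -n -- '--dport 22 -j ACCEPT' "$listing" | cut -d: -f1 | while read -r line; do
        [ "$line" -lt "$reject" ] || {
            echo "ACCEPT for port 22 on line $line is shadowed by REJECT on line $reject" >&2
            exit 1
        }
    done
}

# Print the source addresses currently allowed through to port 22, one per line.
ssh_open_sources() {
    sed -n 's/.* -s \([^ ]*\) .*--dport 22 -j ACCEPT.*/\1/p' "$1"
}

# Constructed sample of `iptables -S INPUT` after a successful knock from
# 192.168.4.23 (the -I rule lands at the top of the chain).
sample_listing() {
    cat <<'EOF'
-P INPUT ACCEPT
-A INPUT -s 192.168.4.23/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j REJECT --reject-with icmp-port-unreachable
EOF
}

# Demo on the constructed sample (runs when the file is executed).
tmp=$(mktemp)
sample_listing > "$tmp"
if ssh_chain_ok "$tmp"; then
    echo "chain order OK; port 22 currently open for: $(ssh_open_sources "$tmp" | tr '\n' ' ')"
fi
rm -f "$tmp"
```

On the real host, save the chain with `sudo iptables -S INPUT > /tmp/input.rules`, source the script, and run `ssh_chain_ok /tmp/input.rules`; after the closing knock, `ssh_open_sources /tmp/input.rules` should print nothing.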
The knockd Control File Edits

The knockd control file is altogether simpler. Before we dive in and edit it, though, we need to know the name of our network interface; to find it, type this command:

ip addr

The interface this machine uses to research this article is called enp0s3. Make a note of the name of your interface.

The following command edits the knockd control file:

sudo gedit /etc/default/knockd

Here's the knockd file in gedit.

The few edits we need to make (highlighted in red in the original article's screenshot) are:

We change the "START_KNOCKD=" entry from 0 to 1.

We also remove the hash (#) from the start of the "KNOCKD_OPTS=" entry and replace "eth1" with the name of our network interface, enp0s3. Of course, if your network interface is eth1, you won't change it.
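Since the screenshots of both files are not reproduced here, the following script writes the finished versions of /etc/knockd.conf and /etc/default/knockd with the edits from the two sections above applied, and checks that they are present. It is an added example, not code from the original article or the knockd project. It assumes the Debian package's default section layout (the four entries described earlier) and takes the interface name as an argument; the root directory argument lets you preview the files in a scratch directory before writing the real ones as root.

```shell
#!/bin/sh
# Added example (not from the original article): write /etc/knockd.conf and
# /etc/default/knockd with the edits described above. $1 is the root to write
# under (a scratch directory to preview, or / as root for the real files);
# $2 is the interface knockd should listen on, e.g. enp0s3.
# Section contents are the Debian package defaults with seq_timeout raised
# from 5 to 15 and the open command's -A switched to -I.

write_knockd_conf() {
    root=$1
    mkdir -p "$root/etc"
    cat > "$root/etc/knockd.conf" <<'EOF'
[options]
    UseSyslog

[openSSH]
    sequence    = 7000,8000,9000
    seq_timeout = 15
    command     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn

[closeSSH]
    sequence    = 9000,8000,7000
    seq_timeout = 15
    command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn
EOF
}

write_knockd_defaults() {
    root=$1; iface=$2
    mkdir -p "$root/etc/default"
    cat > "$root/etc/default/knockd" <<EOF
# control if we start knockd at init or not
# 1 = start
# anything else = don't start
START_KNOCKD=1

# command line options
KNOCKD_OPTS="-i $iface"
EOF
}

# Exit 0 only if all four edits are present: both timeouts are 15, the open
# rule is inserted (-I) rather than appended, the daemon is enabled, and it
# is bound to the expected interface.
verify_knockd_edits() {
    root=$1; iface=$2
    [ "$(grep -c 'seq_timeout *= *15$' "$root/etc/knockd.conf")" -eq 2 ] &&
    grep -q -- 'iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT' "$root/etc/knockd.conf" &&
    grep -q '^START_KNOCKD=1$' "$root/etc/default/knockd" &&
    grep -q "^KNOCKD_OPTS=\"-i $iface\"$" "$root/etc/default/knockd"
}

# Demo on a scratch directory (runs when the file is executed directly).
scratch=$(mktemp -d)
write_knockd_conf "$scratch"
write_knockd_defaults "$scratch" enp0s3
verify_knockd_edits "$scratch" enp0s3 && echo "knockd files written under $scratch with all edits applied"
rm -rf "$scratch"
```

Run `write_knockd_conf /` and `write_knockd_defaults / enp0s3` as root to write the real files. If you would rather not depend on the client remembering the closing knock, knockd also supports a single section with start_command, cmd_timeout and stop_command, which runs the closing command itself after the given number of seconds.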
The Proof Is in the Pudding

It's time to see if this works. We'll start the knockd daemon with this command:

sudo systemctl start knockd

Now we'll jump on another machine and try to connect. We installed the knockd package on that computer too, not because we want to set up port knocking there, but because the knockd package provides another tool called knock. We'll use this machine to fire in our secret sequence and do the knocking for us.

Use the following command to send your secret sequence of connection requests to the ports on the port knocking host, which has the IP address 192.168.4.24:

knock 192.168.4.24 7000 8000 9000 -d 500

This tells knock to target the computer at IP address 192.168.4.24 and fire a connection request at ports 7000, 8000, and 9000 in turn, with a -d (delay) of 500 milliseconds between them. The whole sequence takes about a second, comfortably inside the 15-second seq_timeout we configured.
A user called "dave" then makes an SSH request to 192.168.4.24:

ssh dave@192.168.4.24

His connection is accepted, he enters his password, and his remote session begins. His command prompt changes from dave@nostromo to dave@howtogeek. To log out of the remote computer, he types:

exit

His command prompt returns to his local computer. He uses knock once more, and this time it targets the ports in reverse order to close the SSH port on the remote computer:

knock 192.168.4.24 9000 8000 7000 -d 500

Admittedly, this wasn't a particularly fruitful remote session, but it demonstrates the opening and closing of the port via port knocking and fits in a single screenshot.

So, what did this look like from the other side? The system administrator on the port knocking host uses the following command to watch new entries as they arrive in the system log:

tail -f /var/log/syslog
- You see three openSSH entries. These are raised as each port is targeted by the remote knock utility.
- When all three stages of the trigger sequence are met, an entry that says "OPEN SESAME" is logged.
- The command to insert the rule into the iptables rules list is sent. It permits access via SSH on port 22 from the specific IP address of the PC that gave the correct secret knock (192.168.4.23).
- The user "dave" connects for a few seconds only, and then disconnects.
- You see three closeSSH entries. These are raised as each port is targeted by the remote knock utility; together they tell the port knocking host to close port 22.
- After all three stages are triggered, we get the "OPEN SESAME" message again. The command is sent to the firewall to remove the rule. (Why not "CLOSE SESAME" when it's closing the port? Who knows?)

Now the only rule in the iptables rules list regarding port 22 is the one we typed at the beginning to close that port. So port 22 is now closed again. You can confirm it with sudo iptables -S INPUT, which lists the chain's rules in the order they are evaluated.
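Watching syslog scroll by is fine for one knock, but the same log also answers the questions an operator actually has: which addresses completed the sequence, which started it and never finished (a port scanner walking the ports looks like that), and whether anyone opened the port and never closed it. The script below summarises that per source address. It is an added example, not code from the original article or from knockd; it assumes knockd's syslog lines take the form `<timestamp> <host> knockd: <ip>: <section>: Stage N` and `... <ip>: <section>: OPEN SESAME`, as described above, and the sample log embedded in it is constructed, not a real capture.

```shell
#!/bin/sh
# Added example (not from the original article): summarise knockd's syslog
# lines per source address. Assumed line layout (a "[pid]" after knockd is
# tolerated):
#   <timestamp> <host> knockd: <ip>: <section>: Stage N
#   <timestamp> <host> knockd: <ip>: <section>: OPEN SESAME
#   <timestamp> <host> knockd: <section>: running command: <iptables ...>

# Constructed sample syslog excerpt: one good open/close from 192.168.4.23
# and two isolated Stage 1 hits from 10.0.0.9 (something hit port 7000 but
# never completed the sequence).
sample_syslog() {
    cat <<'EOF'
Mar  3 10:15:01 howtogeek knockd: 192.168.4.23: openSSH: Stage 1
Mar  3 10:15:01 howtogeek knockd: 192.168.4.23: openSSH: Stage 2
Mar  3 10:15:02 howtogeek knockd: 192.168.4.23: openSSH: Stage 3
Mar  3 10:15:02 howtogeek knockd: 192.168.4.23: openSSH: OPEN SESAME
Mar  3 10:15:02 howtogeek knockd: openSSH: running command: /sbin/iptables -I INPUT -s 192.168.4.23 -p tcp --dport 22 -j ACCEPT
Mar  3 10:15:40 howtogeek knockd: 192.168.4.23: closeSSH: Stage 1
Mar  3 10:15:40 howtogeek knockd: 192.168.4.23: closeSSH: Stage 2
Mar  3 10:15:41 howtogeek knockd: 192.168.4.23: closeSSH: Stage 3
Mar  3 10:15:41 howtogeek knockd: 192.168.4.23: closeSSH: OPEN SESAME
Mar  3 10:15:41 howtogeek knockd: closeSSH: running command: /sbin/iptables -D INPUT -s 192.168.4.23 -p tcp --dport 22 -j ACCEPT
Mar  3 10:20:00 howtogeek knockd: 10.0.0.9: openSSH: Stage 1
Mar  3 10:20:30 howtogeek knockd: 10.0.0.9: openSSH: Stage 1
EOF
}

# One line per source: completed opens and closes, sequences started (Stage 1)
# but never completed, and whether an open was never followed by a close.
knock_audit() {
    awk '
    /knockd(\[[0-9]+\])?: / {
        n = split($0, p, ": ")
        if (n < 4 || p[2] !~ /^[0-9][0-9.]*$/) next   # skip "running command" lines
        ip = p[2]; section = p[3]; event = p[4]
        seen[ip] = 1
        if (event == "Stage 1") started[ip]++
        if (event == "OPEN SESAME") {
            completed[ip]++
            if (section == "openSSH") opens[ip]++
            if (section == "closeSSH") closes[ip]++
        }
    }
    END {
        for (ip in seen) {
            partial = started[ip] - completed[ip]
            left = (opens[ip] + 0 > closes[ip] + 0) ? "yes" : "no"
            printf "%s opens=%d closes=%d partial=%d left_open=%s\n", ip, opens[ip] + 0, closes[ip] + 0, partial, left
        }
    }' "$1" | sort
}

# Sources whose port-22 ACCEPT rule should still be in place according to the log.
left_open_sources() {
    knock_audit "$1" | awk '$5 == "left_open=yes" { print $1 }'
}

# Demo on the constructed sample (runs when the file is executed).
log=$(mktemp)
sample_syslog > "$log"
knock_audit "$log"
rm -f "$log"
```

On the real host, `knock_audit /var/log/syslog` gives the summary and `left_open_sources /var/log/syslog` lists addresses that opened the port and never closed it; compare that list against `sudo iptables -S INPUT`, since a rule the log says is open should appear there and nothing else should.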
Knock It on the Head

That's port knocking's parlor trick. Treat it as a diversion and don't do it in the real world. Or, if you must, don't rely on it as your only form of security.

Translated from: https://www.howtogeek.com/442733/how-to-use-port-knocking-on-linux-and-why-you-shouldnt/