Hetzner - DokuWiki

Knock Knock/en

Okay, I'm posting a brand-new how-to for this thing.

I think iptables kernel module is pretty much clear, right? If it isn't, go ahead and do some research first on iptables and learn what they are all about.

Install iptables – now we can get going.

iptables -P INPUT ACCEPT

iptables -F
iptables -X

iptables -N open
iptables -N interfaces

iptables -A INPUT -p icmp -j ACCEPT

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

iptables -A INPUT -j interfaces
iptables -A INPUT -j open

iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable

iptables -P INPUT DROP

iptables -P FORWARD DROP


iptables -A interfaces -i lo -j ACCEPT

iptables -A open -p tcp --dport 80 -j ACCEPT

By doing that, we first delete the firewall rules etc. just in case there are any there and set up ours instead.

Everything that follows should be added to open, such as the ssh command. For example:

iptables -A open -p tcp -m tcp --dport 3690 -j ACCEPT

The basic framework for iptables is now there. I don't know exactly how it is with other distributions, but make sure that iptables is automatically started when you boot your computer and that everything gets saved during a shutdown! This way, the saved state can be loaded again during the boot process.

Now we need the knockd, which is probably included in almost all distributions. But if it isn't, go here: http://www.zeroflux.org/knock/

Now we can do some configuring:

        logfile = /var/log/knockd.log

        sequence      = 5555,7777,9999
        seq_timeout   = 15
        tcpflags      = syn
        start_command = /sbin/iptables -A open -s %IP% -p tcp --dport 22 -j ACCEPT
        cmd_timeout   = 10
        stop_command  = /sbin/iptables -D open -s %IP% -p tcp --dport 22 -j ACCEPT

The numbers that are assigned to "sequence" are the ports that need to be knocked on. In this example, if you knock on ports 5555, 7777, and 9999, the SSH port 22 will be opened for your IP address for a few seconds. After a few seconds, it will be closed again.

You can make your knock more secure with a DynDNS address so that it will only open for one specific IP. (It's a good idea to test this all locally first. Or you need to be very sure that it works before your end your SSH session; otherwise, you won't be able to get back in.)

knock <host> 5555 7777 9999
ssh user@host

That's the final result then.

Naturally, you can make the sshd more secure yourself by using keys and by prohibiting root logins (which is really standard…), empty passwords, and so on.

This entry was transferred from Hetznerforum and was written by idle.

© 2018. Hetzner Online GmbH. Alle Rechte vorbehalten.