Implementing Firewall Protection via Iptables Port Knocking

Strengthening server security by leveraging port knocking techniques in conjunction with iptables firewall functionality.

This time, I’d like to share some tips on how to enhance server security by utilizing the technique of port knocking. Port knocking is a method for opening a specific port by sending packets to predetermined ports beforehand.

Q: What’s the purpose?

A: The objective is to thwart attacks from penetration testers who conduct port scanning to identify services that might be exploitable by them. If the penetration tester fails to knock on the previously designated ports in sequence, the protected port will remain inaccessible.

Q: Can you elaborate?

A: For instance, suppose we have an SSH service listening on port 22, while the penetration tester has a 0-day remote root exploit for OpenSSH. Therefore, our server’s security is at risk due to the open port 22. By employing the technique of port knocking, only those who know which ports to “hit” first can unlock and access port 22.

To clarify, I’ll provide an example from my previous thread about Lawang Sewu CTF (http://devilzc0de.org/forum/thread-20071.html). The second challenge involves port knocking.

This port knocking technique can be configured using the iptables firewall, which is typically already possessed by the Linux kernel on most Linux distributions.

On this occasion, I’ll share how to configure port knocking with iptables.

Disclaimer: By following this tutorial, the author have no responsibility for any errors or loss of remote access to the server.

VIDEO TUTORIAL : http://youtu.be/0zFQocf7C_0.

What you need for this tutorial:

  • Server & Client with Linux OS (in this tutorial, I’m using CentOS)
  • iptables (server firewall)
  • nmap (for scanning and knocking ports from the client)
  • Basic knowledge of iptables

Case Study:

I have a server with IP address 192.168.0.100, and I’m using SSH for remote management of that server. The default SSH port for remote access is 22. I want to close port 22 and only make it available when needed.

This is where we use the technique of port knocking, which I’ve already set up so that users need to send a TCP packet to, for example, ports 1111, then 2222, then 3333, and finally 4444 before port 22 (SSH) becomes accessible.

  • Server IP: 192.168.0.100.
  • OS: CentOS.
  • SSH Port: 22.
  • Port Knocking Scheme: TCP packet to ports 1111 => 2222 => 3333 => 4444 => Port 22 becomes accessible.

By default, the CentOS server’s firewall has already opened port 22 for SSH.

Port 22 open

So we need to reconfigure the iptables firewall. We can use the command iptables-save > iptables.rules to perform a dump/back up of the firewall rules.

Let’s take a look at the new firewall configuration that we just dumped, which is roughly as follows (for CentOS):

1-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
2-A INPUT -p icmp -j ACCEPT
3-A INPUT -i lo -j ACCEPT
4-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
5-A INPUT -j REJECT --reject-with icmp-host-prohibited
6-A FORWARD -j REJECT --reject-with icmp-host-prohibited

iptables dump config

Note the following firewall rules:

1-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT

It appears that iptables allows access through port 22.

Let’s create an iptables rule according to our wishes in this case study, namely we want to close port 22 and only make it accessible when ports 1111, 2222, 3333, and 4444 receive a sequential TCP packet.

Copy the previous iptables.rules file to iptables-new.rules, then edit:

1cp iptables.rules iptables-new.rules
2vi iptables-new.rules

and edit it as shown below:

iptables port knocking rules

In other words, I opened port 80, then added a new firewall rule that dynamically opens port 22 for 15 seconds if ports 1111, 2222, 3333, and 4444 receive sequential TCP packets within a 5-second timeframe.

After it’s deemed okay, we restore the new firewall configuration using iptables-restore, then restart the iptables service.

1iptables-restore < iptables-new.rules
2service iptables save
3service iptables restart

Then, to ensure the new rules are running, use the command:

1iptables -L -n

iptables rules list

Now that’s done, let’s try checking port 22 on our server from our computer using nmap, and it will show that the port is closed by the firewall.

1nmap -Pn 192.168.0.100 -p22

nmap port 22

After that, we’ll create a simple bash script to perform port knocking.

1#!/bin/bash
2HOST=$1
3shift
4for ARG in "$@"
5do
6    nmap -PN --host_timeout 201 --max-retries 0 -p $ARG $HOST
7done

Save it as knock.sh and then run chmod +x so that the script can be executed.

Usage:

1# ./knock.sh [ip server] [list port]
2# Example:
3./knock.sh 192.168.0.100 1111 2222 3333 4444

By knocking on ports 1111, 2222, 3333, and 4444 in sequence, the port 22 we specified in the firewall rules will become accessible. This way, you can establish an SSH connection to the server.

nmap port knocking

That’s it for this port knocking tutorial.

Feel free to develop it further on your own with creativity, using a combination of protocols such as TCP, UDP, or even ICMP.

Reference: