Port Knocking

The Port Knocking feature configures iptables so that a sensitive port is opened to a connecting IP address only after that address has sent a specific sequence of "knocks" to other ports. For more information on port knocking see http://www.portknocking.org/

• This feature does not work on servers that do not have the iptables module ipt_recent loaded.
• VPS server admins should check with their VPS host provider that the iptables module is included.

The feature requires a timeout and a randomly chosen list of at least 3 unused ports to serve as knock ports. The knock ports must not be in use by any service and must not appear in TCP_IN (or UDP_IN for UDP packets). The port to be opened must also not appear in TCP_IN (or UDP_IN for UDP packets).

Format

openport;protocol;timeout;kport1;kport2;kport3[...;kportN]

Example

PORTKNOCKING = "22;TCP;20;100;200;300;400"
  1. Opens port 22 TCP to new connections from the connecting IP address for 20 seconds once that address has accessed ports 100, 200, 300 and 400 in that order (i.e. knocked each with a SYN packet), with each knock less than 20 seconds after the previous one.
  2. A connection to port 22 that was established within those 20 seconds remains open after they expire until it is closed, but no further new connections are accepted.
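To make the format and the rules above concrete, here is an added example (not CSF code) that parses a PORTKNOCKING value, checks that neither the open port nor the knock ports appear in TCP_IN or UDP_IN, and models the per-IP knock sequence with the timeout described: each knock must arrive within the timeout of the previous one, and a completed sequence admits new connections to the open port for the timeout period. The parse_port_list helper, the KnockTracker class and its handling of an out-of-order knock (restart the sequence) are assumptions of this model; the page does not specify how stray packets are treated in the kernel. The IP addresses and TCP_IN list used in the demo are constructed sample values.

```python
"""Parse, validate and simulate a CSF-style PORTKNOCKING setting.
Added example: this is a model of the documented behaviour, not CSF's own code."""

from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class KnockRule:
    open_port: int
    protocol: str               # "TCP" or "UDP"
    timeout: int                # seconds between knocks and for the open window
    knock_ports: Tuple[int, ...]


def parse_portknocking(value: str) -> KnockRule:
    """Parse 'openport;protocol;timeout;kport1;kport2;kport3[...;kportN]'."""
    fields = [f.strip() for f in value.strip().strip('"').split(";")]
    if len(fields) < 6:
        raise ValueError("need openport, protocol, timeout and at least 3 knock ports")
    open_port, proto, timeout, *knocks = fields
    proto = proto.upper()
    if proto not in ("TCP", "UDP"):
        raise ValueError(f"protocol must be TCP or UDP, got {proto!r}")
    ports = [int(p) for p in (open_port, *knocks)]
    if any(not 1 <= p <= 65535 for p in ports):
        raise ValueError("ports must be in 1..65535")
    timeout_s = int(timeout)
    if timeout_s <= 0:
        raise ValueError("timeout must be a positive number of seconds")
    knock_ports = tuple(ports[1:])
    if len(set(knock_ports)) != len(knock_ports) or ports[0] in knock_ports:
        raise ValueError("knock ports must be distinct and differ from the open port")
    return KnockRule(ports[0], proto, timeout_s, knock_ports)


def parse_port_list(spec: str) -> Set[int]:
    """Expand a CSF-style port list such as '20,21,22,30000:35000' (assumed syntax)."""
    ports: Set[int] = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if ":" in item:
            lo, hi = (int(x) for x in item.split(":", 1))
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(item))
    return ports


def check_against_allow_lists(rule: KnockRule, tcp_in: str, udp_in: str) -> List[str]:
    """The open port and every knock port must be absent from TCP_IN (or UDP_IN)."""
    allowed = parse_port_list(tcp_in if rule.protocol == "TCP" else udp_in)
    return [f"port {p} already listed in {rule.protocol}_IN"
            for p in (rule.open_port, *rule.knock_ports) if p in allowed]


class KnockTracker:
    """Per-IP state machine approximating what ipt_recent tracks in the kernel."""

    def __init__(self, rule: KnockRule) -> None:
        self.rule = rule
        # ip -> (knocks completed so far, time of the last knock)
        self.stage: Dict[str, Tuple[int, Optional[float]]] = {}
        # ip -> time at which the full sequence was completed
        self.opened: Dict[str, float] = {}

    def syn(self, ip: str, port: int, now: float) -> bool:
        """Record one SYN from ip to port. Returns True when the sequence completes."""
        stage, last = self.stage.get(ip, (0, None))
        if last is not None and now - last > self.rule.timeout:
            stage = 0                      # too slow: the sequence starts over
        knocks = self.rule.knock_ports
        if port == knocks[stage]:
            stage += 1                     # the expected next knock
        elif port == knocks[0]:
            stage = 1                      # assumption: first knock restarts the sequence
        else:
            stage = 0                      # assumption: any other port resets it
        if stage == len(knocks):
            self.opened[ip] = now
            self.stage.pop(ip, None)
            return True
        self.stage[ip] = (stage, now)
        return False

    def new_connection_allowed(self, ip: str, port: int, now: float) -> bool:
        """Would a NEW connection from ip to port be accepted at time now?"""
        if port != self.rule.open_port:
            return False
        opened_at = self.opened.get(ip)
        return opened_at is not None and now - opened_at <= self.rule.timeout


if __name__ == "__main__":
    rule = parse_portknocking('"22;TCP;20;100;200;300;400"')   # the page's example
    # Constructed sample: a TCP_IN that still lists 22, which the rules forbid.
    print(check_against_allow_lists(rule, "20,21,22,25,80,443", "53"))
    tracker = KnockTracker(rule)
    for t, p in ((0, 100), (5, 200), (10, 300), (15, 400)):
        print(t, p, tracker.syn("203.0.113.5", p, t))
    print(tracker.new_connection_allowed("203.0.113.5", 22, 30.0))   # within 20 s
    print(tracker.new_connection_allowed("203.0.113.5", 22, 36.0))   # window expired
```

Running the module shows the allow-list conflict that must be fixed before enabling the feature, then the four knocks completing the sequence and the 20-second window for port 22 opening and closing for that address alone.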

• IP addresses do not appear in any of the iptables chains when using this module. To see which addresses are at which stage of the knock you must read the /proc/net/ipt_recent/* files, as described in the module documentation.
• Restarting CSF resets the ipt_recent tables and removes all of the knocks in progress.
• By default ipt_recent tracks only the last 100 IP addresses. The tracked IP addresses can be viewed in /proc/net/ipt_recent/*

More information about the ipt_recent module can be found in the iptables man page and at http://snowman.net/projects/ipt_recent/

Related Files

File                                   Description
/etc/csf/csf.conf                      PORTKNOCKING configuration option
/usr/local/csf/tpl/portknocking.txt    Port Knocking alert template