Chapter 2. Server side

In this chapter we look at the example setup on the server side. The number of ports in the knock sequence has been chosen as three, but it is quite simple to extend it to N.

Notation

p0, p1, p2

Ports in the opening sequence.

l0, l1, l2

The selected magic lengths for the knocking packets.

pc

The closing port.

2.1. Example setup

In the example setup, we have a list of "trusted" hosts allowed to connect without knocking. All other hosts must complete the knocking procedure before being allowed SSH access.

The setup consists of the following user-defined iptables chains:

ssh-in

All incoming SSH connection attempts will be directed here.

ssh-in-hut

This is an auxiliary chain used to trust a network block while sending some parts of it back into the knocking scheme.

knock

The knocking packets will be directed here for processing.

knock{2,3}

Auxiliary chains that make it possible for a single packet to be checked against one recent flag and then set a different flag.

The details of which rules are needed to direct packets to the ssh-in and knock chains depend on your particular network setup. Generally one would expect there to be rules like -m state --state NEW -p tcp --dport 22 -j ssh-in in the INPUT chain, as well as in forwarding chains for packets destined for any SSH servers. Usually there would also be a rule resembling -p udp -m multiport --dports p0,p1,p2,pc -j knock in the INPUT chain.

The ssh-in chain in the example setup contains the trusted hosts as well as an entry to allow properly knocked connections, and some logging rules. It has the following rules:

1   -i eth1 -s 192.168.2.0/24 -j ACCEPT
2   -s 130.233.0.0/16 -j ssh-in-hut
3   -m recent --rcheck --name SSH3 --seconds 30 -j ACCEPT
4   -j ULOG --ulog-prefix 'fail/ssh-in'
5   -j REJECT --reject-with icmp-port-unreachable

The rule on line 1 allows SSH connections from the NAT'd local network. Line 2 directs packets from the mentioned larger network block to the auxiliary ssh-in-hut chain for closer inspection. (The network range in this example belongs to Helsinki University of Technology.) Rule 3 allows connections from sources that have completed the knocking procedure during the last 30 seconds. Rules 4 and 5 log and reject all other connection attempts.

The auxiliary ssh-in-hut chain contains the following rules:

1   -s 130.233.16.0/20 -j RETURN
2   -s 130.233.238.0/24 -j RETURN
3   -j ACCEPT

The rules on lines 1 and 2 cause the processing of packets from the two smaller blocks (the less secure student housing and WLAN networks, respectively) to return to the original ssh-in chain, so the knocking procedure works from those networks, too. Line 3 allows other SSH connections from the larger network block.

The knocking chain contains all rules related to the opening of the SSH ports. It contains the rules:

1   -p udp --dport pc -m recent --remove --name SSH1 -j ULOG --ulog-prefix 'knock/close1'
2   -p udp --dport pc -m recent --remove --name SSH2 -j ULOG --ulog-prefix 'knock/close2'
3   -p udp --dport pc -m recent --remove --name SSH3 -j ULOG --ulog-prefix 'knock/close3'
4   -p udp --dport pc -j DROP
5   -p udp --dport p0 -m length --length l0 -m recent --set --name SSH1 -j ULOG --ulog-prefix 'knock/open1'
6   -p udp --dport p0 -j DROP
7   -p udp --dport p1 -m length --length l1 -m recent --rcheck --name SSH1 --seconds 5 -j knock2
8   -p udp --dport p2 -m length --length l2 -m recent --rcheck --name SSH2 --seconds 5 -j knock3
9   -j ULOG --ulog-prefix 'knock/unknown'
10  -j DROP

The rules on lines 1-4 remove any recent flags set for the source when a closing packet comes in. Each removal is logged, and the packet is then silently dropped. Rules on lines 5 and 6 match the first packet in the knocking sequence. They cause the flag SSH1 to be set for that source; this is also logged and the packet silently dropped. Rules on lines 7 and 8 match the second and third packets in the knocking sequence, but only if the previous flag has been set for that source during the last 5 seconds. They direct the packet to knock2 or knock3 for further processing. Lines 9 and 10 log and drop malformed knock-like packets.

The chains knock2 and knock3 are almost identical. For knock2:

1   -m recent --set --name SSH2 -j ULOG --ulog-prefix 'knock/open2'
2   -j DROP

And knock3:

1   -m recent --set --name SSH3 -j ULOG --ulog-prefix 'knock/open3'
2   -j DROP

On line 1 the packet sets the proper flag (and is logged) so that the knocking sequence can continue. Line 2 then silently drops the packet.
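The whole setup above, generalised from three knock ports to N as the chapter introduction suggests, written as an added example script (not part of the original howto). It prints the iptables commands for the INPUT dispatch rules, the ssh-in chain, the knock chain and the auxiliary knock2..knockN chains; only when run with the argument apply are they executed. Chain names, recent-list names, time windows and ULOG prefixes follow the chapter; the port numbers and packet lengths are constructed sample values, and the ssh-in-hut rules are left out because they are site-specific.

```shell
#!/bin/sh
# Generator for the knocking chains of this chapter, extended to N knock ports.
# Prints the iptables commands by default; "knockgen.sh apply" runs them.
# The ports, lengths and closing port below are constructed sample values (not
# from the page); the trusted interface/network are the ones in the example.

KNOCK_PORTS="${KNOCK_PORTS:-13001 13002 13003}"  # p0 p1 p2 ... (sample values)
KNOCK_LENS="${KNOCK_LENS:-131 145 127}"          # l0 l1 l2 ... (sample values)
CLOSE_PORT="${CLOSE_PORT:-13099}"                # pc (sample value)
LAN_IF="${LAN_IF:-eth1}"                         # trusted interface
LAN_NET="${LAN_NET:-192.168.2.0/24}"             # trusted NAT'd local network
STEP_WINDOW=5    # seconds allowed between consecutive knocks
OPEN_WINDOW=30   # seconds a completed sequence keeps SSH open
IPT="${IPT:-iptables}"

# word_at LIST INDEX: the INDEX-th (1-based) word of a space-separated LIST
word_at() { _i=$2; set -- $1; shift $((_i - 1)); echo "$1"; }
# nwords LIST: number of words in LIST
nwords() { set -- $1; echo $#; }

gen_rules() {
    n=$(nwords "$KNOCK_PORTS")
    ports_csv=$(echo "$KNOCK_PORTS $CLOSE_PORT" | tr ' ' ',')

    echo "$IPT -N ssh-in"
    echo "$IPT -N knock"
    i=2
    while [ "$i" -le "$n" ]; do echo "$IPT -N knock$i"; i=$((i + 1)); done

    # Dispatch: new SSH connections go to ssh-in, UDP to the knock ports to knock.
    # (multiport takes at most 15 ports, so N+1 must stay below that.)
    echo "$IPT -A INPUT -m state --state NEW -p tcp --dport 22 -j ssh-in"
    echo "$IPT -A INPUT -p udp -m multiport --dports $ports_csv -j knock"

    # ssh-in: trusted LAN first, then sources that finished the sequence recently.
    echo "$IPT -A ssh-in -i $LAN_IF -s $LAN_NET -j ACCEPT"
    echo "$IPT -A ssh-in -m recent --rcheck --name SSH$n --seconds $OPEN_WINDOW -j ACCEPT"
    echo "$IPT -A ssh-in -j ULOG --ulog-prefix 'fail/ssh-in'"
    echo "$IPT -A ssh-in -j REJECT --reject-with icmp-port-unreachable"

    # knock: a closing packet clears every flag for the source, is logged, then dropped.
    i=1
    while [ "$i" -le "$n" ]; do
        echo "$IPT -A knock -p udp --dport $CLOSE_PORT -m recent --remove --name SSH$i -j ULOG --ulog-prefix 'knock/close$i'"
        i=$((i + 1))
    done
    echo "$IPT -A knock -p udp --dport $CLOSE_PORT -j DROP"

    # Knock i (port p_(i-1), length l_(i-1)) sets SSHi. The first knock sets it
    # directly; every later knock requires SSH(i-1) to be set within STEP_WINDOW
    # and hands the packet to the auxiliary chain knock$i, which sets the new flag.
    i=1
    while [ "$i" -le "$n" ]; do
        port=$(word_at "$KNOCK_PORTS" "$i")
        len=$(word_at "$KNOCK_LENS" "$i")
        if [ "$i" -eq 1 ]; then
            echo "$IPT -A knock -p udp --dport $port -m length --length $len -m recent --set --name SSH1 -j ULOG --ulog-prefix 'knock/open1'"
            echo "$IPT -A knock -p udp --dport $port -j DROP"
        else
            echo "$IPT -A knock -p udp --dport $port -m length --length $len -m recent --rcheck --name SSH$((i - 1)) --seconds $STEP_WINDOW -j knock$i"
            echo "$IPT -A knock$i -m recent --set --name SSH$i -j ULOG --ulog-prefix 'knock/open$i'"
            echo "$IPT -A knock$i -j DROP"
        fi
        i=$((i + 1))
    done
    echo "$IPT -A knock -j ULOG --ulog-prefix 'knock/unknown'"
    echo "$IPT -A knock -j DROP"
}

if [ "${1:-}" = apply ]; then gen_rules | sh; else gen_rules; fi
```

Run it once without arguments and read the output before applying; a longer sequence is configured by setting KNOCK_PORTS and KNOCK_LENS to longer lists of the same length, and the chapter's own three-port setup is what the defaults reproduce. Note that the generated rules only append to existing chains, so they are meant for a fresh setup rather than for re-running on a live firewall.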