LinuxQuestions.org
Old 10-09-2006, 10:03 PM   #1
ryanoa
Member
 
Registered: Jan 2006
Location: Santa Cruz, CA
Distribution: Slack 10.2 and 11.0
Posts: 102

Rep: Reputation: 15
Knockd


Hi,

I'm getting a lot of ssh break-in attempts on my Slackware box. Right now I have port 22 closed on my router to prevent a possible break-in but I would like to keep it open for remote access. I've heard a lot of good things about knockd but I have a few questions before I go and set it up.

The Slackware box I want to install it on is behind a D-Link router/firewall. Will I need to open up the ports in the knock sequence on the router? If so, is this a security risk? Could someone potentially scan the router's open ports and come up with my knock sequence?

Thanks,
Ryan
 
Old 10-10-2006, 07:22 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,541
Blog Entries: 54

Rep: Reputation: 2924
Not to dismiss Knockd as ineffective or useless, but I think you'd better start by tightening your sshd_config (no root, passphrases instead of passwords, only Protocol 2, only allowed users) then pick a tool from here: http://www.linuxquestions.org/questi...d.php?t=340366. *Then* with all in place "play" with knockd.
 
Old 10-10-2006, 01:50 PM   #3
ledow
Member
 
Registered: Apr 2005
Location: UK
Distribution: Slackware 13.0
Posts: 241

Rep: Reputation: 34
Quote:
Originally Posted by ryanoa
Will I need to open up the ports in the knock sequence on the router?
Possibly. I personally have EVERY packet forwarded from my router to a "real" firewall and have knockd run on that. Knocks are basically "port probes" and if your router blocks them it won't work. Many routers do, because they don't form a complete connection.

Quote:
Originally Posted by ryanoa
If so, is this a security risk? Could someone potentially scan the router's open ports and come up with my knock sequence?
No. If you are forwarding those ports to the knockd server, the ports do NOT have to show as open on the knockd server. Knockd works BEHIND a firewall, just listening out for packets. It does NOT need an open connection, or even an open port. It can work with closed/stealth ports. For those in the know, knockd uses packet capture libraries rather than "real" TCP/UDP connections.

But I have to echo the thoughts of the previous poster. Knockd is a defense that has certain advantages (prevents log spam, prevents "random" attacks, etc.) but it will not secure your computer for you. Do that FIRST.

Knockd is a "convenience" that *improves* security of existing good setups. It does not *create* security for your computers.
 
Old 10-10-2006, 07:03 PM   #4
ryanoa
Member
 
Registered: Jan 2006
Location: Santa Cruz, CA
Distribution: Slack 10.2 and 11.0
Posts: 102

Original Poster
Rep: Reputation: 15
Thank you for the responses,

I went and tightened up my sshd config (AllowedUsers, DeniedUsers, no root, etc.). I'm already using ssh2. I'll look into using pass phrases instead of passwords. Hopefully, all of this will be enough. I guess I can live with some log spam, as long as they can't get in.

Thanks again,
Ryan
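
The sshd_config checklist from post #2 (no root, passphrases instead of passwords, only Protocol 2, only allowed users), written as a small audit script. This is an added example and not part of the thread; it assumes "passphrases instead of passwords" means key-based logins with password authentication switched off, uses OpenSSH's `AllowUsers` keyword for the allow-list, and the era defaults and sample configs are constructed for illustration.

```python
import re

# Assumed defaults for an OpenSSH release of the thread's era (2006).
ERA_DEFAULTS = {"permitrootlogin": "yes", "passwordauthentication": "yes",
                "protocol": "2,1"}

def effective_settings(text):
    """Global sshd_config settings as {lowercased keyword: value}."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and value are separated by whitespace or a single '='.
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()          # keywords are case-insensitive
        if key == "match":              # conditional section: stop here
            break
        # sshd uses the first value it reads for a keyword.
        settings.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return settings

def audit(text):
    """Return findings; an empty list means the checklist is satisfied."""
    cfg = {**ERA_DEFAULTS, **effective_settings(text)}
    findings = []
    if cfg["permitrootlogin"].lower() != "no":
        findings.append("root login not disabled (want PermitRootLogin no)")
    if cfg["passwordauthentication"].lower() != "no":
        findings.append("passwords accepted (want PasswordAuthentication no)")
    if cfg["protocol"].replace(" ", "") != "2":
        findings.append("protocol 1 not excluded (want Protocol 2)")
    if not cfg.get("allowusers", "").split():
        findings.append("no user allow-list (want AllowUsers <names>)")
    return findings

# Constructed sample inputs; the user names are placeholders.
WEAK = "Protocol 2,1\nPermitRootLogin yes\n"
HARDENED = """\
protocol 2
PermitRootLogin no
PasswordAuthentication no
AllowUsers ryan
# A later duplicate is ignored: the first value wins.
PermitRootLogin yes
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, text in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit(text) or "checklist satisfied")
```

Run `sshd -t` on the real file as well: it rejects misspelled keywords, which this script would simply treat as unset.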
 
  

