LinuxQuestions.org


ryanoa 10-09-2006 09:03 PM

Knockd
 
Hi,

I'm getting a lot of ssh break-in attempts on my Slackware box. Right now I have port 22 closed on my router to prevent a possible break-in but I would like to keep it open for remote access. I've heard a lot of good things about knockd but I have a few questions before I go and set it up.

The slackware box I want to install it on is behind a d-link router/firewall. Will I need to open up the ports in the knock sequence on the router? If so, is this a security risk? Could someone potentially scan the routers open ports and come up with my knock sequence?

Thanks,
Ryan

unSpawn 10-10-2006 06:22 AM

Not to dismiss Knockd as ineffective or useless, but I think you'd better start by tightening your sshd_config (no root, passphrases instead of passwords, only Protocol 2, only allowed users), then pick a tool from here: http://www.linuxquestions.org/questi...d.php?t=340366. *Then*, with all in place, "play" with knockd.
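
unSpawn's checklist turned into a check you can run against your own sshd_config, as an added example that is not from the thread. It resolves options the way sshd does (first occurrence of a keyword wins, anything after a Match line is conditional) and reports each of the four points; the sample config is constructed for the demonstration.

```python
"""Audit an sshd_config against the thread's checklist (added example, not from
the thread). Options resolve as sshd does: keywords are case-insensitive,
whitespace or a single '=' separates keyword and value, lines starting with '#'
are comments, the FIRST occurrence of a keyword wins, and a Match block is conditional."""
import re

# Constructed sample: the late PermitRootLogin no and the Match block are ignored.
SAMPLE_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
AllowUsers ryan admin
PermitRootLogin no
Match User backup
    PasswordAuthentication no
"""

def parse_sshd_config(text):
    """Return {keyword_lower: value} for the global section, first-wins."""
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "match":
            break                              # rest of the file is conditional
        effective.setdefault(key, value)       # first occurrence wins
    return effective

def audit(effective):
    """Apply the four points from the thread; return {check: (passed, detail)}."""
    root = effective.get("permitrootlogin", "(unset)")
    pw = effective.get("passwordauthentication", "(unset, default yes)")
    proto = effective.get("protocol")
    users = effective.get("allowusers")
    return {
        "no root login": (root.lower() == "no", f"PermitRootLogin {root}"),
        "keys, not passwords": (pw.lower() == "no", f"PasswordAuthentication {pw}"),
        # An absent Protocol is fine on OpenSSH 7.4+, which has no SSHv1 server.
        "protocol 2 only": (proto in (None, "2"), f"Protocol {proto or '(unset)'}"),
        "allowed users": (bool(users), f"AllowUsers {users or '(unset)'}"),
    }

if __name__ == "__main__":
    for check, (ok, detail) in audit(parse_sshd_config(SAMPLE_CONFIG)).items():
        print(f"{'PASS' if ok else 'FAIL'}  {check:20} {detail}")
```

Run it with `python3 audit.py` for the sample, or replace SAMPLE_CONFIG with the contents of /etc/ssh/sshd_config to audit a real host.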

ledow 10-10-2006 12:50 PM

Quote:

Originally Posted by ryanoa
Will I need to open up the ports in the knock sequence on the router?

Possibly. I personally have EVERY packet forwarded from my router to a "real" firewall and have knockd run on that. Knocks are basically "port probes", and if your router blocks them it won't work. Many routers do, because they don't form a complete connection.

Quote:

Originally Posted by ryanoa
If so, is this a security risk? Could someone potentially scan the routers open ports and come up with my knock sequence?

No. If you are forwarding those ports to the knockd server, the ports do NOT have to show as open on the knockd server. Knockd works BEHIND a firewall, just listening out for packets. It does NOT need an open connection, or even an open port. It can work with closed/stealth ports. For those in the know, knockd uses packet capture libraries rather than "real" TCP/UDP connections.

But I have to echo the thoughts of the previous poster. Knockd is a defense that has certain advantages (prevents log spam, prevents "random" attacks, etc.), but it will not secure your computer for you. Do that FIRST.

Knockd is a "convenience" that *improves* security of existing good setups. It does not *create* security for your computers.

ryanoa 10-10-2006 06:03 PM

Thank you for the responses,

I went and tightened up my sshd config (AllowedUsers, DeniedUsers, no root, etc.). I'm already using ssh2. I'll look into using pass phrases instead of passwords. Hopefully, all of this will be enough. I guess I can live with some log spam, as long as they can't get in :)

Thanks again,
Ryan
