Saturday, January 31, 2009

Become a Linux Server Wizard Part 3

Last night, as I was fading off to sleep, I noticed my router's green activity lights dancing in the darkness. My mind slowly came to life as I contemplated the various reasons for the network activity on my home network. "Probably I forgot to initialize sshdfilter the last time I rebooted my Linux web server." "Maybe I left the MySQL daemon running two nights ago and someone is attacking my database." The thoughts kept surfacing as the non-synchronous green lights lulled me off to sleep...

The next morning I remoted into my web server and checked the logs. A remote scanner found my port 22 responding, and there were hundreds of failed login attempts. This is a good point to stress the importance of VERY STRONG PASSWORDS!

sshdfilter was not running, as I had suspected. It was one of those things that was on my to-do list, but oddly enough other projects kept jumping ahead of it.

This experience had me thinking up various ways of truly protecting my Linux system from unauthorized users. That's when I remembered an article I read a while back in a Linux magazine. The topic was how to secure a system with port knocking. The idea of port knocking is to have predefined ports closed in their initial state. A client wishing to reach a closed port first sends a single TCP or UDP packet to several other ports in a specific sequence. A correct sequence of "knocks" opens the needed port; when the client is finished, it sends another sequence of knocks to close the port again. Port knocking essentially hides ports from scanners, since the ports really are closed, yet keeps them accessible to clients when needed.

After a quick Google search I found knockd. Its command page looked easy enough to figure out, so I decided to give it a try.

We will begin this project by resuming our work from the Linux System we have used in Parts 1 and 2 of 'Become a Linux Server Wizard':


  1. Type urpmi sshd knock to install openssh and the knockd port knocking package
  2. Type cp /etc/knockd.conf /etc/knockd.conf_original to save a copy of the original knockd config file in case we want to use it at a later date
  3. Type vi /etc/knockd.conf to edit the config file in vi
  4. Under the [options] heading you should type interface = followed by the name of your network interface. I typed interface = eth1 because that is the network interface that my virtual Linux system uses. I believe that if my system had used eth0 the knockd daemon would have worked without the need for the interface line
  5. Under [openSSH] you need to change the three numbers on the sequence line. Leaving the default numbers in place would leave your system vulnerable to attack, since they are the same on every system that installs the package. I set my seq_timeout = line to 10. On the command = line you need to delete the iptables entry and then type /usr/sbin/sshd to sidestep the iptables modifications entirely. This command starts the sshd daemon so you can ssh into your system remotely
  6. Under [closeSSH] you need to change the three numbers on the sequence line. Again, you do not want to leave your system vulnerable to attack. I set this seq_timeout = line to 10 also. On the command = line you need to delete the iptables entry and then type /usr/bin/killall -9 sshd, once again sidestepping the iptables modifications. This kills the sshd daemon to close the ssh port down
  7. Press the [Esc] key, then type :wq and press Enter to save your changes and exit the vi editor
  8. Type service sshd stop to ensure that sshd isn't running
  9. Type chkconfig sshd off to keep sshd from running at boot
  10. Type chkconfig --add knockd to run the knockd daemon as a service on boot
  11. Type chkconfig --level 2345 knockd on to enable the knockd daemon in runlevels 2 through 5
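For reference, this is the /etc/knockd.conf that steps 4 to 6 above produce, assembled here as an added example rather than copied from the post. The interface, sequences, timeouts and commands are the ones the steps describe; the UseSyslog and tcpflags lines are assumed to be left as the stock file the package installs ships them, and the comments are mine.

```ini
[options]
	# log every knock (complete or not) to syslog so you can see who is probing
	UseSyslog
	# the interface knockd sniffs on; the author's virtual machine used eth1
	interface = eth1

[openSSH]
	# the client sends one connection attempt to each port, in this order
	# never keep the stock sequence: it is identical on every install
	sequence    = 3000,7100,7500
	# all three knocks must arrive within 10 seconds or the sequence resets
	seq_timeout = 10
	# start the ssh listener instead of adding an iptables rule
	command     = /usr/sbin/sshd
	# only SYN packets (new-connection attempts) count as knocks
	tcpflags    = syn

[closeSSH]
	# a different sequence closes the port again
	sequence    = 7700,3500,7150
	seq_timeout = 10
	# stops every process named sshd, including any live sessions,
	# so disconnect first, as the post does in its client step 6
	command     = /usr/bin/killall -9 sshd
	tcpflags    = syn
```

Because these commands start and stop the daemon rather than adding firewall rules, a successful open knock exposes port 22 to every address, not only to the knocker; the stock commands with their -s %IP% iptables match limit the opening to the address that knocked.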

You are now done with setting up and configuring port knocking on your Linux system. The next step in the project is to install and use a client to "knock" on your predefined ports and then ssh into your system remotely.

  1. Download your proper OS port knocking client from: http://www.zeroflux.org/cgi-bin/cvstrac.cgi/knock/wiki
  2. In this instance I used a Windows Vista machine to test my port knocking, so I downloaded the Win32 client software.
  3. I clicked on the START button, typed CMD in the search line and hit Enter
  4. I used the CD command to traverse the folder structure to where the knock.exe file was located
  5. I typed knock.exe 3000 7100 7500 and hit Enter. I immediately used Putty to ssh into the same IP address and port 22. I received the login prompt which indicated port 22 was open, and thus the port knocking was working
  6. I disconnected Putty and in the DOS window I typed knock.exe 7700 3500 7150 and hit Enter. I immediately used Putty to ssh into the same IP address and port 22. I did not receive a login prompt, and a short time later I received a connection timed out error
  7. I performed the last two steps again to verify that port knocking was working properly



Deion "Mule" Christopher
