ConfigServer Community Forum

One of my favorite methods of getting into a firewall once something has gone wrong -- and the easiest method I've found for locking *everything* down yet allowing an administrator access from a dynamic location ... is "port knocking".

I run "knockd", a daemon that watches for a unique sequence of port requests. Any other port request in any sequence other than what I require, will fail. However, when the ports are knocked in the sequence I preset, the server is opened to me for a period of time I specify.

This works by the knockd server changing the iptables rules on-the-fly, to allow access to the successful port-knocker.

This has been an extremely easy and effective method I've used for years, on many servers, with tremendous reliability and never a single issue.

I'm now testing csf -- and because csf already runs its own persistent daemon and because it should be the only thing touching the iptables -- it makes sense that csf could include a knockd server, with a simple configuration option to enable it. For example (proposed configuration option for csf):

PORT_KNOCK_ENABLE="1"
PORT_KNOCK_OPEN_TIME="60"
PORT_KNOCK1="10000:TCP"
PORT_KNOCK2="20000:UDP"
PORT_KNOCK3="15000:UDP"
PORT_KNOCK4="25000:TCP"

This would essentially setup the knock daemon to listen for a TCP request on port 10000, then UDP on 20000 and 15000, then TCP on 25000.

If, and only if, that specific sequence occurs (without any other port requests in between), then the origin IP is opened for 60 seconds, in this case.

Is this something you'd consider for csf?

It's something we've had on the development list for a very long time we just haven't seen the demand for such an esoteric (though very interesting) option to devote the development time to it yet.

As someone who runs it, I can tell you it's a true godsend -- not simply for the obvious purposes.

First, it obviously allows administration from a dynamic location.

Even if the administrator doesn't require dynamic access, it provides a great way to get back into a system if you've been locked out. I should reiterate you get locked out of a system due to a firewall issue, and no matter what, this will allow you to get back in.

Finally, it allows one to run a *much* tighter security config / closed-port system.

Best of all, it's not a particularly complicated daemon or premise for development (or for the end-users, for that matter).

Just hope some of those notes make it into the feature request ;-).

well, port knocking is not a "esoteric option" - is a real solution used by a many servers administrators.

the logical is so simple, and work fine.

- SSH port closed for all IP sources, and opened to your IP for a few minutes only if you acess 3 or 4 ports in a specific sequence (do not use ports in sequence to avoid scanners discover the port knocking)

the same can be applied to any other port, like FTP for example.

this can be a nice feature to CSF, and help a lot of users to keep the server more secure.

for linux exist the KNOCKD a service for port knocking, but I cant use KNOCKD with CSF, because CSF will remove KNOCKD rules from iptables and vice-versa.

and KNOCKD project offer a SSH client with port knocking, so you can configure the ssh client to acess your server with specific sequence and open the SSH port.

here a good article about port knocking and a example of implementation using only iptables, I believe is not too hard to implement the same stuff on CSF:

andrewkmitchell . com / blog/?p=236

+1 vote to port knocking on CSF !!

+1 for me, I agree with everything RKM says. It really would allow us to set stricter rules, particularly for services like ssh.

My only suggestion would be to have a single field for the sequence i.e.
PORT_KNOCK_SEQ = "10000:TCP;20000:UDP;15000:UDP;25000:TCP"

which would allow you to build any length sequence you like.

I've used a similar idea, but to see it incorporated into CSF/LFD would be seriously useful

+1 from me

great news ! today I updated my CSF and see the port-knocking feature !

this is why CSF is the best firewall, developers listen the users.