For those who need to give themselves (or their loved ones) access to their servers from anywhere in the world over SSH / RDP / whatever else: a short RTFM / cheat sheet.
Without a VPN or other bells and whistles, from any device at hand.
And so that the server is not hammered too hard by everyone else.
All that is needed for this -
“Everything is on the Internet”, of course (even on
We will use Fedora / CentOS as the example, but that does not really matter.
The cheat sheet is meant for both beginners and veterans of this business, so there will be comments, but short ones.
1. Server
- install knock-server:
yum/dnf install knock-server
- configure it (for ssh, for example) - /etc/knockd.conf:
[options]
UseSyslog
interface = enp1s0f0

[SSHopen]
sequence = 33333,22222,11111
seq_timeout = 5
tcpflags = syn
start_command = iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
cmd_timeout = 3600
stop_command = iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT

[SSHclose]
sequence = 11111,22222,33333
seq_timeout = 5
tcpflags = syn
command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
The "open" door is set to close itself after 1 hour (cmd_timeout = 3600). Whether that is too short is a matter of taste.
- /etc/sysconfig/iptables:
...
-A INPUT -p tcp -m state --state NEW -m tcp --dport 11111 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22222 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 33333 -j ACCEPT
...
(Strictly speaking these three ACCEPTs are not needed: knockd sniffs the interface through libpcap and sees the SYNs even when the firewall drops them. With the ACCEPTs in place nothing is listening on those ports, so the kernel answers with a RST and a scanner sees three "closed" ports among the "filtered" ones; without them the knock ports look like every other port.)
- go:
service iptables restart
service knockd start
- you can add RDP to the virtual Windows Server spinning inside (/etc/knockd.conf; substitute the interface name to taste; the FORWARD/NAT plumbing for the VM is assumed to be in place already):
[RDPopen]
sequence = 44444,33333,22222
seq_timeout = 5
tcpflags = syn
start_command = iptables -t nat -A PREROUTING -s %IP% -i enp1s0f0 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.0.2
cmd_timeout = 3600
stop_command = iptables -t nat -D PREROUTING -s %IP% -i enp1s0f0 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.0.2

[RDPclose]
sequence = 22222,33333,44444
seq_timeout = 5
tcpflags = syn
command = iptables -t nat -D PREROUTING -s %IP% -i enp1s0f0 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.0.2
Which doors are open right now (the rules knockd has added) can be seen on the server with the command
iptables -S
(and iptables -t nat -S for the RDP rule); the knocks themselves land in syslog thanks to UseSyslog.
2. Guide to the rake
knockd.conf:
The man page has all of this too (but that is not certain), and knockd is a rather stingy comrade when it comes to messages, so you have to be very careful.
- version
In the Fedora/CentOS repositories the latest knockd as of today is 0.63. Whoever wants UDP should look for 0.70 packages.
- interface
The default Fedora/CentOS config has no such line. Add it by hand, otherwise nothing works.
- timeout
Pick to taste. The client must have enough time for all its knocks, while a port-scanning bot (and they will scan, 146% guaranteed) must get cut off.
- start/stop/command
If there is one command, use command; if there are two, start_command + stop_command.
Get it wrong and knockd stays silent, but does not work.
- proto
Theoretically you can use UDP. In practice I mixed tcp and udp, and a client from a beach in Bali managed to open his gate only on the fifth try. TCP flew whenever it had to, UDP is not a given. But again, a matter of taste.
- sequence
The non-obvious rake is that the sequences must not intersect ... how to put it ...
For example, this:
open: 11111,22222,33333
close: 22222,11111,33333
After knock 11111, open waits for the next knock on 22222. But that same 22222 knock also sets close going, and everything falls apart. It depends on the client's delay as well. Such things ©.
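A small checker for these rakes, added here as an example (it is not part of the article, and the two configs inside it are constructed: one mirrors the SSH doors from section 1, the other the bad open/close pair above plus the stock "no interface line" omission). It assumes knockd's INI-style syntax and TCP-only sequences. The overlap rule encodes the article's heuristic literally (a port that starts one door showing up in the middle of another door's sequence) rather than knockd's own matching code, and the timing check uses the "knocks times delay must fit into seq_timeout" relationship from the client section.

```python
#!/usr/bin/env python3
"""Lint a knockd.conf for the rakes above: missing interface, command vs
start_command/stop_command mix-ups, doors that start on the same port,
overlapping sequences, and a sequence that cannot fit into seq_timeout.
Added example; the configs below are constructed, not copied from a live box."""
import configparser
import sys

# Constructed: the article's SSH doors, as they should be.
GOOD_CONF = """\
[options]
UseSyslog
interface = enp1s0f0

[SSHopen]
sequence = 33333,22222,11111
seq_timeout = 5
tcpflags = syn
start_command = iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
cmd_timeout = 3600
stop_command = iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT

[SSHclose]
sequence = 11111,22222,33333
seq_timeout = 5
tcpflags = syn
command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
"""

# Constructed: no interface line, the overlapping open/close pair from the
# rake above, and a door that mixes command with start_command.
BAD_CONF = """\
[options]
UseSyslog

[open]
sequence = 11111,22222,33333
seq_timeout = 5
tcpflags = syn
start_command = iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
cmd_timeout = 3600
stop_command = iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT

[close]
sequence = 22222,11111,33333
seq_timeout = 5
tcpflags = syn
command = iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
start_command = echo this door is misconfigured
"""


def parse_sequence(value):
    """'33333,22222:tcp,11111' -> [33333, 22222, 11111] (protocol suffix ignored)."""
    return [int(item.strip().split(":")[0]) for item in value.split(",")]


def fits_timeout(seq_len, seq_timeout_s, delay_ms):
    """True if seq_len knocks sent delay_ms apart all land inside seq_timeout."""
    return (seq_len - 1) * delay_ms / 1000.0 < seq_timeout_s


def lint(text, client_delay_ms=500):
    """Return [(level, section, message), ...]; an empty list means no findings."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None)  # %IP% is not interpolation
    cp.read_string(text)
    findings = []
    if not cp.has_option("options", "interface"):
        findings.append(("error", "options", "no 'interface' line: knockd will silently see nothing"))
    sequences = {}
    for door in (s for s in cp.sections() if s != "options"):
        sec = cp[door]
        if "sequence" not in sec:
            findings.append(("error", door, "no sequence"))
            continue
        sequences[door] = parse_sequence(sec["sequence"])
        has_cmd, has_start, has_stop = "command" in sec, "start_command" in sec, "stop_command" in sec
        if has_cmd and (has_start or has_stop):
            findings.append(("error", door, "use either command or start_command+stop_command, not both"))
        elif has_start != has_stop:
            findings.append(("error", door, "start_command and stop_command must both be set"))
        elif not (has_cmd or has_start):
            findings.append(("error", door, "door runs nothing: no command / start_command+stop_command"))
        timeout = float(sec.get("seq_timeout", "0"))
        if not fits_timeout(len(sequences[door]), timeout, client_delay_ms):
            findings.append(("warning", door, f"{len(sequences[door])} knocks at {client_delay_ms} ms do not fit seq_timeout={timeout:g}"))
    # Two doors that start on the same port cannot be told apart at knock one.
    firsts = {}
    for door, ports in sequences.items():
        firsts.setdefault(ports[0], []).append(door)
    for port, doors in firsts.items():
        if len(doors) > 1:
            findings.append(("error", "+".join(doors), f"doors share first port {port}"))
    # The article's rake: a port that starts door A sitting mid-sequence in door B.
    for a, pa in sequences.items():
        for b, pb in sequences.items():
            if a != b and pa[0] in pb[1:-1]:
                findings.append(("warning", b, f"knock {pa[0]} in the middle of this door also starts {a}"))
    return findings


if __name__ == "__main__":
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else BAD_CONF
    for level, section, message in lint(source):
        print(f"{level}: [{section}] {message}")
```

Run it as `knockd-lint.py /etc/knockd.conf` after every edit; knockd itself will not tell you about any of these.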
iptables
If /etc/sysconfig/iptables has this:
*nat
:PREROUTING ACCEPT [0:0]
it does not bother us much. But this:
*filter
:INPUT ACCEPT [0:0]
...
-A INPUT -j REJECT --reject-with icmp-host-prohibited
does get in the way.
Since knockd appends its rules to the end of the INPUT chain (iptables -A), they land after the REJECT and we get a reject.
And switching that reject off means opening the box to all the winds.
To avoid going crazy in iptables over what to insert before what (like this
- the default CentOS/Fedora policy ("what is not forbidden is allowed") is replaced by its opposite,
- and the last rule is removed.
The result should be:
*filter
:INPUT DROP [0:0]
...
#-A INPUT -j REJECT --reject-with icmp-host-prohibited
You can of course use REJECT instead of DROP, but DROP makes life more tedious for the bots. The other way around this rake, if you would rather keep the REJECT rule, is to have knockd insert its rule at the head of the chain (iptables -I INPUT ... instead of -A in start_command) so it is evaluated before the REJECT.
3. Client
This is the most interesting part (from my point of view), since you need to work not just from any beach but from any device.
In principle, a number of clients are listed on
When choosing a client, make sure it supports a delay option between packets. Yes, beach differs from beach, and 100 megabits never guarantee that the packets arrive in the right order at the right time from a given place.
And yes: when setting up the client, the delay has to be picked by hand. A long timeout and the bots get in; a short one and the client does not make it. A long delay and the client does not make it either, or the knocks collide (see "rake"); a short one and the packets get lost in the Internet.
With timeout=5s, delay=100..500ms is a perfectly working option.
One more thing to keep in mind on that beach: the knocks are plain SYNs, so anyone who can sniff the Wi-Fi sees the sequence and can replay it. Knocking hides the port from scanners; it is not authentication, so sshd behind the door still wants keys rather than passwords.
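A client that does exactly this, added as an example (it is neither the article's script nor the knock project's code): one SYN per port, a configurable delay, and a probe of the SSH port afterwards to tell whether the door opened. It assumes the section 1 setup (TCP SYN knocks, sshd on port 22 behind the door); the host address in the usage line is a placeholder, and the loopback listener exists only so the probe can be tried offline. Being plain Python, it also runs on the platforms below where a ready-made CLI client is hard to find.

```python
#!/usr/bin/env python3
"""Port-knock client with an inter-knock delay, plus a check that the door opened.

Added example, not the article's or the knock project's code. Each knock is a
single SYN: a non-blocking connect() that is closed right away, so nothing
waits for the answer the DROPped knock ports will never send. Assumes the
knockd setup from section 1 (TCP SYN knocks, sshd on port 22)."""
import socket
import sys
import time


def send_syn(host, port, linger_s=0.05):
    """Put one SYN on the wire towards host:port and forget the socket."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setblocking(False)
    try:
        sock.connect_ex((host, port))  # returns EINPROGRESS; the SYN has already left
        time.sleep(linger_s)           # give the kernel a moment before the socket goes away
    finally:
        sock.close()


def knock(host, ports, delay_ms, sender=send_syn):
    """Send the sequence with delay_ms between knocks; returns one monotonic timestamp per knock."""
    stamps = []
    for i, port in enumerate(ports):
        if i:
            time.sleep(delay_ms / 1000.0)
        sender(host, port)
        stamps.append(time.monotonic())
    return stamps


def door_open(host, port, timeout_s=3.0):
    """True if a real TCP handshake on the guarded port completes (knockd has added its ACCEPT)."""
    try:
        with socket.create_connection((host, port), timeout=timeout_s):
            return True
    except OSError:
        return False


def loopback_listener():
    """Throw-away listener on 127.0.0.1 so door_open can be exercised without a server."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def main(argv):
    # usage: knock.py <host> <delay_ms> <port> [port ...]
    # e.g.   knock.py 203.0.113.10 300 33333 22222 11111   (placeholder address)
    if len(argv) < 4:
        print("usage: knock.py <host> <delay_ms> <port> [port ...]")
        return 2
    host, delay_ms, ports = argv[1], int(argv[2]), [int(p) for p in argv[3:]]
    stamps = knock(host, ports, delay_ms)
    print(f"sent {len(ports)} knocks in {stamps[-1] - stamps[0]:.2f}s (seq_timeout must be larger)")
    time.sleep(1.0)  # let knockd run start_command before probing
    print("ssh port open" if door_open(host, 22) else "still closed: adjust the delay or check the sequence")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Pick the delay the way the text says: long enough that the SYNs arrive in order, short enough that (knocks - 1) x delay stays well under the server's seq_timeout; the script prints how long the burst took so you can compare it with that timeout.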
Windows
Odd as it sounds, it is surprisingly hard to google a decent knock client for this platform: one with a CLI that supports delay and TCP, and without frills.
As an option you can try
Linux
Everything is simple here:
dnf install knock -y
knock -d <delay> <dst_ip> 11111 22222 33333
MacOS
The easiest way is to install it via homebrew:
brew install knock
and write yourself the needed command files of the form:
#!/bin/sh
knock -d <delay> <dst_ip> 11111 22222 33333
iOS
The working option is KnockOnD (free, from the store).
Android
Knock on Ports. This is not an ad, it just works. And the developers are quite responsive.
PS Markdown on Habr, of course, God bless it someday...
UPD1: thanks to
UPD2: Another one
Source: habr.com