56 Raspberry Pi – Portknocking with knockd Security through Obscurity is not Security. That being said, obscuring your SSH port via port knocking can be a great way to protect your SSH service from drive-bys and script kiddies. It is no replacement for a proper service configuration, but when paired with a good config can greatly improve your security. Also, it’s just kind of cool; who doesn’t wish they had a secret passage in their home?
Port knocking, at its core, is pretty simple. The daemon listens for connection attempts, and if attempts are made to the correct ports, in the correct order, in the specified amount of time, then it executes a command. Typically the command is to either add or delete a firewall rule. I followed this guide to get it up and running, but it is deprecated, and therefore there were some issues. All of the solutions are contained herein. First, we need to set up our firewall rules per this guide, ensuring that we don’t lock ourselves out of SSH access until we are certain that everything works.
LogFile = /var/log/knockd.log
interface = wlan0
sequence = 7303,40303,33528
tcpflags = syn
seq_timeout = 15
start_command = /sbin/iptables -I INPUT 4 -s %IP% -p tcp --dport 22 -j ACCEPT
cmd_timeout = 10
stop_command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
and change the following line
IMPORTANT! This is where we run into some issues. The Debian version of knockd will not start at boot, no matter what you do. In theory, the above modification to /etc/default/knockd should make this happen, but it doesn’t. After countless Google searches, I found a patch in a Debian bug post. The patch follows:
Append the following:
Finally, run the following and knockd will start at boot
Start knockd and test it out. If you have any issues, you can run the following to try to debug your problems
In order to carry out the port knocking, I chose to write a Python script, since I knew that that would work on both my Linux and Windows machines since they all have Python installed. As long as Scapy is installed then it’s good to go. See the script here.