Port knocking is a way to secure a server by closing firewall ports—even those you know will be used. Those ports are opened on demand if—and only if—the connection request provides the secret knock.
端口敲門是一種通過關閉防火墻端口(甚至您將使用的防火墻端口)來保護服務器安全的方法。 當且僅在連接請求提供了秘密敲門后,這些端口才按需打開。
港口敲門是“秘密敲門” (Port Knocking Is a “Secret Knock”)
In the 1920s, when prohibition was in full swing, if you wanted to get into a speakeasy, you had to know the secret knock and tap it out correctly to get inside.
在1920年代,當禁令如火如荼地進行時,如果您想進入說話狀態,就必須知道秘密的敲門聲,并正確地敲打它才能進入內部。
Port knocking is a modern equivalent. If you want people to have access to services on your computer but don’t want to open your firewall to the internet, you can use port knocking. It allows you to close the ports on your firewall that allow incoming connections and have them open automatically when a prearranged pattern of connection attempts is made. The sequence of connection attempts acts as the secret knock. Another secret knock closes the port.
港口敲門是現代的等同物。 如果您希望人們可以訪問您計算機上的服務,但又不想將防火墻打開到Internet,則可以使用端口斷開功能。 它允許您關閉防火墻上允許傳入連接的端口,并在進行預先安排的連接嘗試方式時自動打開它們。 連接嘗試的順序充當秘密敲門。 另一個秘密的敲門聲關閉了港口。
Port knocking is something of a novelty, but it’s important to know it’s an example of security through obscurity,?and that concept is fundamentally flawed. The secret of how to access a system is safe because only those in a specific group know it. But once that secret is out—either because it’s revealed, observed, guessed, or worked out—your security is void. You’re better off securing your server in other, stronger ways, like requiring key-based logins for an SSH server.
敲端口是一種新穎的事物,但重要的是要知道它是通過默默無聞來實現安全的一個例子,并且該概念從根本上來說是有缺陷的。 安全訪問系統的秘密是安全的,因為只有特定組中的人才能知道它。 但是,一旦發現了這個秘密(無論是因為它被發現,觀察,猜測還是解決了),您的安全性就會失效。 最好以其他更強大的方式保護服務器的安全,例如要求SSH服務器基于密鑰的登錄。
The most robust approaches to cybersecurity are multilayered, so, perhaps port knocking should be one of those layers. The more layers, the better, right? However, you could argue that port knocking doesn’t add much (if anything) to a properly hardened, secure system.
網絡安全最強大的方法是多層的,因此,也許端口敲門應該是其中之一。 層數越多越好,對嗎? 但是,您可能會爭辯說,端口爆裂并不會給經過適當加固的安全系統帶來太多(如果有的話)。
Cybersecurity is a vast and complicated topic, but you shouldn’t use port knocking as your only form of defense.
網絡安全是一個廣泛而復雜的主題,但您不應將端口爆震作為唯一的防御方式。
安裝敲 (Installing knockd)
To demonstrate port knocking, we’re going to use it to control port 22, which is the SSH port. We’ll use?a tool called knockd. Use apt-get to install this package onto your system if you use Ubuntu or another Debian-based distribution. On other Linux distributions, use your Linux distribution’s package management tool, instead.
為了演示端口敲除,我們將使用它來控制端口22,即SSH端口。 我們將使用一個稱為tickd的工具。 如果使用Ubuntu或其他基于Debian的發行版,請使用apt-get將此軟件包安裝到系統上。 在其他Linux發行版上,請改用Linux發行版的程序包管理工具。
Type the following:
輸入以下內容:
sudo apt-get install knockd
You probably already have the?iptables?firewall?installed on your system, but you might need to install the iptables-persistent package. It handles the automatic loading of saved iptable rules.
您可能已經在系統上安裝了iptables防火墻,但是可能需要安裝iptables-persistent軟件包。 它處理已保存的iptable規則的自動加載。
Type the following to install it:
輸入以下內容進行安裝:
sudo apt-get install iptables-persistent
When the IPV4 configuration screen appears, press the space bar to accept the “Yes” option.
出現IPV4配置屏幕時,按空格鍵以接受“是”選項。
Press the space bar again in IPv6 configuration screen to accept the “Yes” option and move on.
在IPv6配置屏幕中再次按空格鍵以接受“是”選項并繼續。
The following command tells iptables to allow established and ongoing connections to continue. We’ll now issue another command to close the SSH port.
以下命令告訴iptables允許建立的連接和正在進行的連接繼續。 現在,我們將發出另一個命令來關閉SSH端口。
If someone is connected by SSH when we issue this command, we don’t want them to be cut off:
如果在發出此命令時有人通過SSH連接,我們不希望他們被切斷:
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
This command adds a rule to the firewall, that says:
此命令向防火墻添加一條規則,該規則為:
-A: Append the rule to the firewall rules table. That is, add it to the bottom.
-A :將規則追加到防火墻規則表。 也就是說,將其添加到底部。
INPUT: This is a rule about incoming connections.
輸入:這是有關傳入連接的規則。
-m conntrack: Firewall rules act upon network traffic (packets) that match criteria in the rule. The
-mparameter causes?iptablesto use extra packet matching modules—in this case, the one calledconntrack?works with the network connection tracking capabilities of the kernel.-m conntrack :防火墻規則對符合規則中條件的網絡流量(數據包)起作用。
-m參數使iptables使用額外的數據包匹配模塊-在這種情況下,稱為conntrack模塊與內核的網絡連接跟蹤功能一起使用。–cstate ESTABLISHED,RELATED: This specifies the type of connection to which the rule will apply, namely ESTABLISHED and RELATED connections. An established connection is one that’s already in progress. A related connection is one that’s made due to an action from an established connection. Perhaps someone who is connected wants to download a file; that might happen over a new connection initiated by the host.
-cstate ESTABLISHED,RELATED :這指定規則將應用到的連接類型,即ESTABLISHED和RELATED連接。 建立的連接已經在進行中。 相關的連接是由于已建立的連接所進行的操作而建立的。 也許某個連接的人想要下載文件; 這可能是由主機啟動的新連接引起的。
-j ACCEPT: If the traffic matches the rule, jump to the ACCEPT target in the firewall. In other words, the traffic?is accepted and allowed to pass through the firewall.
-j ACCEPT :如果流量符合規則,請跳到防火墻中的ACCEPT目標。 換句話說,流量被接受并被允許通過防火墻。
Now we can issue the command to close the port:
現在我們可以發出關閉端口的命令:
sudo iptables -A INPUT -p tcp --dport 22 -j REJECT
This command adds a rule to the firewall, that says:
此命令向防火墻添加一條規則,該規則為:
-A: Append the rule to the firewall rules table, i.e., add it to the bottom.
-A :將規則添加到防火墻規則表,即將其添加到底部。
INPUT: This rule is about incoming connections.
輸入:此規則與傳入連接有關。
-p tcp: This rule applies to traffic that uses the Transmission Control Protocol.
-p tcp :此規則適用于使用傳輸控制協議的流量。
–dport 22: This rule specifically applies to TCP traffic that targets port 22 (the SSH port).
–dport 22 :此規則專門適用于以端口22(SSH端口)為目標的TCP通信。
-j REJECT: If the traffic matches the rule, jump to the REJECT target in the firewall. So, if the traffic?is rejected, it’s not permitted through the firewall.
-j REJECT :如果流量符合規則,請跳到防火墻中的REJECT目標。 因此,如果流量被拒絕,則不允許通過防火墻。
We must start the netfilter-persistent daemon. We can do so with this command:
我們必須啟動netfilter-persistent守護程序。 我們可以使用以下命令:
sudo systemctl start netfilter-persistent
We want?netfilter-persistent?to go through a save and reload cycle, so it loads and controls the iptable rules.
我們希望netfilter-persistent經歷一個保存和重新加載周期,以便它加載和控制iptable規則。
Type the following commands:
鍵入以下命令:
sudo netfilter-persistent save
sudo netfilter-persistent reload
You’ve now installed the utilities, and the SSH port is closed (hopefully, without terminating anyone’s connection). Now, it’s time to configure the secret knock.
現在,您已經安裝了實用程序,并且SSH端口已關閉(希望它沒有終止任何人的連接)。 現在,是時候配置秘密敲門了。
配置敲 (Configuring knockd)
There are two files you edit to configure knockd. The first is the following?knockd configuration file:
您可以編輯兩個文件來配置knockd 。 首先是以下knockd配置文件:
sudo gedit /etc/knockd.conf
The gedit editor opens with the knockd configuration file loaded.
將打開gedit編輯器,并加載已knockd配置文件。
We’ll edit this file to suit our needs. The sections we’re interested in are “openSSH” and “closeSSH.” The following four entries are in each section:
我們將編輯此文件以適合我們的需求。 我們感興趣的部分是“ openSSH”和“ closeSSH”。 每個部分中包含以下四個條目:
sequence: The sequence of ports someone must access to open or close port 22.?The default ports are 7000, 8000, and 9000 to open it, and 9000, 8000, and 7000 to close it. You can change these or add more ports to the list. For our purposes, we’ll stick with the defaults.
sequence :某人必須訪問以打開或關閉端口22的端口順序。默認端口是7000、8000和9000才能打開,而9000、8000和7000才能關閉。 您可以更改這些端口或將更多端口添加到列表。 為了我們的目的,我們將堅持使用默認值。
seq_timeout: The time period within which someone has to access the ports to trigger it to open or close.
seq_timeout :某人必須訪問端口以觸發其打開或關閉的時間段。
command: The command sent to the
iptablesfirewall when the open or close action is triggered. These commands either add a rule to the firewall (to open the port) or take it out (to close the port).command :觸發??打開或關閉操作時發送到
iptables防火墻的命令。 這些命令將規則添加到防火墻(以打開端口)或將其刪除(以關閉端口)。tcpflags: The type of packet?each port must receive in the secret sequence. A SYN (synchronize) packet is the first in a TCP connection request, called a three-way handshake.
tcpflags :每個端口必須按秘密順序接收的數據包類型。 SYN(同步)數據包是TCP連接請求中的第一個數據包,稱為三向握手。
The “openSSH” section can be read as “a TCP connection request must be made to ports 7000, 8000, and 9000—in that order and within 5 seconds—for the command to open port 22 to be sent to the firewall.”
“ openSSH”部分可以理解為“必須向端口7000、8000和9000發出TCP連接請求(此順序必須在5秒鐘之內),才能將打開端口22的命令發送到防火墻。”
The “closeSSH” section can be read as “a TCP connection request must be made to ports 9000, 8000, and 7000—in that order and within 5 seconds—for the command to close port 22 to be sent to the firewall.”
“ closeSSH”部分可以理解為“必須向端口9000、8000和7000發出TCP連接請求(以該順序并在5秒鐘之內),以便關閉端口22的命令才能發送到防火墻。”
防火墻規則 (The Firewall Rules)
The “command” entries in the openSSH and closeSSH sections remain the same, except for one parameter.?This is how they’re comprised:
除了一個參數外,openSSH和closeSSH部分中的“命令”條目保持不變。 這是它們的組成方式:
-A: Append the rule to the bottom of the firewall rules list (for the openSSH command).
-A :將規則追加到防火墻規則列表的底部(對于openSSH命令)。
-D: Delete the command from the firewall rules list (for the closeSSH command).
-D :從防火墻規則列表中刪除命令(對于closeSSH命令)。
INPUT: This rule is concerned with incoming network traffic.
輸入:此規則與傳入的網絡流量有關。
-s %IP%: The IP address of the device requesting a connection.
-s%IP% :請求連接的設備的IP地址。
-p: Network protocol; in this case, it’s TCP.
-p :網絡協議; 在這種情況下,它是TCP。
–dport: The destination port; in our example, it’s port 22.
–dport :目標端口; 在我們的示例中,端口為22。
-j ACCEPT: Jump to the accept target within the firewall. In other words, let the packet drop through the rest of the rules without acting on it.
-j ACCEPT :跳轉到防火墻內的接受目標。 換句話說,讓數據包通過其余規則丟棄而不對其執行操作。
敲開的配置文件 (The knockd Configuration File Edits)
The edits we’ll make to the file are highlighted in red below:
我們將對該文件進行的編輯在下面以紅色突出顯示:
We extend the “seq_timeout”?to 15 seconds. This is generous, but if someone’s manually firing in connection requests, he might need this much time.
我們將“ seq_timeout”延長到15秒。 這很慷慨,但是如果有人手動觸發連接請求,那么他可能需要很多時間。
In the “openSSH” section, we change the -A (append) option in the command to -I (insert). This command inserts a new firewall rule at the top of the firewall rule list. If you leave the -A option, it?appends?the firewall rule list and puts it at the bottom.
在“ openSSH”部分中,我們將命令中的-A (附加)選項更改為-I (插入)。 此命令在防火墻規則列表的頂部插入新的防火墻規則。 如果保留-A選項,它將附加防火墻規則列表并將其放在底部。
Incoming traffic is tested against each firewall rule in the list from the top down. We already have a rule that closes port 22. So, if incoming traffic is tested against that rule before it sees the rule that allows the traffic, the connection is refused; if it sees this new rule first, the connection is allowed.
根據從上到下的列表中的每個防火墻規則測試傳入流量。 我們已經有一個關閉端口22的規則。因此,如果在看到允許流量的規則之前對照該規則對傳入流量進行了測試,則連接將被拒絕;否則,該連接將被拒絕。 如果它首先看到此新規則,則允許連接。
The close command removes the rule added by openSSH from the firewall rules. SSH traffic is once more handled by the pre-existing “port 22 is closed” rule.
close命令從防火墻規則中刪除由openSSH添加的規則。 SSH流量再次由預先存在的“端口22已關閉”規則處理。
After you make these edits, save the configuration file.
完成這些編輯后,保存配置文件。
敲掉的控制文件 (The knockd Control File Edits)
The knockd control file is altogether simpler. Before we dive in and edit that, though, we need to know the internal name for our network connection; to find it, type this command:
knockd控制文件完全簡單。 但是,在深入進行編輯之前,我們需要知道網絡連接的內部名稱。 要找到它,請鍵入以下命令:
ip addr
The connection this machine uses to research this article is called enp0s3. Make a note of the name of your connection.
該機器用于研究本文的連接稱為enp0s3 。 記下您的連接的名稱。
The following command edits the knockd control file:
以下命令編輯已knockd控制文件:
sudo gedit /etc/default/knockd
Here’s the knockd file in gedit.
這是gedit的已knockd文件。
The few edits we need to make are highlighted in red:
我們需要進行的一些編輯以紅色突出顯示:
We changed the “START_KNOCKD=” entry to from 0 to 1.
我們將“ START_KNOCKD =”條目從0更改為1。
We also removed the hash # from the start of the “KNOCKD_OPTS=” entry, and replaced “eth1” with the name of our network connection,?enp0s3. Of course, if your network connection is?eth1, you won’t change it.
我們還從“ KNOCKD_OPTS =”條目的開頭刪除了哈希號# ,并將“ eth1”替換為我們的網絡連接名稱enp0s3 。 當然,如果您的網絡連接是eth1 ,則不會更改它。
證明在布丁里 (The Proof Is in the Pudding)
It’s time to see if this works. We’ll start the knockd daemon with this command:
現在該看看是否可行。 我們將使用以下命令啟動knockd守護程序:
sudo systemctrl start knockd
Now, we’ll jump on another machine and try to connect. We installed the knockd tool on that computer, too, not because we want to set up port knocking, but because the knockd package provides another tool called knock. We’ll use this machine to fire in our secret sequence and do the knocking for us.
現在,我們將跳到另一臺機器上并嘗試進行連接。 我們也在該計算機上安裝了被knockd工具,不是因為我們想要設置端口敲除,而是因為被knock軟件包提供了另一種稱為力knockd工具。 我們將使用這臺機器按照我們的秘密順序開火,并為我們敲門。
Use the following command to send your secret sequence of connection requests to the ports on the port knocking host computer with the IP address 192.168.4.24:
使用以下命令將連接請求的秘密序列發送到IP地址為192.168.4.24的敲主機計算機上的端口:
knock 192.168.4.24 7000 8000 9000 -d 500
This tells knock to target the computer at IP address 192.168.4.24 and fire a connection request to ports 7000, 8000, and 9000, in turn, with a -d (delay) of 500 milliseconds between them.
這告訴knock將計算機定位到IP地址192.168.4.24,然后向端口7000、8000和9000發出連接請求,它們之間的-d (延遲)為500毫秒。
A user called “dave” then makes an SSH request to 192.168.4.24:
然后,名為“ dave”的用戶向192.168.4.24發出SSH請求:
ssh dave@192.168.4.24
His connection is accepted, he enters his password, and his remote session begins. His command prompt changes from dave@nostromo to dave@howtogeek. To log out of the remote computer, he types:
他的連接被接受,他輸入密碼,并且他的遠程會話開始。 他的命令提示符從dave@nostromo更改為dave@howtogeek 。 要注銷遠程計算機,他輸入:
exit
His command prompt returns to his local computer. He uses knock once more, and this time, it targets the ports in reverse order to close the SSH port on the remote computer.
他的命令提示符返回到他的本地計算機。 他再次使用knock ,這次,它以相反的順序瞄準端口,以關閉遠程計算機上的SSH端口。
knock 192.168.4.24 9000 8000 7000 -d 500
Admittedly, this wasn’t a particularly fruitful remote session, but it demonstrates the opening and closing of the port via port knocking and fits in a single screenshot.
誠然,這不是一個特別富有成果的遠程會話,但是它通過端口敲門演示了端口的打開和關閉,并且僅顯示在一個屏幕快照中。
So, what did this look like from the other side? The system administrator on the port knocking host uses the following command to view new entries that arrive in the system log:
那么,從另一端看,這是什么樣的呢? 端口終止主機上的系統管理員使用以下命令來查看到達系統日志的新條目:
tail -f /var/log/syslog
- You see three openSSH entries. These are raised as each port is targeted by the remote knock utility. 您會看到三個openSSH條目。 當遠程爆震實用程序將每個端口作為目標時,將引發這些錯誤。
When all three stages of the trigger sequence are met, an entry that says “OPEN SESAME,” is logged
當觸發序列的所有三個階段都滿足時,記錄為“ OPEN SESAME, ”的條目
The command to insert the rule into the
iptablesrules list is sent. It permits access via SSH on port 22 from the specific IP address of the PC that gave the correct secret knock (192.168.4.23).發送了將規則插入
iptables規則列表的命令。 它允許通過端口22上的SSH從提供正確密碼提示(192.168.4.23)的PC的特定IP地址訪問。- The user “dave” connects for a few seconds only, and then disconnects. 用戶“ dave”僅連接幾秒鐘,然后斷開連接。
- You see three closeSSH entries. These are raised as each port is targeted by the remote knock utility—it tells the port knocking host to close port 22. 您會看到三個closeSSH條目。 當遠程敲門實用程序將每個端口作為目標時,這些值會升高—告訴端口敲門主機關閉端口22。
- After all three stages are triggered, we get the “OPEN SESAME” message again. The command is sent to the firewall to remove the rule. (Why not “CLOSE SESAME” when it’s closing the port? Who knows?) 在所有三個階段都觸發之后,我們再次收到“ OPEN SESAME”消息。 該命令將發送到防火墻以刪除規則。 (為什么在關閉端口時不“ CLOSE SESAME”?誰知道?)
Now the only rule in the iptables rules list regarding port 22 is the one we typed at the beginning to close that port. So, port 22 is now closed again.
現在, iptables規則列表中關于端口22的唯一規則是我們在開始時鍵入的用于關閉該端口的規則。 因此,端口22現在再次關閉。
敲在頭上 (Knock It on the Head)
That’s port knocking’s parlor trick. Treat it as a diversion and don’t do it in the real world. Or, if you must, don’t rely on it as your only form of security.
那是敲門的客廳把戲。 將其視為轉移,不要在現實世界中使用。 或者,如果必須,請不要將其作為唯一的安全性形式。
翻譯自: https://www.howtogeek.com/442733/how-to-use-port-knocking-on-linux-and-why-you-shouldnt/
WebSphere的web工程中怎么獲取數據源)
