4

I'm trying to configure port knocking on my RasPI running Raspbmc, using knockd.

Here's what I've done:

sudo apt-get update
sudo apt-get install knockd

...then edited the files:

/etc/default/knockd :

# PLEASE EDIT /etc/knockd.conf BEFORE ENABLING
START_KNOCKD=1

/etc/knockd.conf:

[options]
        logfile = /var/log/knockd.log

[open_close-PPTP_VPN]
        sequence      = 3141,5926,5359
        seq_timeout   = 10
        tcpflags      = syn,ack
        start_command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 1723 -j ACCEPT
        cmd_timeout   = 45
        stop_command  = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 1723 -j ACCEPT

then start the daemon:

sudo service knockd restart

Check it's up:

ps aux |grep knoc

=>

root     12560  0.0  1.1   6028  4424 ?        Ss   02:55   0:00 /usr/sbin/knockd -d
pi       12877  0.0  0.1   1972   612 pts/1    S+   02:57   0:00 grep knoc

Capture packets to see what's happening on the wire.

sudo tcpdump 'src 211.212.77.33 and portrange 3000-6000 and tcp' -nn

Now test (from an Android phone, using 3G data and the Port Knocker app); here's the output (192.168.1.31 is the IP of the RasPi).

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
02:56:15.244087 IP 211.212.77.33.55399 > 192.168.1.31.3141: Flags [S], seq 3126604301, win 14600, options [mss 1460,sackOK,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,wscale 3], length 0
02:56:15.528594 IP 211.212.77.33.55405 > 192.168.1.31.5926: Flags [S], seq 2477232254, win 14600, options [mss 1460,sackOK,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,wscale 3], length 0
02:56:15.824344 IP 211.212.77.33.55408 > 192.168.1.31.5359: Flags [S], seq 154955077, win 14600, options [mss 1460,sackOK,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,wscale 3], length 0

Nice and dandy, 3 TCP packets, each about 300 ms apart, on the correct ports.

...but watching iptables -L -n shows no changes in the iptables config.

Also, there's nothing in the knockd log file except the 'server started message'.

It appears the knockd server either doesn't receive the packets, or fails to recognize them...

I even tried touch /tmp/knock.txt as the start command, but of course the file failed to make an appearance.

Any suggestions?

Cristian Diaconescu
  • 425
  • 3
  • 7
  • 17

2 Answers

4

Cracked it.

TLDR: Use this line:

tcpflags      = syn

instead of this :

tcpflags      = syn,ack

Long story:

I found it useful when debugging to run the knockd daemon in interactive mode:

sudo service knockd stop
sudo knockd -D -v

This way the daemon runs in the foreground and prints its configuration and then real-time status messages.

I then tried port-knocking from the mobile phone. Packets got through (verified with tcpdump) but no response from knockd.

As suggested by @lenik in a comment, I edited /etc/knockd.conf and commented out the tcpflags line.

Insert another coin... (restart the knockd daemon...) and success! Status update messages started coming in!

Apparently, the config line:

tcpflags      = syn,ack

...means: "only look at packets that have BOTH the SYN and the ACK flags set", which, while technically possible, is unlikely to happen.

In my tests, I found from the tcpdump output that the actual knock packets (with flag SYN) were shortly (1-2 sec) followed by an equal number of packets, using the same destination ports, but with the RST flag set - sometimes, but not always, in the same order.

This sometimes created duplicated entries in the iptables rules.

In the end, what worked for me was:

tcpflags      = syn

I assume the following would also work (didn't test):

tcpflags      = syn,!rst

Now if I could only figure out why Vodafone Romania is blocking the PPTP port on their 3G plan...

Cristian Diaconescu
  • 425
  • 3
  • 7
  • 17
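The whole answer turns on how knockd reads the tcpflags line: every flag listed must be set (or clear, when prefixed with !), and flags that are not listed are ignored. As an added example, not code from the answer or from knockd itself, the script below replays a small constructed capture (the three SYN knocks from the question's tcpdump output, followed by the RST packets the answer describes) through a simplified model of that check and of knockd's sequence tracking, for each of the four tcpflags settings discussed. The model is an assumption about knockd's behaviour (a packet failing the flag check is ignored, a matching packet on the wrong port aborts the attempt, seq_timeout and cmd_timeout are not modelled); the port numbers and packet flags are taken from the page, the RST flag values are constructed.

```shell
#!/usr/bin/env bash
# Added example: replays a constructed capture through a simplified model of
# knockd's tcpflags check and sequence tracking.  Not knockd's own code.

KNOCK_SEQUENCE="3141 5926 5359"   # the door from /etc/knockd.conf in the question

# Constructed capture, one "dport flags" pair per line: the three SYN knocks
# from the tcpdump output, then the RST follow-ups the answer describes.
# tcpdump flag letters: S=SYN, .=ACK, R=RST, F=FIN, P=PSH, U=URG.
CAPTURE='3141 S
5926 S
5359 S
3141 R.
5926 R.
5359 R.'

# knockd_flags_match SPEC FLAGS
# SPEC is a knockd tcpflags value ("syn", "syn,ack", "syn,!rst", or empty for
# no tcpflags line); FLAGS is the tcpdump bracket content of one packet.
# Every listed flag must be set (or clear when prefixed with '!'); flags not
# listed are ignored.  Returns 0 on match, 1 on mismatch, 2 on a bad spec.
knockd_flags_match() {
  local spec="$1" flags="$2" token letter want
  local IFS=','
  for token in $spec; do
    want=set
    case "$token" in '!'*) want=clear; token="${token#!}" ;; esac
    case "$token" in
      syn) letter=S ;; ack) letter=. ;; rst) letter=R ;;
      fin) letter=F ;; psh) letter=P ;; urg) letter=U ;;
      *) echo "unknown tcpflags token: $token" >&2; return 2 ;;
    esac
    case "$flags" in
      *"$letter"*) [ "$want" = set ]   || return 1 ;;
      *)           [ "$want" = clear ] || return 1 ;;
    esac
  done
  return 0
}

seq_port() {   # seq_port N -> Nth port (1-based) of KNOCK_SEQUENCE
  local n="$1"
  set -- $KNOCK_SEQUENCE
  shift "$((n - 1))"
  printf '%s\n' "$1"
}

# count_opens SPEC
# Feeds CAPTURE through the door: a packet failing the flag check is ignored
# outright; a matching packet on the next expected port advances the attempt;
# a matching packet on any other port aborts it (simplification, no timeouts).
# Prints how many times the full sequence completed, i.e. how many times
# start_command would have run and inserted an ACCEPT rule for %IP%.
count_opens() {
  local spec="$1" opens=0 stage=0 seqlen dport flags expected
  set -- $KNOCK_SEQUENCE
  seqlen=$#
  while read -r dport flags; do
    [ -n "$dport" ] || continue
    knockd_flags_match "$spec" "$flags" || continue
    expected=$(seq_port "$((stage + 1))")
    if [ "$dport" = "$expected" ]; then
      stage=$((stage + 1))
      if [ "$stage" -eq "$seqlen" ]; then
        opens=$((opens + 1))
        stage=0
      fi
    else
      stage=0
    fi
  done <<EOF
$CAPTURE
EOF
  echo "$opens"
}

# Expected: syn,ack -> 0, (none) -> 2 (the duplicated rules), syn -> 1, syn,!rst -> 1
for spec in "syn,ack" "" "syn" "syn,!rst"; do
  printf 'tcpflags = %-8s -> sequence completed %s time(s)\n' \
    "${spec:-(none)}" "$(count_opens "$spec")"
done
```

With no tcpflags line the RST packets walk the sequence a second time, which is where a second start_command run, and a second copy of the ACCEPT rule, would come from; syn alone and syn,!rst both count the knock exactly once.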
0
start_command = sudo /sbin/iptables -I INPUT -s %IP% -p tcp --dport 1723 -j ACCEPT

Where is the sudo password coming from? Since this command is supposed to be issued by the daemon, you'd better replace it with (no sudo):

start_command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 1723 -j ACCEPT
lenik
  • 11,533
  • 2
  • 32
  • 37
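Since knockd runs start_command and stop_command itself as root, the commands can be a small script rather than a bare iptables call. As an added example, not code from the question or either answer, the wrapper below makes the door idempotent: it inserts the ACCEPT rule only when iptables -C says it is not already there, and deletes every copy on close, so a knock that gets counted twice (as in the duplicated entries the first answer describes) cannot leave a stray ACCEPT rule behind after a single -D. The script path, the knock-door name and the iptables stand-in used for the offline demo are assumptions; iptables -C (--check) needs iptables 1.4.11 or newer.

```shell
#!/usr/bin/env bash
# Added example, not from the question or either answer: an idempotent
# replacement for the door's start_command/stop_command.  Intended
# /etc/knockd.conf usage (path and script name are assumptions; no sudo,
# knockd already runs as root):
#   start_command = /usr/local/sbin/knock-door open  %IP% 1723
#   stop_command  = /usr/local/sbin/knock-door close %IP% 1723

IPTABLES="${IPTABLES:-/sbin/iptables}"   # replaced by a stand-in in the demo below

door_open() {   # door_open IP PORT: insert the ACCEPT rule unless it already exists
  local ip="$1" port="$2"
  if "$IPTABLES" -C INPUT -s "$ip" -p tcp --dport "$port" -j ACCEPT 2>/dev/null; then
    return 0    # already open for this client: do not insert a duplicate
  fi
  "$IPTABLES" -I INPUT -s "$ip" -p tcp --dport "$port" -j ACCEPT
}

door_close() {  # door_close IP PORT: keep deleting until no copy of the rule is left
  local ip="$1" port="$2"
  while "$IPTABLES" -C INPUT -s "$ip" -p tcp --dport "$port" -j ACCEPT 2>/dev/null; do
    "$IPTABLES" -D INPUT -s "$ip" -p tcp --dport "$port" -j ACCEPT
  done
}

# Constructed stand-in for iptables so the logic can be exercised without root:
# the INPUT chain is a string of "|rule|" entries; supports -C, -I and -D only.
FAKE_CHAIN=""
fake_iptables() {
  local op="$1"; shift
  local rule="$*"
  case "$op" in
    -C) case "$FAKE_CHAIN" in *"|$rule|"*) return 0 ;; *) return 1 ;; esac ;;
    -I) FAKE_CHAIN="|$rule${FAKE_CHAIN:-|}" ;;          # insert at the top
    -D) FAKE_CHAIN="${FAKE_CHAIN/"|$rule|"/|}" ;;       # delete first match only
    *)  echo "fake_iptables: unsupported option $op" >&2; return 2 ;;
  esac
}
fake_rule_count() {   # number of rules currently in the stand-in chain
  local bars="${FAKE_CHAIN//[^|]/}"
  echo $(( ${#bars} > 0 ? ${#bars} - 1 : 0 ))
}

case "${1:-demo}" in
  open)  door_open  "$2" "$3" ;;
  close) door_close "$2" "$3" ;;
  demo)  # a knock counted twice, then one close: one rule, then none
    IPTABLES=fake_iptables
    door_open  211.212.77.33 1723
    door_open  211.212.77.33 1723
    echo "rules after two opens: $(fake_rule_count)"   # 1, not 2
    door_close 211.212.77.33 1723
    echo "rules after close:     $(fake_rule_count)"   # 0
    ;;
esac
```

Run with no arguments it exercises the stand-in only; installed as the start_command/stop_command it touches the real INPUT chain, so the stand-in never needs to be on the Pi.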