Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Port Knocking configuration using OpenBSD with knockd on SSH
# Port Knocking configuration using OpenBSD with knockd on SSH
#! DISCLAIMER !
# OpenBSD isn't an OS for Unix novices, thus I will omit deep details and just make some assumptions about your configuration
# Port Knocking, despite being a known network stealthing technique, was implemented essentially for Linux, I made a reliable, stable and portable configuration for OpenBSD (might also work for FreeBSD)
# install
export PKG_PATH=http://ftp.openbsd.org/pub/OpenBSD/6.1/packages/amd64/
pkg_add autoconf
pkg_add automake
export AUTOCONF_VERSION=2.69
export AUTOMAKE_VERSION=1.14
git clone https://github.com/jvinet/knock
compile
/sbin/knockd -i re0 -c /usr/local/etc/knockd.conf
# Packet Filter
/etc/pf.conf:
block all
pass out
# Port Knocking
/usr/local/etc/knockd.conf:
[options]
logfile = /var/log/knockd.log
[opencloseSSH]
sequence = 443:tcp, 80:tcp
# ports of HTTPS and HTTP are selected because, they are less likely to be filtered if you're behind a restrictive firewall and can be done by a web browser whereas
port scanners won't have such behavior, but you're still encouraged to change them if you desire so
seq_timeout = 1
tcpflags = syn
start_command = /bin/echo 'pass in on re0 proto tcp from %IP% to re0:0 port 22' >> /etc/pf.conf && /sbin/pfctl -f /etc/pf.conf
cmd_timeout = 10
stop_command = /usr/bin/sed -i '$ d' /etc/pf.conf && /sbin/pfctl -f /etc/pf.conf
# this will open SSH port on interface re0 for 10 seconds which will allow you to connect and since, PF is a state-full firewall, it won't block already established connection
# note that it is a mistake to think that I reload all of PF rules, this is true for Netfilter (iptables), but PF will change the rules in a smart manner
# connecting from your PC
sudo aptitude install knock || yaourt knock || echo 'you know what to do'
knock $IP 443 80
ssh $IP
# I advise to repeat it few times in order to avoid network delays and lost packets in some circumstances
# alternatively, you can also use your web browser or wget
firefox https://$IP || wget https://$IP
firefox http://$IP || wget http://$IP
ssh $IP
@SubZr0
Copy link

SubZr0 commented Jul 19, 2017

Hi,

make gives my trouble:

bash-4.4# make
make all-am
make: don't know how to make doc/knock.1 (prerequisite of: all-am)

any thoughts?

bash-4.4# uname -a
OpenBSD knockd.demo.local 6.1 GENERIC.MP#20 amd64
bash-4.4#

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment