Port Knocking (Raspberry Pi)

What is it?

Port knocking works by running a service (here knockd) that watches a network interface for connection attempts to ports the firewall keeps closed. If a specific, predefined sequence of connection attempts (the "knocks") arrives from one source address within a short time window, the service modifies the firewall rules and opens a specific port, normally for that source address only.

This is useful for services that only a known set of legitimate users should reach, like SSH: a port scan shows 22 as closed, and automated brute-force attempts never reach sshd. It is obscurity, not authentication; anyone who can sniff the path (or the knocking machine) sees the sequence, so keep key-based login and the usual SSH hardening in place behind it.

Server Setup on Pi

Ensure you have a firewall installed (UFW = Uncomplicated Firewall). Do this from the Pi's own console, or with a second way in, because once SSH is denied the only way back in is a working knock:

sudo apt install ufw
sudo ufw enable

and deny SSH (ufw's default policy already denies incoming traffic; this makes the rule explicit):

sudo ufw deny 22

sudo apt-get update
sudo apt-get install knockd

Edit /etc/default/knockd so the daemon is allowed to start, and point it at the interface the knocks will arrive on (wlan0 here; use eth0 on a wired Pi):

sudo nano /etc/default/knockd

# control if we start knockd at init or not
# 1 = start
# anything else = don't start
# PLEASE EDIT /etc/knockd.conf BEFORE ENABLING
START_KNOCKD=1

# command line options
KNOCKD_OPTS="-i wlan0"
Now the knock sequences themselves:

sudo nano /etc/knockd.conf

[options]
        UseSyslog

[openSSH]
        sequence    = 7000,8000,9000
        seq_timeout = 5
        command     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
        tcpflags    = syn

[closeSSH]
        sequence    = 9000,8000,7000
        seq_timeout = 5
        command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
        tcpflags    = syn

Notes on the rules: the close sequence must use -D (delete) with exactly the same rule specification as the open sequence; with -I it would insert a second ACCEPT instead of removing the first, and the port would stay open. -I puts the ACCEPT at the top of the INPUT chain, ahead of the chains ufw installs, so it wins over the ufw deny rule; -A would append it after ufw's DROP and it would never match. tcpflags = syn means only the initial SYN of a connection attempt counts as a knock, and %IP% is replaced with the knocking host's source address, so only that host is let in.
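A variant worth knowing about, added here as an example (it is not from the original post; the option names are knockd's own, described in the knockd(1) man page): a single door that opens port 22 for the knocker and closes it again after cmd_timeout seconds, so a user who forgets the close sequence does not leave the port open. Port numbers and the 15 second window are illustrative.

```ini
[options]
        UseSyslog

[opencloseSSH]
        sequence      = 7000,8000,9000
        seq_timeout   = 5
        tcpflags      = syn
        ; --syn limits the ACCEPT to new connections from the knocker
        start_command = /sbin/iptables -I INPUT -s %IP% -p tcp --syn --dport 22 -j ACCEPT
        ; seconds between start_command and stop_command
        cmd_timeout   = 15
        ; same rule spec, -D instead of -I, so the rule is removed cleanly
        stop_command  = /sbin/iptables -D INPUT -s %IP% -p tcp --syn --dport 22 -j ACCEPT
```

The knocker has 15 seconds to start the ssh session. A session opened inside that window keeps working after the rule is deleted, because ufw's before.rules accept packets of ESTABLISHED connections; only new connection attempts are blocked again.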

To see the output while testing, stop the service and run knockd in the foreground with debug (-D) and verbose (-v) output:

sudo service knockd stop
sudo knockd -D -v

To see whether the rule was applied, from another console (the ACCEPT for your source address should be the first rule in the INPUT chain):

sudo iptables-save

For normal operation

The Raspberry Pi *should* auto-start the knockd service at startup; however, I found it didn't and needed to add these steps:

sudo nano /lib/systemd/system/knockd.service

Edit the file as follows:

[Unit]
Description=Port-Knock Daemon
After=network-online.target
Wants=network-online.target
Before=sshd.service
Documentation=man:knockd(1)

[Service]
EnvironmentFile=-/etc/default/knockd
ExecStart=/usr/sbin/knockd $KNOCKD_OPTS
ExecReload=/bin/kill -HUP $MAINPID
KillMode=mixed
SuccessExitStatus=0 2 15
ProtectSystem=full
CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN

[Install]
WantedBy=multi-user.target
Alias=knockd.service

Tell it to start knockd at startup:

sudo systemctl enable knockd.service

Finally start the service

sudo service knockd start

Client Applications (The Knocker)

OS        Application
OSX       KnockIt!
Windows
Android   Port Knocker
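The matching described under "What is it?" and the client side listed above, as an added example. This Python is written for this page; it is not knockd's source and not the original post's code. KnockMatcher is a simplified model of how knockd tracks one [door] sequence per source address (the class and function names are mine), knock() is a minimal client that does what the knock CLI shipped with knockd does, and the SYN arrivals in demo_events() are constructed for the example.

```python
"""Port knocking, both ends: a minimal client and a model of knockd's matching.

Example code for this page, not knockd's source and not the original post's.
"""
import socket
import time


def knock(host, ports, delay=0.2, timeout=1.0):
    """Send one TCP connection attempt (a SYN) to each port, in order.

    The knock ports are dropped on the server, so connect() is expected to be
    refused or to time out; the SYN itself is the knock. Returns a list of
    (port, errno) pairs, errno 0 meaning the connect actually succeeded.
    """
    results = []
    for port in ports:
        err = 0
        try:
            with socket.create_connection((host, port), timeout=timeout):
                pass
        except OSError as exc:             # refused / timed out: expected
            err = exc.errno or -1
        results.append((port, err))
        time.sleep(delay)                  # keep the knocks in arrival order
    return results


class KnockMatcher:
    """Model of knockd's per-source matching for one [door] section.

    sequence:    TCP ports that must be hit in exactly this order
    seq_timeout: seconds allowed from the first knock to the last
    knockd captures only packets to ports named in some door's sequence, so a
    SYN to any other port (e.g. 22) neither advances nor resets an attempt;
    a SYN to a sequence port that is not the expected one fails the attempt.
    """

    def __init__(self, sequence, seq_timeout):
        self.sequence = [int(p) for p in sequence]
        self.seq_timeout = float(seq_timeout)
        self._progress = {}     # src_ip -> (next_index, time_of_first_knock)
        self.opened = []        # src_ips that completed the sequence

    def on_syn(self, src_ip, dport, now):
        """Feed one captured SYN. Returns True when src_ip completes the door."""
        if dport not in self.sequence:
            return False                        # outside the capture filter
        idx, started = self._progress.get(src_ip, (0, now))
        if idx > 0 and now - started > self.seq_timeout:
            idx, started = 0, now               # too slow: start over
        if dport != self.sequence[idx]:
            if dport != self.sequence[0]:
                self._progress.pop(src_ip, None)  # wrong port: attempt fails
                return False
            idx, started = 0, now               # first port again: fresh attempt
        idx += 1
        if idx == len(self.sequence):
            self._progress.pop(src_ip, None)
            self.opened.append(src_ip)          # here knockd would run `command`
            return True
        self._progress[src_ip] = (idx, started)
        return False


def demo_events():
    """Constructed SYN arrivals for the demo: (seconds, src_ip, dport)."""
    return [
        (0.0, "10.0.0.9", 7000),   # scanner starts the right sequence...
        (0.5, "10.0.0.5", 22),     # legitimate user tries SSH first: ignored
        (1.0, "10.0.0.5", 7000),
        (1.5, "10.0.0.7", 7000),
        (1.8, "10.0.0.7", 9000),   # wrong order: attempt fails
        (2.0, "10.0.0.5", 8000),
        (2.1, "10.0.0.7", 8000),   # not the first port: nothing restarts
        (3.0, "10.0.0.9", 8000),
        (3.0, "10.0.0.5", 9000),   # three knocks in 2 s: door opens
        (9.0, "10.0.0.9", 9000),   # ...but 9 s > seq_timeout of 5: fails
    ]


def run_demo(events=None):
    """Replay the events through the door from the page's config; return who got in."""
    door = KnockMatcher(sequence=(7000, 8000, 9000), seq_timeout=5)
    for when, src, dport in (events or demo_events()):
        door.on_syn(src, dport, when)
    return door.opened


if __name__ == "__main__":
    print("opened for:", run_demo())
    # Real use: knock("pi.local", [7000, 8000, 9000]), then ssh pi.local
```

Only 10.0.0.5 gets the ACCEPT rule: the out-of-order knocker is reset by its wrong port, and the slow one loses to seq_timeout even though its order was right. The SSH attempt before the knock changes nothing, which is why the knock ports should be ones no legitimate traffic ever uses.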

SuperPET with 6809 emulation using VICE

I learned how to program originally on a SuperPET using Waterloo APL, now you can torture yourself as well:
 
xpet +sound -truedrive -superpet -cpu6809
-model SuperPET -drive8type 8050 -drive9type 8050 -drive10type 8050 -drive11type 8050
-8 DISKS\os9-systemdisk.d80
-9 DISKS\sp9000lang.d80
-10 DISKS\sp9000tut.d80
 
Important Tip: You *must* have the OS9 disk in drive 8.
 
Additional Docs: