# Port knocking with knockd - nothing happened... [Closed]

## ronenb75

Hi,

Ive been trying to use port knocking with no luck so far.

Im using knockd.

My /etc/knockd.conf:

```
[options]
        logfile = /var/log/knockd.log

[openSSH]
              sequence    = 6000
              seq_timeout = 500
              command     = /sbin/iptables -A INPUT -s 10.0.0.1 -j ACCEPT
```

(just for testing purpose)

Running knockd (as root):

```
knockd -i eth0 -v -D
```

Getting this:

```
config: new section: 'options'
config: log file: /var/log/knockd.log
config: new section: 'openSSH'
config: openSSH: sequence: 6000:tcp
config: openSSH: protocol: (null)
config: openSSH: seq_timeout: 500
config: openSSH: start_command: /sbin/iptables -A INPUT -s 10.0.0.1 -j ACCEPT
ethernet interface detected
listening on eth0...
----snipp -----
192.168.0.10: openSSH: Stage 1
removing successful knock attempt (192.168.0.10)
----snipp -----
```

But nothing is added to the iptables rule list.

Any ideas why?

What does the "removing successful knock attempt" mean?

----------

## ronenb75

I don't know what was happening, I've just upgraded to the masked knockd-0.4 and played around with the configuration file - and it's working just fine....

----------

## luigi6699

I'm having a very similar problem!  Even in debug mode, my knockd doesn't flinch when I knock.  Verbose output as follows:

```
config: new section: 'options'
config: log file: /var/log/knockd.log
config: interface: eth1
config: new section: 'openwiki'
config: openwiki: sequence: 4240:udp,8448:udp,9052:udp
config: openwiki: seq_timeout: 5
config: openwiki: start_command: /sbin/iptables -A INPUT -i eth1 -s %IP% -p tcp --dport 80 -j ACCEPT
config: new section: 'closewiki'
config: closewiki: sequence: 9052:tcp,8448:tcp,4240:tcp
config: closewiki: seq_timeout: 5
config: closewiki: start_command: /sbin/iptables -D INPUT -i eth1 -s %IP% -p tcp --dport 80 -j ACCEPT
config: tcp flag: SYN
ethernet interface detected
Local IP: 24.83.235.86
listening on eth1...
```

and it just waits there until I kill it with ctrl+C.  That's the same output I get in logs.

knockd.conf:

```
[options]
        logfile = /var/log/knockd.log
        interface = eth1

[openwiki]
        sequence    = 4240,8448,9052
        seq_timeout = 5
        command     = /sbin/iptables -A INPUT -i eth1 -s %IP% -p tcp --dport 80 -j ACCEPT

[closewiki]
        sequence    = 9052,8448,4240
        seq_timeout = 5
        command     = /sbin/iptables -D INPUT -i eth1 -s %IP% -p tcp --dport 80 -j ACCEPT
```

Other points of note: I'm using 2005.0, the latest rc.firewall script from http://projectfiles.com/firewall/ with NAT enabled, and tcpwrappers.  I've commented out everything in hosts.deny for testing purposes. I've tried using udp, to no avail.  I'm using the win32 client for knock, which appears to function perfectly.

Any suggestions???

----------

## ronenb75

Well,

It looks like you've done it all o.k.

For me, I found out that the problem was that I was using the knocking along with an ssh session connected - which leads to packets in between the knock sequence - not too smart....

When I closed the ssh session and the only thing coming to my FW machine from the specified IP was the knock packets - the door opened.

Another thing - I've tried to use UDP but it seemed not to work for me - only TCP. Maybe it was before I'd picked up the ssh thing...

BTW, I'm not using the Firewall script - I've done all the FW by myself. So I dunno exactly what the script does and what the impacts are.

Try running knockd with both -v -D switches, this is much more verbose but you could see if something is happening.

----------

## luigi6699

You were right!  It was because I had an SSH shell open.  Boy am I clever... jeez.  Thanks for the help!

----------

## ronenb75

Take comfort that you're not the only dumb one.....

I looked at it for a few days until I realized I was using SSH on that machine....

Hope I could help

----------

## Tightwork

Even though I am connected to my knockd machine via ssh, shouldn't I still see something in the log when I knock?

----------

## luigi6699

the portknock daemon listens for hits on a set of ports IN SEQUENCE.  If there is traffic in between the hits, that is not in sequence.

For instance, if my daemon is listening for the port sequence 5996 2044 2060, it will NOT respond to 5996 22 22 2044 22 22 22 2060 .  All those "22"s ruin the sequence... when you have an ssh connection open to the server at the same time as you are knocking, that's exactly what the port hits will look like.

I'm not sure how it works with connections to other IPs - for instance, what if someone else is ssh'ed into the server while I am knocking?  Or two people knocking at the same time?  UDP doesn't include IP information, so knockd can't tell the difference between us, right?  Maybe it looks for the same originating mac address.

----------

## tuxmin

Wait, wait, you mix it all up. UDP actually belongs to the IP protocol suite, hence it is encapsulated in an IP frame!

Look here for details.

As for the MAC addresses, these are normally the same from knockd's point of view as the originating address is always that of the next hop router.

So my guess is that knockd at least should be that smart that it pins a sequence to the originating IP address, otherwise it should be rather difficult to get the sequence right on a high traffic system.

Hth, Alex!!!

----------

## ronenb75

As you were saying: the knock daemon listens for the sequence from a specific IP, which means that you can get or send packets to other IPs without ruining the sequence.

I never tried to knock from more than one IP at once, but as far as I could see - this is not a problem, it can get several knocks at once, from different IPs without getting confused....

----------
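The sequence-matching behaviour described in this thread (luigi6699's point that traffic in between the hits breaks the sequence, and ronenb75's point that the daemon tracks each source IP separately), as an added model written for this page rather than knockd's own code. The addresses, ports and packet timings are constructed; knockd's real pcap filtering and timeout bookkeeping are not reproduced here.

```python
# Added model of knockd-style knock matching as described in the thread:
# one attempt per source IP; a hit on the wrong port discards that attempt.
# Illustration only, not knockd's implementation.
from dataclasses import dataclass, field


@dataclass
class KnockMatcher:
    sequence: tuple            # ports in order, e.g. (5996, 2044, 2060)
    seq_timeout: float = 5.0   # seconds the whole sequence may take
    stage: dict = field(default_factory=dict)   # src_ip -> (next_idx, started)
    opened: list = field(default_factory=list)  # sources that completed

    def packet(self, src_ip, dport, now):
        """Feed one inbound packet (source IP, dst port, timestamp); return a log line."""
        idx, started = self.stage.get(src_ip, (0, now))
        if idx and now - started > self.seq_timeout:
            idx, started = 0, now                  # attempt expired, start over
        if dport == self.sequence[idx]:
            idx += 1
            if idx == len(self.sequence):
                self.stage.pop(src_ip, None)
                self.opened.append(src_ip)
                return f"{src_ip}: OPEN (sequence complete)"
            self.stage[src_ip] = (idx, started)
            return f"{src_ip}: Stage {idx}"
        self.stage.pop(src_ip, None)               # wrong port: attempt discarded
        return f"{src_ip}: out of sequence (port {dport}), attempt reset"


def run(sequence, packets):
    """Replay constructed packets through a fresh matcher; return (log, opened)."""
    m = KnockMatcher(sequence)
    return [m.packet(*p) for p in packets], m.opened


SEQ = (5996, 2044, 2060)
CLIENT, OTHER = "192.168.0.10", "192.168.0.20"    # constructed addresses
# 1) clean knock from one host
CLEAN = [(CLIENT, 5996, 0.0), (CLIENT, 2044, 0.5), (CLIENT, 2060, 1.0)]
# 2) same knock with the client's own open SSH session interleaved (port 22)
WITH_SSH = [(CLIENT, 5996, 0.0), (CLIENT, 22, 0.1), (CLIENT, 22, 0.2),
            (CLIENT, 2044, 0.5), (CLIENT, 22, 0.6), (CLIENT, 2060, 1.0)]
# 3) clean knock while a different host is using SSH at the same time
OTHER_SSH = [(CLIENT, 5996, 0.0), (OTHER, 22, 0.1), (CLIENT, 2044, 0.5),
             (OTHER, 22, 0.6), (CLIENT, 2060, 1.0)]

if __name__ == "__main__":
    for name, pkts in (("clean", CLEAN), ("ssh open", WITH_SSH), ("other host ssh", OTHER_SSH)):
        log, opened = run(SEQ, pkts)
        print(name, "->", opened or "not opened")
        print("\n".join("   " + line for line in log))
```

Running it shows the first and third scenarios opening for 192.168.0.10 while the second never gets past Stage 1, which is the symptom both posters hit with an SSH shell open.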

