Hello,
OS: SLES 15 SP 4, Knockd version: knockd-0.8-bp154.1.30.x86_64
Knockd service is configured for ssh. But when I run the close sequence to close the ssh port via firewalld, it didnt work, i.e ssh port remains open, as could be verified by the below output:
node2(192.168.164.136) is the knockd and ssh server, whereas ‘localhost’(192.168.164.137) is the client.
localhost:~ # date
Thu Jun 8 18:12:25 PKT 2023
localhost:~ # ssh node2
ssh: connect to host node2 port 22: No route to host
since ssh port is blocked by firewalld, hence connection refused, which is obvious/fine.
Now knocking the ports to open ssh:
localhost:~ # knock node2 2222 3333 4444
now ssh connection should be successfull
localhost:~ # ssh node2
Password:
Last login: Thu Jun 8 17:58:16 2023 from 192.168.164.137
enode2:~ # exit
logout
Connection to node2 closed.
Till now working just fine. But when I try to close the ports, it does not work.
localhost:~ # knock node2 5555 6666 7777
Still I can connect to ssh server(which shouldnt, as I knocked the ports to close the ssh connection)
localhost:~ # ssh node2
Password:
Last login: Thu Jun 8 18:12:45 2023 from 192.168.164.137
node2:~ #
Below is the ‘knockd -D’ output from the node2(ssh server)while I was connecting the ssh server:
2023-05-08 18:12:42: tcp: 192.168.164.137:53378 → 192.168.164.136:2222 74 bytes
removing successful knock attempt (192.168.164.137)
2023-05-08 18:12:42: tcp: 192.168.164.137:42502 → 192.168.164.136:3333 74 bytes
2023-05-08 18:12:42: tcp: 192.168.164.137:43246 → 192.168.164.136:4444 74 bytes
success
2023-05-08 18:12:57: tcp: 192.168.164.137:49636 → 192.168.164.136:5555 74 bytes
removing successful knock attempt (192.168.164.137)
2023-05-08 18:12:57: tcp: 192.168.164.137:46800 → 192.168.164.136:6666 74 bytes
2023-05-08 18:12:57: tcp: 192.168.164.137:59102 → 192.168.164.136:7777 74 bytes
Error: INVALID_RULE: no action, no log, no audit
closeSSH: command returned non-zero status code (122)
2023-05-08 18:13:12: tcp: 192.168.164.137:49638 → 192.168.164.136:5555 74 bytes
removing successful knock attempt (192.168.164.137)
2023-05-08 18:13:12: tcp: 192.168.164.137:46802 → 192.168.164.136:6666 74 bytes
2023-05-08 18:13:12: tcp: 192.168.164.137:59104 → 192.168.164.136:7777 74 bytes
Error: INVALID_RULE: no action, no log, no audit
closeSSH: command returned non-zero status code (122)
Knockd configuration:
node2:~ # cat /etc/knockd.conf
[options]
UseSyslog
logfile = /var/log/knockd.log[openSSH]
sequence = 2222:tcp,3333:tcp,4444:tcp
seq_timeout = 15
tcpflags = syn
command = /usr/bin/firewall-cmd --zone=public --add-rich-rule=“rule family=“ipv4” source address=”%IP%" service name=“ssh” accept"[closeSSH]
sequence = 5555:tcp,6666:tcp,7777:tcp
seq_timeout = 15
tcpflags = syn
command = /usr/bin/firewall-cmd --zone=public --remove-rich-rule=“rule family=“ipv4” source address=”%IP%" service name=“ssh” accept"
Firewall configuration:
node2:~ # firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: dhcpv6-client
ports:
protocols:
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
Please help, suggest.