root@knockd:~# vim /etc/default/knockd
# control if we start knockd at init or not
# 1 = start
# anything else = don't start
# PLEASE EDIT /etc/knockd.conf BEFORE ENABLING
START_KNOCKD=1
# command line options
KNOCKD_OPTS="-i ens192"
'找到 START_KNOCKD=0 一行,取消注释并将值设置为 1。接下来找到 KNOCKD_OPTS="-i eth1" 一行,取消注释,并把默认值替换为本机实际使用的网络接口(本例为 ens192)。'
启动knockd
root@knockd:~# systemctl enable knockd --now
Synchronizing state of knockd.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable knockd
Created symlink /etc/systemd/system/multi-user.target.wants/knockd.service -> /lib/systemd/system/knockd.service.
root@knockd:~# ps -ef | grep knockd
root 1196077 1 0 16:02 ? 00:00:00 /usr/sbin/knockd -i ens192
root 1196141 1195411 0 16:02 pts/0 00:00:00 grep knockd
添加拒绝SSH连接的规则
root@knockd:~# iptables -A INPUT -p tcp --dport 22 -j DROP
'别忘了永久保存。注意:这条规则会丢弃所有发往 22 端口的数据包;如果 INPUT 链中没有在它之前放行已建立连接的规则,当前正在使用的 SSH 会话也会被中断,建议先确认敲门流程可用再添加此规则。'
使用端口敲门
测试端口是否开启
PS C:\Users\rouge> nmap -sV -sT 192.168.33.37 -p22
Starting Nmap 7.95 ( https://nmap.org ) at 2024-07-01 16:36 中国标准时间
Nmap scan report for 192.168.33.37
Host is up (0.0010s latency).
PORT STATE SERVICE VERSION
22/tcp filtered ssh
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.48 seconds
使用
root@test:~# ssh root@192.168.33.37
ssh: connect to host 192.168.33.37 port 22: Connection timed out
'要想登录就要先敲门,输入正确的敲门端口序列,如下(序列在 /etc/knockd.conf 中定义;示例配置里的默认序列 7000 8000 9000 是公开的,正式环境应改用自定义序列):'
root@test:~# knock 192.168.33.37 7000 8000 9000
root@test:~# ssh root@192.168.33.37
The authenticity of host '192.168.33.37 (192.168.33.37)' can't be established.
ED25519 key fingerprint is SHA256:LF63DoFSFTFTJGAWsvFvWWc59LFSPNWx818HQpMjYwg.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.33.37' (ED25519) to the list of known hosts.
root@192.168.33.37's password:
Linux knockd 6.1.0-21-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.90-1 (2024-05-03) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Jul 2 01:23:46 2024 from 192.168.5.44
root@knockd:~# '成功敲门后,SSH 端口就处于开放状态,这时我们就可以通过 SSH 登录到服务器。'
'其他服务器想登录该服务器,要先进行敲门才能正常访问 SSH 端口。当客户端正确敲门后,服务端会在防火墙中插入一条放行策略,可使用 iptables -L 查看。'