芝麻开门…

测试环境:CentOS7.4

在服务器上安装knockd

yum install -y rpm-build gcc libpcap-devel
curl -OL http://www.invoca.ch/pub/packages/knock/RPMS/ils-7/SRPMS/knock-0.7-1.el7.src.rpm
rpmbuild --rebuild knock-0.7-1.el7.src.rpm
rpm -ivh /root/rpmbuild/RPMS/x86_64/knock-*

配置knockd

vi /etc/knockd.conf
参考配置

[options]
        UseSyslog
        logfile = /var/log/knockd.log
[openSSH]
        sequence    = 6666,7777,8888
        seq_timeout = 15
        command     = /bin/firewall-cmd --zone=public --add-rich-rule="rule family="ipv4" source address="%IP%" service name="ssh" accept"
        tcpflags    = syn

[closeSSH]
        sequence    = 8888,7777,6666
        seq_timeout = 15
        command     =/bin/firewall-cmd --zone=public --remove-rich-rule="rule family="ipv4" source address="%IP%" service name="ssh" accept"
        tcpflags    = syn

[openSSH]为例,用TCP依次连接服务器sequence列出的端口就会执行command的命令,该命令表示对发起该TCP连接的IP地址开放SSH服务,从而达到芝麻开门的效果

调试

服务器运行knockd -D -c /etc/knockd.conf
本地安装knock并运行knock -v IP 6666 7777 8888
其中IP要换成服务器的IP地址
检查服务器日志是否输出相关连接请求信息,确认无误后,执行以下命令:

/etc/init.d/knockd start
chkconfig knockd on
firewall-cmd --zone=public --remove-service=ssh

如果十分有把握,firewall-cmd命令可加参数--permanent。不加的话可以重启服务器以恢复SSH服务开放,以防万一。