How to safely connect from anywhere to your closed Linux firewall
In general, all the great ideas are the simple ones. Many times we see a great idea in practice and wonder why we didn't think of it before: it is just so simple... The first time I saw the knockd project I liked it instantly. The idea is so simple, yet so effective. Knockd is a port-knocking application that runs silently on a server, passively listening to network traffic. Once it sees a port sequence that has an action configured for it, it runs that action. We can see this as a remote control for our server: once we hit the right button, it takes the appropriate action!
How does a port knocker work?
- we install the port knocker daemon (knockd) on our server
- we configure some port sequences (tcp, udp, or both) and the appropriate action for each sequence.
- the knockd daemon runs in the background, passively watching the network interface at a low level. It is completely stealthy and does not open any ports on the server.
- once it sees a configured port sequence, it runs the action configured for that sequence.
To demonstrate its power, I will show a scenario with a server whose firewalled ssh port allows connections only from one static management IP. All the IPs are private ones for the sake of the example. Using knockd we will be able to connect to the server from another location that would normally be blocked.
Installing knockd
First you will need to install the knockd daemon. See the project home page for the program sources (or rpms and debs) that the author provides: http://www.zeroflux.org/cgi-bin/cvstrac.cgi/knock/wiki
On Debian (my test server) we can just install it from the main Debian repositories:
apt-get install knockd
Our closed firewall setup: we will use a closed SSH setup that allows connections to our server only from 192.168.0.100. The respective iptables rules look like:
iptables -L -n
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- 192.168.0.100 0.0.0.0/0 tcp dpt:22
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
These iptables rules will allow me to connect to the server from my management station using ssh, but will drop any other ssh connection. Now if I need to connect to the server from another location I have a problem... what choices do I have (besides knockd, of course)?
- either ask someone to disable the firewall from the console (sucks) or to add my IP to the allowed rules (better, but what if there is no one to help me with this?)
- or find some way to connect to my management station from my location (let's say I can't).
So you see how useful knockd can be in this situation... if I had configured my knockd daemon with the following rules (I will use the default port sequence for this example; you should never use this sequence, but choose your own port sequence):
/etc/knockd.conf:
[openSSH]
sequence = 7000,8000,9000
seq_timeout = 5
command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn
[closeSSH]
sequence = 9000,8000,7000
seq_timeout = 5
command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn
In this case I can just send the port sequence (I will be using the knock client). You can also send knocks to the server using other tools such as netcat, sendip, packit, hping or even telnet.
knock -v 192.168.0.102 7000 8000 9000
This has added the rule that allows me to connect to the server from my current location, using the iptables command configured above:
iptables -L -n
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- 192.168.0.103 0.0.0.0/0 tcp dpt:22
ACCEPT tcp -- 192.168.0.100 0.0.0.0/0 tcp dpt:22
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
Now I can safely connect to the server using ssh from my location (192.168.0.103). Once I am finished I send the knock that closes the hole in the firewall and returns me to my original rules:
knock -v 192.168.0.102 9000 8000 7000
Automatically closing rules:
If our firewall rules permit this approach, we can automatically close the holes opened in the firewall. This is useful because we might forget to send the closing knock and leave the rules open in the firewall. In order to use this, our firewall needs to allow established ssh connections and block only new (syn) ssh connections.
For example, our ssh-related iptables rules might look like this:
iptables -L -n
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 state ESTABLISHED
ACCEPT tcp -- 192.168.0.100 0.0.0.0/0 tcp dpt:22
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
Our knockd configuration looks like:
/etc/knockd.conf:
[opencloseSSH]
sequence = 7000,8000,9000
seq_timeout = 5
tcpflags = syn,ack
start_command = /usr/sbin/iptables -I INPUT -s %IP% -p tcp --syn --dport 22 -j ACCEPT
cmd_timeout = 25
stop_command = /usr/sbin/iptables -D INPUT -s %IP% -p tcp --syn --dport 22 -j ACCEPT
In this case, once we send the sequence we have 25 seconds to establish our ssh connection. After that the rule will be deleted.
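To make the two configuration styles above concrete, here is a small model of how a port knocker tracks sequences per source address. It is an added example written for this page, not knockd's own code: the Stanza/Knocker names, the packet trace and the 2222:udp,3333:tcp,4444:udp sequence used for the auto-closing stanza are all constructed here. The model applies seq_timeout (the whole sequence must finish within that many seconds, otherwise the attempt is forgotten), discards an attempt as soon as a wrong port is hit (which is why a linear port scan does not trigger it), and, for a stanza with cmd_timeout, runs the stop command that many seconds after the start command.

```python
from dataclasses import dataclass
from typing import Optional

# Added example (not knockd's code): per-source sequence tracking with the
# seq_timeout and cmd_timeout semantics of the [openSSH]/[closeSSH] and
# [opencloseSSH] stanzas shown in the article.

@dataclass
class Stanza:
    name: str
    sequence: list                        # [(port, "tcp"|"udp"), ...] in knock order
    seq_timeout: float                    # seconds allowed to finish the whole sequence
    cmd_timeout: Optional[float] = None   # if set, stop_command runs this long after start

@dataclass
class Attempt:
    index: int        # how many knocks of the sequence have been seen so far
    started: float    # timestamp of the first knock of this attempt

class Knocker:
    def __init__(self, stanzas):
        self.stanzas = stanzas
        self.attempts = {}        # (src, stanza name) -> Attempt
        self.pending_stops = []   # (due time, stanza name, src)
        self.events = []          # ("start"|"stop", stanza name, src)

    def packet(self, src, port, proto, ts):
        """Feed one observed SYN (or UDP datagram): source, dest port, protocol, time."""
        knock = (port, proto)
        for st in self.stanzas:
            key = (src, st.name)
            att = self.attempts.get(key)
            if att is not None and ts - att.started > st.seq_timeout:
                self.attempts.pop(key)          # too slow: forget the attempt
                att = None
            if att is not None and knock != st.sequence[att.index]:
                self.attempts.pop(key)          # wrong port: attempt discarded
                att = None
            if att is None:
                if knock != st.sequence[0]:
                    continue                    # not the first knock: ignore
                att = Attempt(index=0, started=ts)
            att.index += 1
            if att.index < len(st.sequence):
                self.attempts[key] = att        # keep waiting for the next knock
                continue
            self.attempts.pop(key, None)
            self.events.append(("start", st.name, src))   # command / start_command
            if st.cmd_timeout is not None:
                self.pending_stops.append((ts + st.cmd_timeout, st.name, src))
        return self.events

    def tick(self, now):
        """Run stop_command for every opened hole whose cmd_timeout has elapsed."""
        due = sorted(p for p in self.pending_stops if p[0] <= now)
        self.pending_stops = [p for p in self.pending_stops if p[0] > now]
        for _, name, src in due:
            self.events.append(("stop", name, src))
        return self.events

def run_demo():
    stanzas = [
        Stanza("openSSH",  [(7000, "tcp"), (8000, "tcp"), (9000, "tcp")], seq_timeout=5),
        Stanza("closeSSH", [(9000, "tcp"), (8000, "tcp"), (7000, "tcp")], seq_timeout=5),
        # constructed sequence for the auto-closing stanza, chosen to differ from
        # the article's so that both stanza styles can be exercised in one trace
        Stanza("opencloseSSH", [(2222, "udp"), (3333, "tcp"), (4444, "udp")],
               seq_timeout=5, cmd_timeout=25),
    ]
    kd = Knocker(stanzas)
    # constructed packet trace: (src, dport, proto, timestamp in seconds)
    trace = [
        ("192.168.0.103", 7000, "tcp", 0.0),    # a correct, quick knock ...
        ("192.168.0.103", 8000, "tcp", 1.0),
        ("192.168.0.103", 9000, "tcp", 2.0),    # ... opens ssh for .103
        ("192.168.0.104", 7000, "tcp", 10.0),   # right ports, but 7 s end to end ...
        ("192.168.0.104", 8000, "tcp", 13.0),
        ("192.168.0.104", 9000, "tcp", 17.0),   # ... exceeds seq_timeout: nothing
        ("192.168.0.105", 7000, "tcp", 20.0),   # sequential scan: the stray port
        ("192.168.0.105", 7001, "tcp", 20.1),   # 7001 resets the attempt, so the
        ("192.168.0.105", 8000, "tcp", 20.2),   # later 8000/9000 hits mean nothing
        ("192.168.0.105", 9000, "tcp", 20.3),
        ("192.168.0.103", 2222, "udp", 30.0),   # auto-closing stanza ...
        ("192.168.0.103", 3333, "tcp", 30.5),
        ("192.168.0.103", 4444, "udp", 31.0),   # ... opens, stop scheduled for 56.0
    ]
    for pkt in trace:
        kd.packet(*pkt)
    kd.tick(54.0)   # cmd_timeout not yet reached: hole still open
    kd.tick(56.0)   # 25 s elapsed: stop_command fires
    return kd.events

if __name__ == "__main__":
    for ev in run_demo():
        print(ev)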
Security implications
The knockd daemon listens passively to network traffic without opening any network ports. Even though it is practically impossible for an attacker to see that we are running knockd on the server and to guess the knock sequences we have configured, here are some general common-sense security rules:
- NEVER use default sequences. I deliberately used the default 7000,8000,9000 sequence in my example so as not to create yet another "default" pattern for people to copy. Choose your own port sequences.
- Use at least 3 ports in the sequence. If you are paranoid you can use as many ports as you like.
- Mix tcp ports (the default, if you do not specify the protocol) with udp ports: 9000:tcp,8000:udp,7000:tcp
Even if someone hits a configured sequence by mistake, try to limit the damage: choose proper timeouts for running the command, use strong passwords, etc.
Other usages: port knocking is not limited to firewall rules as in my example above. You can use it to run any command you might need. Just keep in mind the security implications of each of your defined port sequences: there is a big difference between someone hitting by mistake a sequence that opens the ssh port for 25 seconds (which still requires a proper user and password) and, for example, a command that reboots the server (which runs as soon as the sequence is seen).
I hope you found this information useful and that it helps you improve the security of your server (you can close those ports you left open because you were roaming, and use port knocking to safely connect to your server).
Note: the project page (and the default installed config file) add the iptables rules with -A. As you can see in my setup this would have been useless (it would have appended the rule after the DROP rule, thus doing nothing), so I have used the -I switch, which inserts the iptables rule at the beginning of the chain:
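The rules above are easy to state and easy to forget when a config is copied around. The following script, an added example for this page rather than anything shipped with knockd, audits a knockd.conf for them: a sequence equal to the default shown in this article, fewer than 3 knocks, a single protocol, a start_command with no cmd_timeout (so the hole never closes by itself), and a command that appends with -A instead of inserting with -I. The sample configuration embedded in it is constructed; the DEFAULT_SEQUENCES set only contains the two sequences from this page and should be extended with whatever your installed sample config uses. knockd.conf is INI-like, so Python's configparser reads it, with interpolation disabled because the %IP% placeholder would otherwise be rejected.

```python
import configparser

# Added example (not knockd's code): audit a knockd.conf against the
# common-sense rules from the article.

# Sequences to refuse: the article's default ones. Extend with anything your
# installed /etc/knockd.conf shipped with.
DEFAULT_SEQUENCES = {
    ((7000, "tcp"), (8000, "tcp"), (9000, "tcp")),
    ((9000, "tcp"), (8000, "tcp"), (7000, "tcp")),
}

def parse_sequence(text):
    """'7000,8000:udp,9000' -> ((7000,'tcp'), (8000,'udp'), (9000,'tcp'))."""
    knocks = []
    for item in text.split(","):
        port, _, proto = item.strip().partition(":")
        knocks.append((int(port), (proto or "tcp").lower()))   # tcp is knockd's default
    return tuple(knocks)

def audit_knockd_conf(text):
    """Return a list of (stanza, finding) tuples for weak settings."""
    # interpolation=None: otherwise '%IP%' in the commands raises an error
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    findings = []
    for stanza in cfg.sections():
        if stanza == "options":
            continue
        s = cfg[stanza]
        if "sequence" not in s:      # stanzas using one_time_sequences are out of scope here
            continue
        seq = parse_sequence(s["sequence"])
        if seq in DEFAULT_SEQUENCES:
            findings.append((stanza, "uses a well-known default sequence"))
        if len(seq) < 3:
            findings.append((stanza, f"only {len(seq)} knocks; use at least 3"))
        if len({proto for _, proto in seq}) < 2:
            findings.append((stanza, "single protocol; mix tcp and udp knocks"))
        if "start_command" in s and "cmd_timeout" not in s:
            findings.append((stanza, "start_command without cmd_timeout; hole never auto-closes"))
        for key in ("command", "start_command"):
            if key in s and " -A " in f" {s[key]} ":
                findings.append((stanza, f"{key} appends with -A; it may land after a DROP rule, use -I"))
    return findings

# Constructed sample: the article's [openSSH] stanza plus a deliberately weak one.
SAMPLE_CONF = """\
[options]
    logfile = /var/log/knockd.log

[openSSH]
    sequence    = 7000,8000,9000
    seq_timeout = 5
    command     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn

[weakSSH]
    sequence      = 1234,5678:udp
    seq_timeout   = 5
    start_command = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags      = syn
"""

if __name__ == "__main__":
    for stanza, finding in audit_knockd_conf(SAMPLE_CONF):
        print(f"[{stanza}] {finding}")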
command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
Also, in case you are using a different chain for ssh traffic in your iptables rules (as most people will probably do), you will want to change the commands to fit your setup.
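The -A versus -I point is just first-match chain traversal, and it is easy to check without touching a real firewall. Below is an added example for this page (not the article's or knockd's code) that models an iptables chain as a list walked top to bottom, builds the article's starting chain (ACCEPT from 192.168.0.100, then DROP for port 22), and shows that the rule knockd adds for a roaming address is only reached when inserted with -I. Rule, Packet and knock_result are names made up for the example; the model only handles source address and destination port.

```python
import ipaddress
from dataclasses import dataclass

# Added example (not the article's code): first-match model of an iptables
# chain, used to show why knockd's ACCEPT rule must be inserted (-I) rather
# than appended (-A) when a DROP rule for port 22 already sits in the chain.

@dataclass(frozen=True)
class Rule:
    target: str                 # "ACCEPT" or "DROP"
    src: str = "0.0.0.0/0"      # source address or network, as in iptables -s
    dport: int = 22

@dataclass(frozen=True)
class Packet:
    src: str
    dport: int

def matches(rule, pkt):
    in_src = ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src, strict=False)
    return in_src and pkt.dport == rule.dport

def verdict(chain, pkt, policy="DROP"):
    """Walk the chain top to bottom; the first matching rule decides."""
    for rule in chain:
        if matches(rule, pkt):
            return rule.target
    return policy               # nothing matched: the chain policy applies

def add_rule(chain, rule, switch):
    """Model 'iptables -A' (append at the end) versus 'iptables -I' (insert at the top)."""
    if switch == "-A":
        return chain + [rule]
    if switch == "-I":
        return [rule] + chain
    raise ValueError(switch)

def delete_rule(chain, rule):
    """Model 'iptables -D': remove the first rule matching the given spec."""
    chain = list(chain)
    chain.remove(rule)
    return chain

# The article's starting chain: ssh only from the management station, then DROP.
BASE_CHAIN = [Rule("ACCEPT", src="192.168.0.100"), Rule("DROP")]

def knock_result(roaming_ip, switch):
    """Verdict for a new ssh connection from roaming_ip after knockd added its rule."""
    opened = add_rule(BASE_CHAIN, Rule("ACCEPT", src=roaming_ip), switch)
    return verdict(opened, Packet(roaming_ip, 22))

if __name__ == "__main__":
    for switch in ("-A", "-I"):
        print(switch, "->", knock_result("192.168.0.103", switch))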
References:
http://www.zeroflux.org/cgi-bin/cvstrac.cgi/knock/wiki
5th July 2006, 21:38
[...] The idea is so simple, and though so effective. Knockd is a port-knocking application that silently runs on a server passively listening to network traffic. Once it will see a port sequence it has an action configured for it, it will run that action. Once we hit the right button it will take the appropriate action!read more | digg story 12:44 pm | [...]
5th July 2006, 21:59
great info - I’m going to try this out.
thanks!
5th July 2006, 22:56
[...] The idea is so simple, and though so effective. Knockd is a port-knocking application that silently runs on a server passively listening to network traffic. Once it will see a port sequence it has an action configured for it, it will run that action. Once we hit the right button it will take the appropriate action!read more | digg story [...]
5th July 2006, 23:04
Keep in mind, though, that this *is* vulnerable to observation attacks. You can configure a set of 25 ports mixing udp and tcp connections and no port scanner will ever hit it by accident. However, anyone who is able to intercept your traffic when you use your knock sequence *will* be able to determine your secret knock — unlike, say, ssh, which has strong protection against man-in-the-middle attacks sniffing passwords. knockd is quite useful, but you have to remember its limitations.
6th July 2006, 00:07
Michael,
You are correct and thanks for pointing that out. I have tried to outline the security implications while using knockd, but I have missed that point. Still the sniffing will not be so easy as sniffing a telnet or other clear text password application (as there exist many programs that will listen for passwords on common protocols). Probably the person that will sniff this will have to see a high amount of regular traffic hitting the server and find inside that traffic the knock sequence…
Anyway the idea is clear and correct… this can be sniffed by a host that sits between the server and the sender of the knocker.
Thanks,
- Marius -
6th July 2006, 00:47
[...] The idea is so simple, and though so effective. Knockd is a port-knocking application that silently runs on a server passively listening to network traffic. Once it will see a port sequence it has an action configured for it, it will run that action. Once we hit the right button it will take the appropriate action!read more | digg story [...]
6th July 2006, 01:16
You know what would be even cooler? If, for example, once an SSH session is established, there were a way to automatically change the knock sequence, so if the scenario Michael mentioned where someone intercepts the knock signal does occur, that knock sequence would be useless to them anyway because it would have randomly changed. If you encrypt the new knock sequence somehow using a pre-configured one-time pad or something similar, then it would be even more secure. You could even use a knock to send an encrypted version of a new knock, which the server would then listen for, and then change that second knock, similar to a two-way handshake. I can think of 1000’s of good ways to stop a standard man-in-the-middle attack on this. Overall, it’s a really slick way to run a firewall.
6th July 2006, 01:59
[...] The article here: http://www.ducea.com/2006/07/05/how-to-safely-connect-from-anywhere-to-your-closed-linux-firewall/ [...]
6th July 2006, 02:01
Good article, but it should be noted that Port knocking suffers from several problems:
1) Difficult to solve the replay problem.
2) Cannot transfer a reasonable amount of data. This precludes the use of asymmetric ciphers that have larger key sizes than block ciphers such as Rijndael.
3) Knocking sequences appear like port scans to any intermediate IDS.
4) Extremely easy for an attacker to bust knock sequences just by connecting to spurious ports using a spoofed source address equivalent to the real source of a knock sequence.
A better solution is called Single Packet Authorization (SPA) which retains all of the benefits of port knocking (service protection behind a default-drop packet filter), and solves all of the above problems:
http://www.cipherdyne.org/fwknop/
Fwknop is even compatible with GnuPG keys.
Here is a paper on why SPA is better than port knocking:
http://www.cipherdyne.org/fwknop/docs/SPA.html
6th July 2006, 03:08
Michael,
Thanks for your comment. Your software looks very interesting and I will give it a try (and maybe write some conclusions after that, linked to this post) with the first occasion when I have some spare time.
Cheers,
- Marius -
6th July 2006, 03:28
[...] read more | digg story [...]
6th July 2006, 05:52
cool idea to change the knock sequence automatically!
6th July 2006, 19:22
[...] I found this article on digg.com yesterday. A good little read on how to use my port knocker to take over the world (or just hide your own backdoor in your server). Same thing. Filed under: Tech | [...]
6th July 2006, 19:30
knockd supports a one-time-sequences setup, where the activation knock sequence will be rotated through a list of known sequences until the list is exhausted. The idea being that the admin can setup this list of sequences and keep a copy with him/her without having to worry about an intruder using a replay attack.
See the one_time_sequences configuration directive on the knockd page.
7th July 2006, 00:23
[...] How to safely connect from anywhere to your closed Linux firewall (tags: sysadmin firewall security iptables linux) [...]
7th July 2006, 00:24
[...] How to safely connect from anywhere to your closed Linux firewall | MDLog:/sysadmin (tags: ssh security firewall) [...]
7th July 2006, 02:12
[...] (more…) [...]
7th July 2006, 13:08
Security thru obscurity. Not good.
7th July 2006, 18:01
> security thru obscurity. Not good.
Oh, you mean like passwords?
MWM
8th July 2006, 17:48
[...] http://www.ducea.com/2006/07/05/how-to-safely-connect-from-anywhere-to-your-closed-linux-firewall/ [...]
10th July 2006, 00:37
[...] The idea is so simple, and though so effective. Knockd is a port-knocking application that silently runs on a server passively listening to network traffic. Once it will see a port sequence it has an action configured for it, it will run that action. Once we hit the right button it will take the appropriate action!read more | digg story [...]
11th July 2006, 09:58
[...] http://www.ducea.com/2006/07/05/how-to-safely-connect-from-anywhere-to-your-closed-linux-firewall/ [...]
11th July 2006, 23:32
[...] read more | digg story [...]
12th July 2006, 00:35
Awesome howto. I am going to try this out when I get my Linux box back up and running (I just moved so it’s in a box).
Thanks!
13th July 2006, 20:19
[...] By chance, while looking for information about implementations of this technique, I came across a tutorial for setting up knockd, a daemon that helps us implement this port knocking technique on our servers. I hope you find it useful. [...]
16th July 2006, 20:48
It seems risky and not suitable for production purposes. The heuristic of the “security” (through obscurity, as someone noted) is unacceptable to me.
But great article, otherwise!
26th July 2006, 14:04
[...] read more | digg story [...]
26th July 2006, 14:55
This just gives you false sense of security and thus it is dangerous.
30th July 2006, 12:15
Anyone who thinks this is security through obscurity apparently doesn’t understand the port knocking concept nor basic security rules.
The idea is that you use knockd (or similar software) as an EXTRA LAYER of security.
When configuring your setup, especially your server tools like ssh, assume that knockd is not installed. Port knocking is merely an extra protection layer. It is not a stand alone security solution. Nor should it be.
1st September 2006, 12:45
[...] The idea is so simple, and though so effective. Knockd is a port-knocking application that silently runs on a server passively listening to network traffic. Once it will see a port sequence it has an action configured for it, it will run that action. Once we hit the right button it will take the appropriate action!read more | digg story [...]
30th December 2006, 13:56
Sounds like a safe. You dial 5647,3456,2746 and the safe shows all its nice secrets.
but remember: http://web.mit.edu/kvogt/www/safecracker.html
23rd January 2007, 02:47
[...] In this example, Marius uses knockd to modify his iptables when he pings ports 7000, 8000, and 9000 in sequence. The modification involves adding the IP address that the pings came from to allow that IP to SSH into the system. When he’s done, he pings the ports in reverse order and knockd then removes that IP’s access. This allows him to keep his box secure by not allowing anyone except a single internal IP to SSH in except for the brief period of time when he uses knockd to change that. Bloody brilliant. [...]
5th November 2007, 10:34
I am thinking… maybe you need a Linux system to enter… What happens if it is Windows or some other operating system…?
thanks
I will try out this
17th November 2007, 13:09
[...] read more | digg story [...]
29th November 2007, 21:40
I use it, as some have stated, as an EXTRA layer of security for production servers. I have locked SSH, and to open it I have to do the knockd sequence to open SSH at all. Thus - it is not “false security” - it is extra. I change the sequence at random, but since I still believe in SSH security, I wouldn’t quite mind if someone sniffs it either. It’s like using greylisting at an smtp gateway - it is not security I use it for, but nmap scanners can’t see my SSH port at all. And that means that maybe I have saved myself from a few nasty OpenSSH bugs. Only time will tell.
20th January 2008, 00:03
[...] has written a tutorial if you are interested in implementing port knocking. Tags: Linux, Networking, Open source, Port knocking, Security Like this post? Subscribe [...]
18th May 2008, 08:08
[...] of packets (from this host). For example SYN packets on ports 1000, 2000, 3000, 4000. More on: http://www.ducea.com/2006/07/05/how-to-safely-connect-from-anywhere-to-your-closed-linux-firewall/ The package is included in Debian and works very well. Not recommended on weak machines with lots of [...]
29th May 2008, 20:19
[...] [Link ] [...]