Port knocking

Port knocking opens a service in the firewall on demand, based on a sequence of ports that a client has to “knock”. When a valid sequence of knocks is received, a command is executed that inserts a rule opening the port in the firewall; a second sequence of knocks removes the rule again and “closes” the port. You need a firewall and a knock daemon to do this.

The purpose is to keep the service filtered by the firewall while you are not using it.

Simple stateful firewall
A simple set of firewall rules is configured for this demonstration.

#The default policy for incoming packets is ACCEPT; change it to DROP.
sudo iptables -P INPUT DROP

#Incoming packets are accepted only when they belong to an established or related connection.
#NEW TCP connections can therefore not be initiated towards the ingress interface of the firewall.
#The default policy of the OUTPUT chain is ACCEPT, so outgoing traffic needs no change.
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

Install the knock daemon:

sudo apt-get install knockd

The configuration is in /etc/knock.conf. It ships with a default OpenSSH sequence, 7000,8000,9000; when this sequence of knocks is valid, a command is executed that opens service port 22 in the firewall rules. The command line can be modified to suit your needs.

To request an SSH connection, the client first has to “knock” the sequence.

root@bt:~# knock -v 7000 8000 9000
hitting tcp
hitting tcp
hitting tcp

root@bt:~# ssh -l cyruslab
cyruslab@'s password: 
Welcome to Ubuntu 12.04.1 LTS (GNU/Linux 3.2.0-29-generic-pae i686)

 * Documentation:  https://help.ubuntu.com/

  System information as of Mon Nov  5 16:11:03 SGT 2012

  System load:  0.0               Processes:           72
  Usage of /:   3.4% of 47.90GB   Users logged in:     1
  Memory usage: 8%                IP address for eth0:
  Swap usage:   0%

  Graph this data and manage this system at https://landscape.canonical.com/

Last login: Mon Nov  5 15:42:37 2012 from BT:~$ 

Once the valid sequence has been knocked, the firewall rules look like this.

cyruslab@TEST-SERVER:~$ sudo iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     tcp  --  bt.local             anywhere             tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

As can be seen, the ssh port is now open for bt.local in the firewall rules.

To close the SSH service in the firewall again:

root@bt:~# knock 9000 8000 7000 -v
hitting tcp
hitting tcp
hitting tcp

Executing the above knock sequence removes the rule that allowed bt.local to connect to the ssh service.

The weakness is that the knock sequence travels in cleartext, so it offers no protection against eavesdropping or a man-in-the-middle: anyone who can observe the traffic between client and server sees the sequence. Port knocking only hides the service; the service's own authentication still has to provide the real security.
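To show how the daemon relates the configured sequences to what it sees on the wire, here is an added example that models knockd's matching logic in Python. It is not code from the post or from the knockd project: it parses a constructed configuration in knockd.conf syntax with the same [openSSH] and [closeSSH] pairs the post refers to, walks a constructed list of (timestamp, source IP, destination port) events in place of packet capture, and reports which sequences completed and which command would be run, with %IP% substituted as knockd does. The handling of a wrong port (reset) and of a slow sequence (seq_timeout) is assumed to follow knockd's documented behaviour; the IP addresses and the 5 second timeout are constructed values.

```python
"""Model of the knock daemon's sequence matching (added example, not knockd code)."""
import configparser

# Constructed configuration in knockd.conf syntax. Keys are deliberately not
# indented: configparser treats indented lines as continuations of a value.
KNOCKD_CONF = """
[options]
logfile = /var/log/knockd.log

[openSSH]
sequence = 7000,8000,9000
seq_timeout = 5
command = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn

[closeSSH]
sequence = 9000,8000,7000
seq_timeout = 5
command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn
"""


def load_sequences(conf_text):
    """Return {name: {"ports": [...], "timeout": float, "command": str}}."""
    cfg = configparser.ConfigParser(interpolation=None)  # keep %IP% literal
    cfg.read_string(conf_text)
    seqs = {}
    for name in cfg.sections():
        if name == "options":  # daemon-wide settings, not a knock sequence
            continue
        sec = cfg[name]
        seqs[name] = {
            "ports": [int(p) for p in sec["sequence"].split(",")],
            "timeout": float(sec.get("seq_timeout", "5")),
            "command": sec["command"],
        }
    return seqs


def render_command(template, ip):
    """Substitute the knocking host's address for %IP%, as knockd does."""
    return template.replace("%IP%", ip)


def match_knocks(events, seqs):
    """Walk time-ordered (ts, src_ip, dst_port) events.

    Returns [(src_ip, sequence_name, command)] for each completed sequence.
    Every source progresses through every sequence independently; a hit on
    an unexpected port resets that sequence, and exceeding seq_timeout since
    the first hit discards the partial progress.
    """
    progress = {}  # (src, name) -> (index of next expected port, started_at)
    completed = []
    for ts, src, port in events:
        for name, spec in seqs.items():
            ports = spec["ports"]
            idx, started = progress.get((src, name), (0, 0.0))
            if idx and ts - started > spec["timeout"]:
                idx = 0  # sequence took too long: start over
            if port != ports[idx]:
                idx = 0  # unexpected port resets the sequence...
                if port != ports[0]:
                    progress[(src, name)] = (0, 0.0)
                    continue  # ...unless this hit is itself a fresh first knock
            if idx == 0:
                started = ts
            idx += 1
            if idx == len(ports):
                completed.append((src, name, render_command(spec["command"], src)))
                idx = 0
            progress[(src, name)] = (idx, started)
    return completed


# Constructed events standing in for the SYN packets knockd would capture.
SAMPLE_EVENTS = [
    (0.0, "10.0.0.5", 7000),
    (0.1, "10.0.0.5", 8000),
    (0.2, "10.0.0.5", 9000),   # completes openSSH for 10.0.0.5
    (1.0, "10.0.0.9", 7000),
    (1.1, "10.0.0.9", 8000),
    (1.2, "10.0.0.9", 22),     # wrong port: progress reset, nothing opened
    (1.3, "10.0.0.9", 9000),
    (30.0, "10.0.0.5", 9000),
    (30.1, "10.0.0.5", 8000),
    (30.2, "10.0.0.5", 7000),  # completes closeSSH for 10.0.0.5
    (40.0, "10.0.0.7", 7000),
    (50.0, "10.0.0.7", 8000),  # 10 s after the first knock: timed out
    (50.1, "10.0.0.7", 9000),
]


def demo():
    """Run the sample events through the parsed configuration."""
    return match_knocks(SAMPLE_EVENTS, load_sequences(KNOCKD_CONF))


if __name__ == "__main__":
    for src, name, cmd in demo():
        print(f"{src}: {name} -> {cmd}")
```

Running the module prints one line per completed sequence: 10.0.0.5 opens and later closes port 22, while 10.0.0.9 (a stray hit on port 22 mid-sequence) and 10.0.0.7 (too slow) never trigger a command. The same walk is a useful starting point for detection: feeding firewall log lines through it shows which hosts completed a sequence and when, which is exactly the event a defender wants recorded.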

Reference: Port knocking
