Port knocking opens a service in the firewall on demand, based on a sequence of ports that must be “knocked”. When a valid sequence of knocks is received, a command is executed to open the port in the firewall rules; a second sequence of knocks is then used to “close” the port again. A firewall and a knock daemon are needed for this.
The purpose is to keep the service “filtered” by the firewall whenever it is not in use.
Simple stateful firewall
A simple firewall rule set is configured for this demonstration.
# The default policy for incoming packets is ACCEPT; change it to DROP.
sudo iptables -P INPUT DROP
# Incoming packets are accepted only when they belong to an ESTABLISHED or RELATED
# connection, so no NEW TCP connection can be initiated towards the firewall's ingress interface.
# The default policy of the OUTPUT chain is ACCEPT, so it does not need to be changed.
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
Install the knock daemon with sudo apt-get install knockd.
The configuration file is /etc/knock.conf. It contains a default openSSH sequence, 7000,8000,9000; when this sequence of knocks is valid, a command is executed that opens service port 22 in the firewall rules. The command line can be modified to suit your needs.
To request an SSH connection, the client first has to “knock” the sequence.
root@bt:~# knock -v 192.168.1.133 7000 8000 9000
hitting tcp 192.168.1.133:7000
hitting tcp 192.168.1.133:8000
hitting tcp 192.168.1.133:9000
root@bt:~#
root@bt:~# ssh -l cyruslab 192.168.1.133
cyruslab@192.168.1.133's password:
Welcome to Ubuntu 12.04.1 LTS (GNU/Linux 3.2.0-29-generic-pae i686)

 * Documentation:  https://help.ubuntu.com/

  System information as of Mon Nov  5 16:11:03 SGT 2012

  System load:  0.0               Processes:           72
  Usage of /:   3.4% of 47.90GB   Users logged in:     1
  Memory usage: 8%                IP address for eth0: 192.168.1.133
  Swap usage:   0%

  Graph this data and manage this system at https://landscape.canonical.com/

Last login: Mon Nov  5 15:42:37 2012 from BT
cyruslab@TEST-SERVER:~$
The firewall rules look like this once the valid sequence has been knocked.
cyruslab@TEST-SERVER:~$ sudo iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     tcp  --  bt.local             anywhere             tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
cyruslab@TEST-SERVER:~$
As can be seen, the ssh port is now open for bt.local in the firewall rules.
To close the SSH service from the firewall:
root@bt:~# knock 192.168.1.133 9000 8000 7000 -v
hitting tcp 192.168.1.133:9000
hitting tcp 192.168.1.133:8000
hitting tcp 192.168.1.133:7000
root@bt:~#
Executing the above knock sequence removes the rule that allowed bt.local to connect to the ssh service.
The weakness is that the knock sequence travels in cleartext, so it has no protection against eavesdropping or a man-in-the-middle attack.
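As an added example (not knockd's code and not part of the original post), a small Python matcher that mirrors what the daemon does with the two sequences above: it tracks each source's progress through the open and close sequences, expires a partial sequence after an assumed timeout, and returns the iptables command knockd would run with %IP% filled in. Since the daemon sniffs SYNs, the INPUT DROP policy does not hide the knocks from it; run over a firewall's SYN log, the same matcher also shows a defender which hosts are knocking.

```python
from typing import Dict, List, Optional, Tuple

# Sequences as on the page: 7000,8000,9000 opens port 22, the reverse closes it.
# The command is a knockd-style template; %IP% becomes the knocking host's address.
IPT = "/sbin/iptables %s INPUT -s %%IP%% -p tcp --dport 22 -j ACCEPT"
SEQUENCES = {"openSSH": ((7000, 8000, 9000), IPT % "-A"),
             "closeSSH": ((9000, 8000, 7000), IPT % "-D")}
SEQ_TIMEOUT = 5.0  # assumed: seconds allowed from first to last knock of a sequence

class KnockTracker:
    """Per-source progress through each sequence, kept as a SYN-sniffing knock daemon keeps it."""

    def __init__(self) -> None:
        # state[src][name] = (index of next expected port, timestamp of first knock)
        self.state: Dict[str, Dict[str, Tuple[int, float]]] = {}

    def observe(self, src: str, dport: int, ts: float) -> Optional[str]:
        """Feed one TCP SYN; return the command a completed sequence fires, else None."""
        per_src = self.state.setdefault(src, {})
        fired = None
        for name, (ports, cmd) in SEQUENCES.items():
            idx, start = per_src.get(name, (0, ts))
            if idx > 0 and ts - start > SEQ_TIMEOUT:
                idx = 0  # too slow: the partial sequence expires
            if dport == ports[idx]:
                if idx == 0:
                    start = ts  # first correct knock starts the clock
                idx += 1
                if idx == len(ports):
                    fired = cmd.replace("%IP%", src)
                    idx = 0
            else:
                idx = 0  # any wrong port resets this sequence
            per_src[name] = (idx, start)
        return fired

def replay(events: List[Tuple[str, int, float]]) -> List[str]:
    """Run (src, dport, ts) SYN observations through one tracker; return commands fired in order.
    Fed from firewall SYN logs, the same matcher doubles as a knock-sequence detector."""
    tracker = KnockTracker()
    return [c for c in (tracker.observe(*e) for e in events) if c]

# Constructed sample (addresses made up): one host opens, uses ssh, then closes;
# a second host knocks the right ports but too slowly and gets nothing.
SAMPLE = [
    ("192.168.1.10", 7000, 0.0), ("192.168.1.10", 8000, 0.2), ("192.168.1.10", 9000, 0.4),
    ("192.168.1.10", 22, 1.0),
    ("192.168.1.10", 9000, 30.0), ("192.168.1.10", 8000, 30.2), ("192.168.1.10", 7000, 30.4),
    ("192.168.1.20", 7000, 40.0), ("192.168.1.20", 8000, 50.0), ("192.168.1.20", 9000, 50.1),
]
```

Calling replay(SAMPLE) yields exactly one open and one close command, both for 192.168.1.10; the slow knocker never completes a sequence.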
Reference: Port knocking