In computer networking, port knocking is a method of externally opening ports on a firewall by generating a connection attempt on a set of prespecified closed ports. Once a correct sequence of connection attempts is received, the firewall rules are dynamically modified to allow the host which sent the connection attempts to connect over specific port(s). A variant called single packet authorization (SPA) exists, where only a single 'knock' is needed, consisting of an encrypted packet.[1][2][3][4]
The primary purpose of port knocking is to prevent an attacker from scanning a system for potentially exploitable services by doing a port scan, because unless the attacker sends the correct knock sequence, the protected ports will appear closed.
Port-knocking clients listed alongside the article:
- A command-line client (Mar 18, 2018): "Knock host and port using tcp connection". Positional arguments: host (hostname or IP address of the host); ports (ports to knock). Optional arguments: -h, --help (show this help message and exit); -d DELAY, --delay DELAY (milliseconds between each knock).
- 'Knock on Ports' is a port knocking client compatible with knockd, icmpKNOCK and other port knocking servers. Features: UDP/TCP or ICMP sequences; inter-packet delays; ability to start another application after a knock; customizable widget; data export/import; customizable UDP packet content; free, no ads, open source; on GitHub.
- A Go command-line port-knocking client with multiple-host support (updated Sep 20, 2019).
- Knock is a port-knock client. It sends TCP/UDP packets to each specified port on host, creating a special knock sequence on the listening server (see the knockd manpage for more info on this). The knock script sets its socket to 'non-blocking'; non-blocking in Python is the same as setting the timeout to 0, that is, do not wait for a response, whereas a TCP socket defaults to 'blocking', i.e. wait for a response. From the Knock git repository the relevant line is: s.setblocking(False).
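The client side of the listings above, as an added example that is not the code of Knock, 'Knock on Ports' or any other project named here: a small Python knock client in the style of the usage text (positional host and ports, a -d/--delay between knocks). It sends each TCP knock with a non-blocking connect so it never waits for an answer from a port that is, by design, closed, and sends UDP knocks as an empty datagram. The PORT[:tcp|udp] syntax, the default 200 ms delay and the hypothetical sender parameter (used only so the sequence logic can be exercised without a network) are choices made for this example.

```python
import argparse
import socket
import time


def parse_knock(spec: str) -> tuple:
    """Parse 'PORT', 'PORT:tcp' or 'PORT:udp' into (port, proto).
    The port:proto form is a convention chosen for this example."""
    port, _, proto = spec.partition(":")
    proto = (proto or "tcp").lower()
    if proto not in ("tcp", "udp"):
        raise ValueError(f"unknown protocol in knock {spec!r}")
    port = int(port)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range in knock {spec!r}")
    return port, proto


def send_knock(host: str, port: int, proto: str) -> int:
    """Emit one knock and return immediately. The knock port is closed on the
    server, so no reply is expected and none is awaited."""
    if proto == "udp":
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        try:
            s.sendto(b"", (host, port))   # empty datagram; only the port number matters here
            return 0
        finally:
            s.close()
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setblocking(False)   # same as settimeout(0): connect() returns without waiting
    try:
        # connect_ex() returns an errno (typically EINPROGRESS, or ECONNREFUSED on
        # loopback) instead of raising; the SYN has left the host, which is all we need.
        return s.connect_ex((host, port))
    finally:
        s.close()


def knock(host: str, knocks, delay_ms: int = 200, sender=send_knock) -> list:
    """Send the sequence in order, pausing delay_ms between knocks so the
    packets reach the server in order. Returns [(port, proto, result), ...].
    `sender` is a hypothetical hook so the sequencing can be tested offline."""
    results = []
    for i, (port, proto) in enumerate(knocks):
        if i:
            time.sleep(delay_ms / 1000.0)
        results.append((port, proto, sender(host, port, proto)))
    return results


def main(argv=None) -> None:
    ap = argparse.ArgumentParser(description="Knock host and ports (example client)")
    ap.add_argument("host", help="Hostname or IP address of the host")
    ap.add_argument("ports", nargs="+", help="Ports to knock, e.g. 1000 2000:udp 3000")
    ap.add_argument("-d", "--delay", type=int, default=200,
                    help="Milliseconds between each knock")
    args = ap.parse_args(argv)
    knock(args.host, [parse_knock(p) for p in args.ports], args.delay)


if __name__ == "__main__":
    main()
```

Run as `python knock_client.py 192.0.2.1 1000 2000:udp 3000 -d 300` (192.0.2.1 is a documentation address). The delay matters on the server side: a knock daemon matches packets in arrival order, and knocks fired back-to-back over a high-latency path can arrive reordered, the failure mode the Disadvantages section describes.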
Overview
Port knocking is usually implemented by configuring a daemon to watch the firewall log file for connection attempts to certain ports, and then to modify the firewall configuration accordingly. It can also be performed at the kernel level (using a kernel-level packet filter such as iptables[5]) or by a userspace process examining packets at a higher level (using packet capture interfaces such as pcap), which allows already 'open' TCP ports to be used within the knock sequence.
The port 'knock' itself is similar to a secret handshake and can consist of any number of TCP, UDP or even sometimes ICMP and other protocol packets to numbered ports on the destination machine. The complexity of the knock can be anything from a simple ordered list (e.g. TCP port 1000, TCP port 2000, UDP port 3000) to a complex time-dependent, source-IP-based and other-factor-based encrypted hash.
A portknock daemon on the firewall machine listens for packets on certain ports (either via the firewall log or by packet capture). The client user would carry an extra utility, which could be as simple as netcat or a modified ping program or as complicated as a full hash-generator, and use that before they attempted to connect to the machine in the usual way.
Most portknocks are stateful systems in that if the first part of the 'knock' has been received successfully, an incorrect second part would not allow the remote user to continue and, indeed, would give the remote user no clue as to how far through the sequence they failed. Usually the only indication of failure is that, at the end of the knock sequence, the port expected to be open is not opened. No packets are sent to the remote user at any time.
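The stateful matching the three paragraphs above describe (and the "simplest case" in the post further down the page), as an added example that is not code from this article or from any of the daemons it mentions: a Python knock tracker that consumes iptables-style firewall log lines, keeps per-source progress through the sequence, silently resets a source on a wrong or late knock, and opens the protected port to that source alone for a limited time. The log line format, the sequence 1000/2000/3000, the 10-second knock window, the 30-second open duration and the sample addresses are all constructed for this example.

```python
import re
from dataclasses import dataclass, field

# Constructed parameters for this example
KNOCK_SEQUENCE = (1000, 2000, 3000)   # TCP ports, in order
PROTECTED_PORT = 22
KNOCK_WINDOW = 10.0     # seconds allowed to complete the whole sequence
OPEN_DURATION = 30.0    # seconds the protected port stays open for the source

# Pulls SRC= and DPT= out of an iptables LOG-style line (constructed format)
LOG_RE = re.compile(r"SRC=(?P<src>\S+).*?DPT=(?P<dpt>\d+)")


@dataclass
class KnockState:
    stage: int = 0          # how many knocks of the sequence have matched so far
    started: float = 0.0    # time of the first matching knock


@dataclass
class KnockDaemon:
    sequence: tuple = KNOCK_SEQUENCE
    progress: dict = field(default_factory=dict)   # source IP -> KnockState
    allowed: dict = field(default_factory=dict)    # source IP -> expiry time

    def observe(self, src: str, dport: int, now: float) -> bool:
        """Feed one connection attempt from `src` to `dport` at time `now`.
        Returns True only when the full sequence has just completed. Nothing is
        ever sent back: a wrong or late knock resets the source to the start
        without telling it how far it got."""
        st = self.progress.get(src, KnockState())
        if st.stage and now - st.started > KNOCK_WINDOW:
            st = KnockState()           # too slow: start over
        if dport != self.sequence[st.stage]:
            st = KnockState()           # wrong port: start over, silently
        if dport == self.sequence[st.stage]:
            if st.stage == 0:
                st.started = now
            st.stage += 1
        if st.stage == len(self.sequence):
            # Sequence complete: open the protected port for this source only
            self.allowed[src] = now + OPEN_DURATION
            self.progress.pop(src, None)
            return True
        self.progress[src] = st
        return False

    def is_allowed(self, src: str, now: float) -> bool:
        """Would the firewall currently accept `src` on PROTECTED_PORT?"""
        expiry = self.allowed.get(src)
        if expiry is None:
            return False
        if now > expiry:
            del self.allowed[src]       # timeout: close the port again
            return False
        return True

    def feed_log_line(self, line: str, now: float) -> bool:
        """Log-watching mode: parse one firewall log line and feed it in."""
        m = LOG_RE.search(line)
        if not m:
            return False
        return self.observe(m.group("src"), int(m.group("dpt")), now)


# Constructed log lines: one legitimate client interleaved with a wrong guess
SAMPLE_LOG = [
    "kernel: KNOCK IN=eth0 SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=51000 DPT=1000 SYN",
    "kernel: KNOCK IN=eth0 SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=51001 DPT=2000 SYN",
    "kernel: KNOCK IN=eth0 SRC=198.51.100.99 DST=198.51.100.7 PROTO=TCP SPT=40000 DPT=1000 SYN",
    "kernel: KNOCK IN=eth0 SRC=198.51.100.99 DST=198.51.100.7 PROTO=TCP SPT=40001 DPT=3000 SYN",
    "kernel: KNOCK IN=eth0 SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=51002 DPT=3000 SYN",
]


def run_sample() -> dict:
    """Replay SAMPLE_LOG one line per second; report who ends up allowed."""
    daemon = KnockDaemon()
    t0 = 1000.0
    for i, line in enumerate(SAMPLE_LOG):
        daemon.feed_log_line(line, t0 + i)
    now = t0 + len(SAMPLE_LOG)
    return {src: daemon.is_allowed(src, now) for src in ("203.0.113.5", "198.51.100.99")}


if __name__ == "__main__":
    print(run_sample())
```

Two properties of the text are visible in the sample: the two sources are tracked independently, so the wrong guess from 198.51.100.99 does not disturb 203.0.113.5's sequence, and the guesser gets no signal at all about its partial match. A production daemon would additionally rate-limit failed sequences per source and expire idle `progress` entries so that a scan cannot grow the table without bound.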
While this technique for securing access to remote network daemons has not been widely adopted by the security community, it has been actively used in many rootkits, even before the year 2000.
Benefits
Defeating port knocking protection requires large-scale brute force attacks in order to discover even simple sequences. An anonymous brute force attack against a three-knock TCP sequence (e.g. port 1000, 2000, 3000) would require an attacker to test every three-port combination in the 1–65535 range and then scan each port between attempts to uncover any changes in port access on the target system. Since port knocking is by definition stateful, the requested port would not open until the correct three-port number sequence had been received in the correct order and without receiving any other intervening packets from the source. The average case scenario requires approximately 141 trillion (65535³ / 2) packets to determine a correct three-port number. This technique, in combination with knock attempt-limiting, longer or more complex sequences and cryptographic hashes, makes successful port access attempts extremely difficult.
Once the successful port knock sequence is supplied to open a port, firewall rules generally only open the port to the IP address that supplied the correct knock, adding dynamic functionality to firewall behaviour. Instead of using a preconfigured static IP whitelist on the firewall, an authorised user situated anywhere in the world would be able to open any necessary port without assistance from the server administrator. The system could also be configured to allow the authenticated user to manually close the port once the session is over or to have it close automatically using a timeout mechanism. To establish a new session, the remote user would be required to reauthenticate using the correct sequence.
The stateful behaviour of port knocking allows several users from different source IP addresses to be at varying levels of port knock authentication simultaneously, allowing a legitimate user with the correct knock sequence through the firewall while the firewall itself is in the middle of a port attack from multiple IP addresses (assuming the bandwidth of the firewall is not completely consumed). From any other attacking IP address, the ports on the firewall will still appear to be closed.
Using cryptographic hashes inside the port knock sequence defends against packet sniffing between the source and target machines, preventing discovery of the port knock sequence or using the information to create traffic replay attacks to repeat prior port knock sequences.
Port knocking is used as part of a defense in depth strategy. Even if the attacker were to successfully gain port access, other port security mechanisms are still in place, along with the assigned service authentication mechanisms on the opened ports.
Implementation of the technique is straightforward, using at the bare minimum a shell script on the server and a Windows batch file or command line utility on the client. Overhead on both the server and client in terms of traffic, CPU and memory consumption is minimal. Port knock daemons are not complex to code; any type of vulnerability within the code is obvious and auditable.
A port knock system implemented on ports such as the SSH sidesteps the issue of brute force password attacks on logins. In the case of SSH, the SSH daemon is not activated without the correct port knock, and the attack is filtered by the TCP/IP stack rather than using SSH authentication resources. To the attacker, the daemon is inaccessible until the correct port knock is supplied.
Security considerations
Port knocking is a flexible, customisable system add-in. If the administrator chooses to link a knock sequence to an activity such as running a shell script, other changes such as implementing additional firewall rules to open ports for specific IP addresses can easily be incorporated into the script. Simultaneous sessions are easily accommodated.
Strategies such as a dynamic sequence length and a pool of lengths can reduce the probability of guessing a knock sequence to near zero.[6]
In addition to mitigating brute force password attacks and the inevitable growth in logs associated with the process daemon, port knocking also protects against protocol vulnerability exploits. If an exploit were discovered that could compromise a daemon in its default configuration, using port knocking on the listening port reduces the possibility of compromise until the software or process is updated. Authorized users would continue to be served once they provide the correct knock sequence while random access attempts would be ignored.
Port knocking should only be viewed as part of an overall network defense strategy providing protection against random and targeted attacks, not as a complete standalone solution.
Network security professionals have largely ignored port knocking as a solution in the past since early implementations relied solely on providing the correct port combinations to achieve access. Modern port knock systems incorporate features such as secure cryptographic hashes, blacklists, whitelists and dynamic attack responses to further increase system capability. Port knocking is an effective means of maximizing server resources on internet facing networks.[citation needed]
Properly implemented port knocking does not lower the overall security of a system. It is an effective measure that provides an additional layer of security with minimal server resource overhead. At worst, systems such as port knocking introduce new security issues through poor implementation or expose ambivalent administration attitudes through situations such as risk compensation.[citation needed]
Disadvantages
Port knocking is totally dependent on the robustness of the port knocking daemon. The failure of the daemon will deny port access to all users and from a usability and security perspective, this is an undesirable single point of failure. Modern port knocking implementations mitigate this issue by providing a process-monitoring daemon that will restart a failed or stalled port knocking daemon process.
Systems that do not use cryptographic hashes are vulnerable to IP address spoofing attacks. These attacks, a form of denial of service, use port knocking functionality to lock out known IP addresses (e.g. administrator management stations) by sending packets with the spoofed IP address to random ports. Servers using static addressing are especially vulnerable to these types of denial of service as their addresses are well known.
Port knocking can be problematic on networks exhibiting high latency. Port knocking depends on packets arriving in the correct sequence to access its designed functionality. TCP/IP, on the other hand, is designed to function by assembling out of order packets into a coherent message. In these situations, the only solution is for the client to continue resending the correct sequence of packets on a periodic basis until the sequence is acknowledged by the server.
Port knocking cannot be used as the sole authentication mechanism for a server. From a security perspective, simple port knocking relies on security through obscurity; unintended publication of the knock sequence implies compromise of all devices supporting the sequence. Furthermore, unencrypted port knocking is vulnerable to packet sniffing. A network trace of suitable length can detect the correct knock sequence from a single IP address and thus provide a mechanism for unauthorised access to a server and, by extension, the attached network. Once compromised, the log files on the device are a source of other valid knock sequences, revealing another point of failure. Solutions such as treating each knock sequence as a one-time password defeat the aim of simplified administration. In practice, port knocking must be combined with other forms of authentication that are not vulnerable to replay or man-in-the-middle attacks for the whole system to be effective.
References
- [1] Michael Rash (2004). "Combining Port Knocking and Passive OS Fingerprinting with fwknop".
- [2] Michael Rash (2006). "Single Packet Authorization with Fwknop".
- [3] Michael Rash (2007). "Protecting SSH Servers with Single Packet Authorization".
- [4] Moxie Marlinspike (2009). "Using knockknock for Single Packet Authorization".
- [5] Justin Ellingwood (2014-01-17). "How To Configure Port Knocking Using Only Iptables on an Ubuntu VPS". digitalocean.com. Retrieved 2016-04-24.
- [6] Shiraz, Muhammad; Boroumand, Laleh; Gani, Abdullah; Khan, Suleman (2019-10-29). "An Improved Port Knocking Authentication Framework for Mobile Cloud Computing". Malaysian Journal of Computer Science. 32 (4): 269–283. doi:10.22452/mjcs.vol32no4.2. ISSN 0127-9084.
External links
- Port knocking to hide a backdoor: port knocking used to hide a communication channel for malware, an example from the wild
- Techniques for Lightweight Concealment and Authentication in IP Networks (2002)
Generally, it is a good idea to have fewer ports open on your server. When you have ports open, you leak information about what services are running on your server, and any misconfigured or vulnerable programs listening on those ports can become targets.
Normally, a server must have open ports in order to do its job, at least when you don’t know in advance which addresses it needs to serve. Port knocking is a technique that allows you to have zero open ports on a server, while still allowing connections from trusted clients.
Port Knocking
In the simplest case, port knocking does what it sounds like: you disallow all connections to all ports on your server, using your favorite firewall. Then you configure a simple daemon to watch for a particular sequence of “knocks”: packets sent to closed ports on the server. When it sees the appropriate sequence of knocks from some IP address, it tells your firewall to (temporarily) allow connections from that address, on whatever port your service is listening on (typically port 22, for ssh). This is as if your speakeasy had a “secret knock” that must be performed before the bouncer opens the door. Trusted clients know the secret knock, and so when connecting to your server they use the knock sequence before attempting to connect.
Avoiding Replays
As with real-life secret knocks, though, this technique is susceptible to replay attacks: if someone is able to hear the secret knock, they can repeat it easily. A person snooping on your traffic may be able to see that you sent a suspicious sequence of packets before successfully connecting, and then use the same sequence themselves.
Some knocking daemons, such as knockd, can mitigate this with a feature that lets you use “one time sequences”: A list of sequences that must be used in the appropriate order, and are then discarded. This works well when only one client needs to connect to the server: That client can keep track of the same list of knock sequences, and discard ones that it has used.
If multiple clients need to connect to the server, each client can get its own list.
But a problem with this approach is that one must generate sequence lists long enough to ensure that the client will be able to connect as many times as they wish. In principle this may not be too difficult; if you plan to connect fifty times a day for a hundred years, this amounts to less than 100 MiB of configuration. In practice I’m not entirely sure how knockd would deal with such a large list.
Using TOTP
An alternative would be to use a scheme like the TOTP system you (hopefully) use for two-factor authentication on your phone. In this scheme, the server and clients use the current time to agree on a knock sequence. The server gets a secret that’s shared with the client, and whenever the server sees a knock sequence corresponding to the current OTP value, it opens the port (and discards that value).
There are at least two implementations of this idea: one by Akshay Shah and Swapnil Kumbhar, and another by Javier Junquera Sánchez. Neither of these solutions looks very polished, but they exist as proofs-of-concept.
I haven’t looked hard at the code for either of these implementations, so I can’t recommend them. There are various pitfalls involved here; the most important is that the TOTP-generated sequence must be discarded after use, to avoid fast replay attacks. And one may want to use different TOTP keys for each client or user (to ensure that multiple clients aren’t racing for the same code if they need to connect at similar times). I suspect that the above implementations don’t deal nicely with at least one of these issues, though again I haven’t looked at them in detail.
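The TOTP scheme sketched in the "Using TOTP" section, with the two pitfalls just listed handled (each sequence is redeemed at most once, and every client has its own key), as an added example that is neither the post's code nor either of the proof-of-concept implementations it names. It also illustrates the article's earlier point that a time-dependent, hash-derived knock defeats the simple replay of a sniffed sequence. The HMAC-SHA1-over-counter core follows RFC 4226/6238; mapping the MAC to three ports in the 1024–65535 range, the 30-second step, the one-step clock-skew allowance and the client names and secrets are choices constructed for this example.

```python
import hashlib
import hmac
import struct

# Constructed parameters for this example
PORT_LO, PORT_HI = 1024, 65535   # knock ports are drawn from this range
KNOCK_LEN = 3                    # ports per sequence
STEP = 30                        # TOTP time step in seconds (RFC 6238 default)


def totp_sequence(secret: bytes, counter: int, length: int = KNOCK_LEN) -> tuple:
    """Derive the knock sequence for one time step from the shared secret.
    HMAC-SHA1 over the big-endian step counter is the HOTP/TOTP core; instead
    of truncating to six digits, consecutive 2-byte chunks of the 20-byte MAC
    are mapped into the port range (so length may be at most 10)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    span = PORT_HI - PORT_LO + 1
    ports = []
    for i in range(length):
        chunk = mac[2 * i: 2 * i + 2]
        ports.append(PORT_LO + int.from_bytes(chunk, "big") % span)
    return tuple(ports)


def client_sequence(secret: bytes, now: float) -> tuple:
    """What a client with `secret` should knock at wall-clock time `now`."""
    return totp_sequence(secret, int(now) // STEP)


class TotpKnockServer:
    def __init__(self, client_secrets: dict, skew: int = 1):
        self.secrets = dict(client_secrets)   # client name -> its own secret
        self.skew = skew                      # tolerate +/- this many steps of drift
        self.used = set()                     # (client, counter) pairs already redeemed

    def candidates(self, now: float) -> list:
        """All (client, counter, sequence) triples acceptable right now,
        skipping any that have already been used."""
        base = int(now) // STEP
        # Forget redeemed counters that can no longer be presented anyway
        self.used = {(n, c) for (n, c) in self.used if c >= base - self.skew}
        out = []
        for name, secret in self.secrets.items():
            for c in range(base - self.skew, base + self.skew + 1):
                if (name, c) not in self.used:
                    out.append((name, c, totp_sequence(secret, c)))
        return out

    def check(self, observed, now: float):
        """Return the client name if `observed` matches an unused sequence of
        some client within the skew window, and mark that sequence used, so a
        sniffed sequence replayed within the same step is refused."""
        observed = tuple(observed)
        for name, counter, seq in self.candidates(now):
            if seq == observed:
                self.used.add((name, counter))
                return name
        return None


def demo() -> dict:
    """Constructed scenario: alice knocks, an eavesdropper replays it 5 s
    later, then alice knocks again in the next time step."""
    secrets = {
        "alice": b"alice-shared-secret-constructed",
        "bob": b"bob-shared-secret-constructed",
    }
    server = TotpKnockServer(secrets)
    now = 1_700_000_000.0
    seq = client_sequence(secrets["alice"], now)
    first = server.check(seq, now)            # legitimate knock: accepted
    replay = server.check(seq, now + 5)       # same sequence replayed: refused
    later = server.check(client_sequence(secrets["alice"], now + STEP), now + STEP)
    return {"first": first, "replay": replay, "next_step": later}


if __name__ == "__main__":
    print(demo())
```

Because each client has its own secret, two clients connecting in the same 30-second window derive different sequences and cannot race each other for one code; because the server remembers which (client, step) pairs it has honoured, the sniffed sequence is worthless for the rest of that step. What this does not solve is the list-length problem from the previous section in a different guise: the server must keep its clock within a step of the clients', and it still needs real authentication on the port it opens.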
Shah and Kumbhar’s solution above uses knockd’s one time sequences feature, but is forced to restart knockd to reload its configuration whenever the keys change. Ideally it would be great if knockd incorporated a TOTP-based configuration option, or had some other method of avoiding replays than long lists of knock sequences.