dcsimg

Enhance Security with Port Knocking

The author of All I Really Need to Know I Learned in Kindergarten left out (at least) one important lesson: Secret knocks are really, really useful. As kids, we'd use secret knocks to keep undesirables (the kids we didn't like) out of our clubs or rooms. As system administrators, we can use secret knocks to protect our systems from crackers.

In the field of IT systems security, concept of” port knocking” is relatively new. However with the passage of time, it is getting popular day by day among system and security administrators.

Port knocking is a method of externally opening ports on a firewall by generating a connection attempt on a set of pre-specified closed ports. Once a correct sequence of connection attempts is received, the firewall rules are dynamically modified to allow the host which sent the connection attempts to connect over specified port (s).

The primary purpose of port knocking is to prevent an attacker from scanning a system for potentially exploitable services by doing a port scan. Until the correct knock sequence is used, the protected ports will appear closed– so attackers won’t be able to conduct an attack on those ports.

More specifically, Port knocking works on the concept that users wishing to attach to a network service must initiate a predetermined sequence of port connections or send a unique string of bytes before the remote client can connect to the eventual service.

For example, suppose that a remote client wants to connect to an FTP server. The administrator configures the port-knocking requirements ahead of time, requiring that connecting remote clients first connect to ports 2000, 4000, and 7107 before connecting to the final destination port, 21 on FTP server.

The administrator tells all legitimate clients about the correct” combination” of knocks to port knocking daemon running on FTP server and hence when they want to connect to FTP service, they simply send these knocks to the server and then start using FTP service.

The question arises, what is the basic advantage of the additional step of sending knocks and then connecting to FTP service? The answer is simple: The FTP service is not always running on the server, it will be started only when the correct port knocks are sent to server, and it will shut down once it receives another predefined sequence of port knocks.

The potential backdoor to business-critical services is only to be opened for a short time, when it’s required. Once the service is no longer needed, it is closed again, mitigating the vulnerability to attack.

One of the primary advantages to using port knocking is that it is platform, service, and application agnostic. Any operating system with the correct client and server software can take advantage of port knocking. If you need help finding a tool, you can find a list of port knocking implementations here. The site lists clients and daemons for pretty much any platform you’d care to use.

I selected knockd, which is considered to be one of the most famous and robust implementation of port knocking mechanism for Linux and UNIX. In this article, I will cover setting up port knocking on a Red Hat Enterprise Linux (RHEL) server, using knockd, a popular open source port knocking tool. Most importantly, I will try to extend the idea of port knocking beyond simple firewall modifications to more complex system administration tasks.

Note that knockd is available for other systems as well, so if you’re using Debian, Ubuntu, Mac OS X, or even Windows, you should be able to follow along with most of the advice herein to secure your system with knockd.

Flaws with Port Knocking

Before we begin, I should note that port knocking has some detractors. Some IT security professionals say that a predefined and fixed sequence of knocks is, in and of itself, a security flaw. To overcome this, some port knocker daemons have been modified to generate a random sequence of knocks, which can be used by clients to issue requests.

It’s also important to remember that port knocking is just one component of a successful security strategy. You’ll need to deploy other security mechanisms so that if an attacker is successful in providing the correct sequence, they are still faced with authentication and other barricades before connecting to a service.

Port Knocking: A Basic Overview

To start, let’s take a look at the basic functionality of a port knock server. knockd is a daemon that runs on a server, passively listening to network traffic. You configure knockd with a sequence of ports, the length of time between connection attempts, the type of packet that will be sent, and the command to be run when the correct sequence is given.

Once knockd” sees” a port sequence it has been configured to recognize, it will run the command it’s been configured to run. Note that you can use TCP, UDP, or a combination of both. Usually the action will be an iptables command, but not always.

So, to implement port knocking, we start with the installation of knockd and run it in the background. (Or foreground, if you wish, but we will usually want to run it in the background.)

Securing A MySQL Database Remote Connections with Port Knocks

Now that we know what port knocking is, let’s put it to use. In this scenario, I have a business-critical MySQL-based application running on RHEL. On occasion, I need to allow remote connections from a DBA who is performing basic database maintenance activities.

However, for security reasons, we don’t want to allow remote database connections at all times or from every IP address. Because we wanted tighter control over remote connections, we decided to explore port knocking so that remote connections would be open for a limited time only and from a specific IP address.

Let’s start with the firewall rule, just in case you’re not already a firewall wizard. To append a rule to one of the” chains,” you’ll use the -A option. The -I parameter tells iptables to insert the rule into a specific position in the chain. This is important because you may want specific rules to be processed first. Make sure you give it a rule number.

Now, to secure MySQL connections to my database server (172.16.2.183), I blocked network traffic on server’s MySQL port (default 3306) coming from all addresses. For this purpose, I executed following command:

iptables -A INPUT -p tcp -s 0/0 -d 172.16.2.183 --dport 3306 -j REJECT

You don’t want to be reissuing the command every time you restart the machine, so you’ll want to save the rule permanently, using iptables-save.

Getting and configuring knockd

The next step is to install the knockd server on the system you want to use it on. You can get the RPM from the RHEL network.

After installing knockd it’s time to customize your configuration. The knockd config file is found at /etc/knockd.conf

[options]
  logfile=/var/log/knockd.log
[DB2clientopen]
        sequence    = 7050,8050,9050
        seq_timeout = 10
        tcpflags    = syn
        command     = /sbin/iptables -I INPUT 1 -p tcp -s 192.168.2.201 \
       --sport 1024:65535 -d 172.16.2.183 --dport 3306 -m state \
 --state NEW,ESTABLISHED -j ACCEPT
[DB2clientclose]
        sequence    = 9050,8050,7000
        seq_timeout = 10
        tcpflags    = syn
        command     = /sbin/iptables -D INPUT 1

Let’s take a look at the format. The syntax is very simple, you give knockd option / value pairs, separated by =, and port numbers are separated by commas in the order you want the” knocks” to be received. Don’t forget to specify a logfile, you may need to review it later!

It should be obvious from the knockd.conf example that it has two types of actions that can be executed by the daemon, depending on the sequence it receives.

First, if it receives syn packets to port 7050, 8050, and 9050, knockd will insert the first iptables rule as rule number 1 in the INPUT chain. This will open the MySQL database port, so a remote connection can be made from 192.168.2.201– and only that IP address. It’s a good idea to specify the IP address whenever possible, so that if an attacker tries to connect while the port is open, they will still be denied.

On the other hand, if the server receives a knock sequence of 9050, 8050, and 7000, it will delete the rule so that all remote database connections will be closed down again.

I made sure that MySQL would know what address my DBA would be coming from, so I added my PC’s IP address to the server’s /etc/hosts file and created a test database called test1, and created a user called test1 as well with the appropriate grant privileges.

First, fire up the MySQL client with mysql-u root-p test1 and enter the following commands:

mysql> create user test;
mysql> grant all privileges on *.* to 'test@dbawin' \
identified by 'polanipass' with grant option;

Next, restart knockd as a daemon.

/usr/sbin/knockd -d

It should be noted that, by default, knockd will start listening on eth0. If you need it to run on a different interface, you can configure it to do so using the -i option. For instance, to start knockd as a daemon on wlan0 you’d use /usr/sbin/knockd-i wlan0. If you’re always going to run knockd on a different interface, you can add this to your knockd.conf:

[options]
 interface = wlan0

Knock, Knock, It’s Me!

Now, knockd isn’t very useful without a client, so let’s get a client to talk to knockd. I chose a Windows-based Cygwin client, but you can find a client for just about any client OS at the implementations page mentioned earlier.

To use the Windows client, you open a DOS prompt and run something similar to this command:

C:\KNOCK\KNOCK\WINDOWS>knock.exe 172.16.2.183 9050 8050 7000

Of course, the IP address and ports will vary. Once the” knock” is issued, the knock daemon will execute the iptables command listed under the [DB2clientopen] section of knockd.conf and add the rule in INPUT chain to allow DB2 PC to connect to database running on server.

Now you can connect to your MySQL database with your favorite client and do whatever you need to do. Once you’re finished, it’s time to close the door.

If you send the close knock sequence, in this case a syn packet sent to ports 9050, 8050, and then 7000, the MySQL port will be closed and all connections will be terminated. If you try to reconnect to the server, your MySQL client will time out and you’ll eventually see an access error. This will be the case until you send the proper sequence to re-open the port.

So, now you see how you can use port knocking to increase security for remote MySQL connections. Of course, this is really database (and application) independent, so you can use port knocking to secure any database or application you want to connect to remotely.

If it’s too much hassle to open and close the connection each time you need to connect to the database, it might make more sense to set it up so that the port is open during specific hours. For example, if your database guru works 10 a.m. to 7 p.m., you could set up a script to open the port a bit before 10 a.m., and close the port a bit after 7 p.m.

This is not quite as secure, but it does mean that the port won’t be open 24/7, so it may block some automated and casual (i.e., not targeted) attacks. Also, if the port knocking is coupled with only allowing connections from specific IP addresses or IP address ranges, then you have an additional layer of security.

Performing Other System Administration Tasks with Knocks

But wait, that’s not all! Port knocking can be used to do more than set iptables rules. After configuring knockd to play doorkeeper, I decided to explore the feature and see if I could use it to make my life easier in other ways.

I decided I wanted to be able to restart my system remotely, just by” knocking” in the right sequence. I also configured knockd to kick off my backups to tape, so I don’t even need to log in to start the backup– just send a quick series of packets, and my data is safe another day.

Here’s my /etc/knockd.conf:

[options]
  logfile=/var/log/knockd.log
[systemreboot]
        sequence    = 7050,8050,9050
        seq_timeout = 10
        tcpflags    = syn
        command     = /usr/bin/reboot
[systembackup]
        sequence    = 9050,8050,7000
        seq_timeout = 10
        tcpflags    = syn
        command     =  /usr/bin/tar -cf  /dev/rmt0 /home/root/

You can take this a lot farther, and set it up so that other admins (say, the junior admin who’s reliable but still a bit green) can perform complex actions just by using a knock client, or even just by running a shell script that sends the packets.

Summary

Port knocking is a very useful tool for systems security. It is because of its usefulness and robustness that the number of implementations, and users, are growing rapidly. If you can open a door into a closed black box for to perform some system administration tasks, even without requiring a login to the system, it can be very ideal for many environments.

Finally, it is always a good idea to further secure your systems by changing the knock sequences frequently, or by using random seed generators to create random port knocks.

Comments on "Enhance Security with Port Knocking"

diepes

something similar can be achieved with openvpn.
it can be setup to include a hashkey in the connection udp packets, if the first packet does not contain the hash it is silently discarded.

Thus the openvpn port is totally invisible from the outside, with the added benefit that when you connect all traffic is encrypted, and you are authenticated with a certificate.

http://openvpn.net/index.php/documentation/security-overview.html

“the –tls-auth directive to generate an HMAC key to authenticate the packets that are themselves part of the TLS handshake sequence.”

Reply
registrationsucks

If I understand your configuration correctly, anyone knocking with the signoff sequence will delete the first rule on the input chain. This is great if it happens to be the rule that opened up MYSQL, but it is an easy denial of service attack if you happen to be running any other publicly accessible services on the box – a webserver for example. Multiple signoff knocks will shut the whole thing down. A better approach is to specifically delete the rule you added earlier (if it is there). At the very least it should only shutdown rules matching the port you opened.

Reply
javi

In my opinion registrationsucks is right. You will also get into problems if there are more processes that can insert rules in front of your iptables chain, like f.e. fail2ban. Just leave the number out. New rules with flag -I will be inserted in front and only matching rules will be deleted, independent of their order in the chain.

Reply
davidbraun

Javi’s makes valid point. Maybe you could set up separate tables for each service under knockd control. This would not prevent someone from removing the whole table with multiple knockd closes but would limit the problem to just that service instead of the main INPUT chain. Better yet would be to configure the commands issued by knockd to be smarter and create unique table names for each successful knocker.

Reply
jalfrock

Alternately, you can use an iptables-only approach to port-knocking (ie. same thing but without knockd). It’s probably not as configurable, but for a simple setup it’s good enough. For an example, see http://www.debian-administration.org/articles/268

Reply
salinuxam

It’s like our aim is to avoid a port scan primarily. If some body does so null route them using iptables.Portsentry does this pretty accurately :)

Reply
h.hall

Security by obscurity is not a good idea. Do you think that the people that crack passwords cannot crack a knock sequence? And once it’s cracked, how many bulletin boards will have that info posted?

Reply

Only thing is that you have to pay in order to sign up
for the plan. Building material of the data recovery plan consists of several phases.
Data recovery specialists can introduce you to the best practices involved in an
efficient data recovery plan will improve the ability of your employees to respond during chaos.

Reply

Heya! I just wanted to ask if you ever have any trouble with hackers? My last blog (wordpress) was hacked and I ended up losing a few months of hard work due to no back up. Do you have any methods to stop hackers?

Reply

I was suggested this website by way of my cousin. I’m now not positive whether or not this publish is written via him as no one else understand such particular approximately my trouble. You’re incredible! Thanks!

Reply

I think other website proprietors should take this website as an model, very clean and excellent user friendly style and design, as well as the content. You’re an expert in this topic!

Reply

Very good post.Much thanks again. Fantastic.

Reply

OtEwfr There as certainly a lot to learn about this subject. I love all of the points you ave made.

Reply

Thank you for all of the hard work on this web page. Kim really loves setting aside time for research and it’s obvious why. Almost all learn all about the compelling way you convey very useful secrets by means of this website and cause contribution from other people about this area plus our own child is becoming educated a lot. Take advantage of the remaining portion of the year. You have been carrying out a remarkable job.

Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

*

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>