Remote Access Security with Single-Packet Port Knocking WHO’S THERE? If You Are Looking for an Extra Layer of Remote Access Security, Try Single-Packet

Cover sTory Single-Packet Port Knocking

Remote access security with single-packet port knocking WHO’S THERE? If you are looking for an extra layer of remote access security, try single-packet

port knocking. BY JULIET KEMP

ublic key cryptography port-knocking configuration, all means that the traffic ports on the server are closed by Pis secured and that if default. To the outsider, the net- you verify keys correctly, it work seems inaccessible. A re- isn’t vulnerable to man-in-the- mote user who wants access at- middle attacks. Exploits are tempts to initiate a series of con- occasionally found, but they nections to a specific sequence are quickly fixed. However, of (closed) ports. These connec- your system could still be vul- tions are not successful, but they nerable to brute-force attacks. If are logged by the server. After the you have only a small number of appropriate sequence of connec- user accounts, if your usernames tion attempts (“knocks”), a dae- are unusual, and if your passwords mon running on the server edits the are carefully crafted, this might not firewall rules to allow a connection be an issue. But if you have multiple from the IP address that has originated users on a system, it becomes harder to the “knock” sequence. The user can ensure that all passwords really are se- then log in normally. cure. One solution is to run a password- The SSH port is thus opened only in guessing system such as John the Ripper certain circumstances (when a user [1], which can discover a poor pass- has demonstrated that they’re legiti- word before anyone with nefarious mate), rather than being open all the intentions has time to exploit it. time. A password is usually required Also, you can create firewall for login once the port is opened, pro- rules that establish a maximum viding an additional layer of security. number of connection at- Port knocking has a few benefits: tempts from the same IP • It’s hidden – an outsider cannot address, either indefi- detect whether a firewall is listen- nitely or for the next ing for port knocking (which is few minutes. (The lat- the most important feature). Even ter option is prefera- if a cracker has access to an SSH ble to avoid prob- exploit, they can’t get at the SSH lems for real users, server to try it out. who do occasion- • It’s very flexible – you ally mistype their can set up whatever rules password several you want. times.) • It’s foolproof – if you Another al- cannot rely on your users ternative is to create secure passwords,

Olga Lyubkina, Fotolia port knock- you are vulnerable to brute- ing. In a force attacks, as well as to tradi- any holes in your SSH imple- tional mentation.

24 ISSUE 91 JUNE 2008 Single-Packet Port Knocking Cover sTory

However, traditional port knocking also has some disadvantages. First, a client program needs to do the knocking. Depending on your users’ tolerance for such things – and your own ability to manage the remote client configuration – this could be problematic. Also, it might not be possible to run such a program from some locations (e.g., from a library or network cafe). If the server side of the process goes wrong, no one (including you!) will be able to connect to the machine. Port knocking also increases network traffic, although if the port-knocking configuration reduces the overall traffic because of scanning and brute-force attempts, this reduction could more than balance out the increased traffic for the knocking process. Another problem is that traditional port knocking isn’t ex- actly unbeatable: It might be possible for Figure 1: Setting up iptables. an attacker to monitor traffic and detect the knocking sequence. recommend that you use SPA solution in access.conf. The sample access.conf instead. file allows SSH access for 30 seconds single-Packet after the specified key is sent success- Authorization Installation fully, which is a reasonable default. A more recent version of the same basic To start, you’ll need to install the libp‑ The only line you actually need to edit idea – running a server that appears cap‑dev package (on Debian), or which- is the one that begins with KEY – alter closed until the proper “secret knock” is ever package your distro uses to provide the key to a password of your choice. detected – is Single-Packet Authorization the PCAP development libraries. Then, Before starting fwknop, you need to (SPA). In contrast to traditional port download the most up-to-date fwknop set up your iptables config so that exist- knocking, which requires a sequence of tarball [3]. To unzip and install the soft- ing connections and loopback are al- several knocks, SPA requires, as its name ware, enter: lowed but all other connections are suggests, only a single encrypted packet dropped. Be very careful when setting to communicate all the information nec- $ tar zxf fwknop‑1.9.1.tar.gz up iptables rules. It is entirely possible essary. $ cd fwknop‑1.9.1 to lock yourself out of your server if you An SSH session can occur only after a $ ./install.pl get things wrong. valid encrypted packet is detected, and If you already have iptables running, as with port knocking, if you are looking During the install process, select server type iptables ‑F to flush all the rules; at the firewall/ server from outside. you for the local execution mode, then pcap then. set rules for the INPUT chain as can’t tell that sshd (or any other service) for the data acquisition method. Choose follows, is listening. your network interface when asked The major advantage of SPA is that its (probably eth0), and set the access alert iptables ‑A INPUT ‑d 1.2.3.4 U packets are not replayable, whereas with email address you want to use (this is ‑m state ‑‑state RELATED,U traditional port knocking, it is possible – the address that will receive an alert ESTABLISHED ‑j ACCEPT at least in theory – for an attacker who when the server is accessed or when ac- iptables ‑A INPUT ‑i lo ‑j U discovers the sequence to replay it. In cess is turned off again). You probably ACCEPT addition, SPA is faster and harder to want to choose yes for fwknop to run at iptables ‑P INPUT DROP detect because it requires only a single boot time. packet. To ensure that fwknop will run cor- and replace 1.2.3.4 with the IP address rectly on your system, run the test suite of your server. Fwknop after install: test/fwknop_test.pl from the This configuration accepts packets The best tool for implementing SPA is fwknop install directory. from established connections (first line) fwknop, available at the CipherDyne Now you need to complete the config- and from loopback connections (second website [2], which is operated by the uration by editing the file /etc/fwknop/ line), but it drops all other packets (third security researcher Michael Rash. Even access.conf, but you shouldn’t need to line). The OUTPUT and FORWARD though fwknop can also perform tradi- edit the config settings in /etc/fwknop/ chains are not affected – this code just tional port knocking, its authors strongly fwknop.conf: All the access rules are set changes the rules about which inbound

JUNE 2008 ISSUE 91 25 Cover story Single-Packet Port Knocking

packets are accepted. Now start fwknop with the passphrase, you can change this the changes in iptables as a connection with /etc/init.d/fwknop start. in access.conf on the server. If the test occurs. does not succeed, it is possible that the Testing Fwknop setup packet was sent over a high-value Using a GPG key To test your setup, you need a client as UDP port. A plaintext key might not be the ideal well as a server. Again, you will need to If your client and server are on differ- form of authentication. Fwknop also install libpcap‑dev on the client machine ent networks with an external firewall supports GPG authorization, but you and then install fwknop as above; how- between them that blocks these ports, probably don’t want to use your regular ever, answer client during the installa- your “knock” packet will not get GPG key on the server end, since the tion process. through. If this is the case, you can edit password for decrypting it must be For an initial test, confirm that you the PCAP_FILTER value in /etc/fwknop/ stored in /etc/fwknop/access.conf. How- cannot log in to your server via SSH: fwknop.conf on the server to set a port ever, you can use an existing GPG key value that is allowed through, and then on the client end if you have one. $ ssh [email protected] use the ‑‑Server‑port switch In this example, I will assume you with the client fwknop command: don’t have one, and I'll go through the Although you should get no response, if steps to set up a new key at both ends. you do, check your iptables setup on the $ fwknop ‑A tcp/22 U To create the server key, use: server with iptables ‑L to list the rules. ‑‑Server‑port 330 ‑a U Next, try sending the “knock” packet: client.example.com ‑k U $ gpg ‑‑gen‑key server.example.com $ gpg ‑‑list‑keys $ fwknop ‑A tcp/22 ‑a U client.example.com ‑D U To get more information on what is hap- The default options for the first com- server.example.com pening, you can run the daemon on the mand (DSA and Elgamal key, 2,048-bit server in debug or verbose mode: fw‑ key size, and no key expiry) are fine. ‑A specifies which port on the server you knopd ‑d ‑v . With this, you should see Because the key needs to fit in a single want to access – and with which proto- connection attempts being logged and packet, you shouldn’t use a key larger col. The ‑a specifies the machine (or IP the firewall being opened. than 2,048 bits. address) that fwknop should allow to Note that the FWKNOP_INPUT chain Give an appropriate name and email connect. in iptables will not be set up until the address for the server (e.g., server.exam‑ This option is useful in preventing a first connection attempt occurs – so it is ple.com fwknop and fwknop@example. man-in-the-middle attack by ensuring not a problem when you do not see that com) and make a note of your pass- that the source address is duplicated chain initially. By opening a new termi- phrase. The key generation will take a within the encrypted packet, so that if nal window and issuing the command few seconds. GPG will suggest that you an attacker fakes the packet headers, watch ‑n1 iptables ‑L ‑n, you can watch do things on the keyboard to generate they will not be successful (because the faked header would not match the encrypted packet). ‑D specifies the server to connect to. After you are chal- lenged for and have provided the passphrase that you set in access.conf on the server, you will see that a packet is sent to the server. After the packet is sent, you have 30 seconds to connect to the server with the use of a standard SSH connection (ssh user‑ [email protected]‑ ple.com). The 30-second time limit is the default. As Figure 2: fwknop in action with simple password.

26 ISSUE 91 JUNE 2008 1&1 Web Hosting: Powerful hosting for demanding sites

Choosing a reliable web host is important. With over 5 Million websites, 1&1 is one of .UK the world‘s largest web hosts. 1&1 employs Domains over 500 in-house developers. These highly trained programmers deliver the absolute for best in what’s on the forefront of technology, making 1&1 consistently first to market with FREE! the latest advances in communication.

1&1 HOME 1&1 BUSINESS PRO PACKAGE PACKAGE 1 .UK Domain FREE 5 .UK Domains FREE for the life of your package for the life of your package

� 1.51 5 GB WWebb SSpace � New: N latestl � 400 2 GB POP3/IMAP E-mail-acc. Software-Packagee � 20 GB Monthly Traffic worth £400 � Free WebsiteBuilder � 8 GB Web Space � 1&1 Blog � 100 GB Monthly Traffic � Photo Gallery � 1500 IMAP/POP3 E-mail acc. � SMS Manager � Search Engine Optimisation � 1&1 WebMail � SSH Access, PHP & Perl � 1&1 Banner Advertising � Shared SSL � Free CGI’s � 8x MySQL (100 MB Database) � PHP 4 & 5 � 1&1 Easy Shop � 99.99% Up-Time Guarantee � Cron Jobs/Scheduled Tasks � 24/7 Support � Free E-mail Support � ... and much more! � 24/7 Express Support � … andand mumuchch more!more! £ .99 £ .99 perpeper mommonthonth perpeper mmonthmonthh 4 (£5.86(£(£55.868666c Inc. VATVAT)*ATAT)*T)*) 14 (£17.61(£(£117.661 Inc. VAVAT)*T)*)** 1&1 Home Package 1&1 Business Pro 3 m o n t h s Package * 3 m o n t h s FREE! FREE!*

* Terms and conditions apply, please see website for further details.

Call 0871 641 21 21

or visit us now www.1and1.co.uk

UK521_V_4B_210x297.indd 1 11.04.2008 12:27:00 Uhr Cover story Single-Packet Port Knocking

entropy while you’re waiting, so go GPG_HOME_DIR: /root/.gnupg; this practice is not recommended; there- browse the Internet and check your GPG_DECRYPT_ID: AAAAAAAA; fore, I won’t cover it here. email for a while! The output from the GPG_DECRYPT_PW: myGpgPassword; With the ‑‑Server‑cmd switch second command will look a bit like: GPG_REMOTE_ID: CCCCCCCC; for fwknop (client-side), you can send a command to the server to be executed pub 1024D/AAAAAAAA 2008‑03‑07 __GPG_DECRYPT_ID__ is the server GPG as root. You must edit access.conf on the uid server.example.com U key id, and __GPG_DECRYPT_PW__ is server to include the ENABLE_CMD_ fwknop the password for that key. The charac- EXEC keyword, and you can restrict sub 2048g/BBBBBBBB 2008‑03‑07 ters after __GPG_REMOTE_ID__ com- what commands are permitted with pose the client GPG key id. the CMD_REGEX keyword. This feature Now you need to export that key to Restart fwknop and test it. The com- could be useful for running certain ASCII with the command mand line you need from the client is: admin commands from a distance or, perhaps, for backup purposes. $ gpg ‑a ‑‑export AAAAAAAA > U fwknop ‑A tcp/22 ‑‑gpg‑recip U server.asc AAAAAAAA ‑‑gpg‑sign U Multiple Users CCCCCCCC ‑w ‑D U If you intend to implement SPA (or an- and go through the same process on the server.example.com other form of port knocking) across sev- client to create and export the key: eral machines with multiple users, you The server key id is ‑‑gpg‑recip, and the will probably come across resistance to $ gpg ‑‑gen‑key client key id is ‑‑gpg‑sign. After a chal- the idea from your users, particularly $ gpg ‑‑list‑keys lenge for your GPG passphrase, you’ll if they are accustomed to being able to pub 1024D/CCCCCCCC 2008‑03‑07 see a message that a message has been transparently use programs such as uid test fwknop U sent to the server. Then, if you type ssh PuTTY. Being able to explain the bene- [email protected], you fits will be helpful, as will being able to sub 2048g/DDDDDDDD 2008‑03‑07 should be able to log on again. provide an easy way to use appropriate $ gpg ‑a ‑‑export CCCCCCCC > U As this stands, only one key, and thus scripts in practice. Using a plaintext client.asc one individual, can access the server. password rather than GPG keys might be The addition of more easier in this case, although obviously Now you need to transfer the client.asc the more people know such a password, and server.asc files, each to the other GPG_REMOTE_ID: xxxxxxxx; the less secure it is. machine (using any secure transfer Alternatively, it might make more method you fancy). lines in access.conf permits as many keys sense to implement port knocking only Remember that if you’ve already set as you want to access the server. on certain machines. For example, you up fwknop as above on the server, you’ll However, each key that is permitted to could create a setup in which certain need to knock appropriately for an SCP access the server must be imported and user machines allow external (outside or SFTP transfer to succeed! (Or, you signed on the server. (In addition, the your LAN) access, but your servers both could turn fwknop off and change the server key must be imported and signed do not allow external access and require iptables setup back to normal for this by the client/user wanting to access the SPA for internal access. This means that transfer.) server.) This might be a bit much in a a nefarious individual who breaks into Next, import and sign each key. On regular multi-user setup, although it one of your user machines cannot access the client, use would probably be acceptable with only your servers without also breaking the a small number of admins needing to SPA protection. $ gpg ‑‑import server.asc connect to the server (or, of course, if Port knocking as a principle, and in $ gpg ‑‑edit‑key fwknop it’s a single-user machine!). particular SPA, is a very neat way of fur- Command> sign Also, you can add the requirement to ther restricting access to vulnerable ma- Command> save use a particular username when con- chines and increasing security. It might necting, with the directive not be suitable for all setups, but it is and replace fwknop in the second line a useful technique to have available for with whatever user ID you have given REQUIRE_USERNAME: username situations in which you need or want your key or with the hexadecimal key ID to be particularly security conscious. n – AAAAAAAA in this example. in the /etc/fwknop/access.conf file. Simi- Then, repeat this on the server with larly, you can require a particular operat- INFO the client key. Now edit your /etc/fw‑ ing system or source address; or, you can [1] John the Ripper: knop/access.conf on the server: change the time that fwknopd will keep http://www. openwall. com/ john/ the port open. Check the man page for [2] CipherDyne: SOURCE: ANY; details of all of these. http://www. cipherdyne. org/ fwknop/ OPEN_PORTS: tcp/22; Although it is possible to use fwknop [3] Fwknop download: http://www. DATA_COLLECT_MODE: PCAP; in port-knocking mode (which is called cipherdyne.org/ fwknop/ download/ FW_ACCESS_TIMEOUT: 30; legacy port-knocking mode in the docs),

28 ISSUE 91 JUNE 2008