Cover sTory Single-Packet Port Knocking
Remote access security with single-packet port knocking WHO’S THERE? If you are looking for an extra layer of remote access security, try single-packet
port knocking. BY JULIET KEMP
ublic key cryptography port-knocking configuration, all means that the traffic ports on the server are closed by Pis secured and that if default. To the outsider, the net- you verify keys correctly, it work seems inaccessible. A re- isn’t vulnerable to man-in-the- mote user who wants access at- middle attacks. Exploits are tempts to initiate a series of con- occasionally found, but they nections to a specific sequence are quickly fixed. However, of (closed) ports. These connec- your system could still be vul- tions are not successful, but they nerable to brute-force attacks. If are logged by the server. After the you have only a small number of appropriate sequence of connec- user accounts, if your usernames tion attempts (“knocks”), a dae- are unusual, and if your passwords mon running on the server edits the are carefully crafted, this might not firewall rules to allow a connection be an issue. But if you have multiple from the IP address that has originated users on a system, it becomes harder to the “knock” sequence. The user can ensure that all passwords really are se- then log in normally. cure. One solution is to run a password- The SSH port is thus opened only in guessing system such as John the Ripper certain circumstances (when a user [1], which can discover a poor pass- has demonstrated that they’re legiti- word before anyone with nefarious mate), rather than being open all the intentions has time to exploit it. time. A password is usually required Also, you can create firewall for login once the port is opened, pro- rules that establish a maximum viding an additional layer of security. number of connection at- Port knocking has a few benefits: tempts from the same IP • It’s hidden – an outsider cannot address, either indefi- detect whether a firewall is listen- nitely or for the next ing for port knocking (which is few minutes. (The lat- the most important feature). Even ter option is prefera- if a cracker has access to an SSH ble to avoid prob- exploit, they can’t get at the SSH lems for real users, server to try it out. who do occasion- • It’s very flexible – you ally mistype their can set up whatever rules password several you want. times.) • It’s foolproof – if you Another al- cannot rely on your users ternative is to create secure passwords,
Olga Lyubkina, Fotolia port knock- you are vulnerable to brute- ing. In a force attacks, as well as to tradi- any holes in your SSH imple- tional mentation.
24 ISSUE 91 JUNE 2008 Single-Packet Port Knocking Cover sTory
However, traditional port knocking also has some disadvantages. First, a cli- ent program needs to do the knocking. Depending on your users’ tolerance for such things – and your own ability to manage the remote client configuration – this could be problematic. Also, it might not be possible to run such a pro- gram from some locations (e.g., from a library or network cafe). If the server side of the process goes wrong, no one (including you!) will be able to connect to the machine. Port knocking also increases network traffic, although if the port-knocking configuration reduces the overall traffic because of scanning and brute-force at- tempts, this reduction could more than balance out the increased traffic for the knocking process. Another problem is that traditional port knocking isn’t ex- actly unbeatable: It might be possible for Figure 1: Setting up iptables. an attacker to monitor traffic and detect the knocking sequence. recommend that you use SPA solution in access.conf. The sample access.conf instead. file allows SSH access for 30 seconds single-Packet after the specified key is sent success- Authorization Installation fully, which is a reasonable default. A more recent version of the same basic To start, you’ll need to install the libp‑ The only line you actually need to edit idea – running a server that appears cap‑dev package (on Debian), or which- is the one that begins with KEY – alter closed until the proper “secret knock” is ever package your distro uses to provide the key to a password of your choice. detected – is Single-Packet Authorization the PCAP development libraries. Then, Before starting fwknop, you need to (SPA). In contrast to traditional port download the most up-to-date fwknop set up your iptables config so that exist- knocking, which requires a sequence of tarball [3]. To unzip and install the soft- ing connections and loopback are al- several knocks, SPA requires, as its name ware, enter: lowed but all other connections are suggests, only a single encrypted packet dropped. Be very careful when setting to communicate all the information nec- $ tar zxf fwknop‑1.9.1.tar.gz up iptables rules. It is entirely possible essary. $ cd fwknop‑1.9.1 to lock yourself out of your server if you An SSH session can occur only after a $ ./install.pl get things wrong. valid encrypted packet is detected, and If you already have iptables running, as with port knocking, if you are looking During the install process, select server type iptables ‑F to flush all the rules; at the firewall/ server from outside. you for the local execution mode, then pcap then. set rules for the INPUT chain as can’t tell that sshd (or any other service) for the data acquisition method. Choose follows, is listening. your network interface when asked The major advantage of SPA is that its (probably eth0), and set the access alert iptables ‑A INPUT ‑d 1.2.3.4 U packets are not replayable, whereas with email address you want to use (this is ‑m state ‑‑state RELATED,U traditional port knocking, it is possible – the address that will receive an alert ESTABLISHED ‑j ACCEPT at least in theory – for an attacker who when the server is accessed or when ac- iptables ‑A INPUT ‑i lo ‑j U discovers the sequence to replay it. In cess is turned off again). You probably ACCEPT addition, SPA is faster and harder to want to choose yes for fwknop to run at iptables ‑P INPUT DROP detect because it requires only a single boot time. packet. To ensure that fwknop will run cor- and replace 1.2.3.4 with the IP address rectly on your system, run the test suite of your server. Fwknop after install: test/fwknop_test.pl from the This configuration accepts packets The best tool for implementing SPA is fwknop install directory. from established connections (first line) fwknop, available at the CipherDyne Now you need to complete the config- and from loopback connections (second website [2], which is operated by the uration by editing the file /etc/fwknop/ line), but it drops all other packets (third security researcher Michael Rash. Even access.conf, but you shouldn’t need to line). The OUTPUT and FORWARD though fwknop can also perform tradi- edit the config settings in /etc/fwknop/ chains are not affected – this code just tional port knocking, its authors strongly fwknop.conf: All the access rules are set changes the rules about which inbound
JUNE 2008 ISSUE 91 25 Cover story Single-Packet Port Knocking
packets are accepted. Now start fwknop with the passphrase, you can change this the changes in iptables as a connection with /etc/init.d/fwknop start. in access.conf on the server. If the test occurs. does not succeed, it is possible that the Testing Fwknop setup packet was sent over a high-value Using a GPG key To test your setup, you need a client as UDP port. A plaintext key might not be the ideal well as a server. Again, you will need to If your client and server are on differ- form of authentication. Fwknop also install libpcap‑dev on the client machine ent networks with an external firewall supports GPG authorization, but you and then install fwknop as above; how- between them that blocks these ports, probably don’t want to use your regular ever, answer client during the installa- your “knock” packet will not get GPG key on the server end, since the tion process. through. If this is the case, you can edit password for decrypting it must be For an initial test, confirm that you the PCAP_FILTER value in /etc/fwknop/ stored in /etc/fwknop/access.conf. How- cannot log in to your server via SSH: fwknop.conf on the server to set a port ever, you can use an existing GPG key value that is allowed through, and then on the client end if you have one. $ ssh [email protected] use the ‑‑Server‑port
26 ISSUE 91 JUNE 2008 1&1 Web Hosting: Powerful hosting for demanding sites
Choosing a reliable web host is important. With over 5 Million websites, 1&1 is one of .UK the world‘s largest web hosts. 1&1 employs Domains over 500 in-house developers. These highly trained programmers deliver the absolute for best in what’s on the forefront of technology, making 1&1 consistently first to market with FREE! the latest advances in communication.
1&1 HOME 1&1 BUSINESS PRO PACKAGE PACKAGE 1 .UK Domain FREE 5 .UK Domains FREE for the life of your package for the life of your package
� 1.51 5 GB WWebb SSpace � New: N latestl � 400 2 GB POP3/IMAP E-mail-acc. Software-Packagee � 20 GB Monthly Traffic worth £400 � Free WebsiteBuilder � 8 GB Web Space � 1&1 Blog � 100 GB Monthly Traffic � Photo Gallery � 1500 IMAP/POP3 E-mail acc. � SMS Manager � Search Engine Optimisation � 1&1 WebMail � SSH Access, PHP & Perl � 1&1 Banner Advertising � Shared SSL � Free CGI’s � 8x MySQL (100 MB Database) � PHP 4 & 5 � 1&1 Easy Shop � 99.99% Up-Time Guarantee � Cron Jobs/Scheduled Tasks � 24/7 Support � Free E-mail Support � ... and much more! � 24/7 Express Support � … andand mumuchch more!more! £ .99 £ .99 perpeper mommonthonth perpeper mmonthmonthh 4 (£5.86(£(£55.868666c Inc. VATVAT)*ATAT)*T)*) 14 (£17.61(£(£117.661 Inc. VAVAT)*T)*)** 1&1 Home Package 1&1 Business Pro 3 m o n t h s Package * 3 m o n t h s FREE! FREE!*
* Terms and conditions apply, please see website for further details.
Call 0871 641 21 21
or visit us now www.1and1.co.uk
UK521_V_4B_210x297.indd 1 11.04.2008 12:27:00 Uhr Cover story Single-Packet Port Knocking
entropy while you’re waiting, so go GPG_HOME_DIR: /root/.gnupg; this practice is not recommended; there- browse the Internet and check your GPG_DECRYPT_ID: AAAAAAAA; fore, I won’t cover it here. email for a while! The output from the GPG_DECRYPT_PW: myGpgPassword; With the ‑‑Server‑cmd
28 ISSUE 91 JUNE 2008