
Cover Story: Single-Packet Port Knocking

Remote access security with single-packet port knocking

WHO'S THERE?

If you are looking for an extra layer of remote access security, try single-packet port knocking.

BY JULIET KEMP

Public key cryptography means that the traffic is secured and that, if you verify keys correctly, it isn't vulnerable to man-in-the-middle attacks. Exploits are occasionally found, but they are quickly fixed. However, your system could still be vulnerable to brute-force attacks. If you have only a small number of user accounts, if your usernames are unusual, and if your passwords are carefully crafted, this might not be an issue. But if you have multiple users on a system, it becomes harder to ensure that all passwords really are secure. One solution is to run a password-guessing system such as John the Ripper [1], which can discover a poor password before anyone with nefarious intentions has time to exploit it.

Also, you can create firewall rules that establish a maximum number of connection attempts from the same IP address, either indefinitely or for the next few minutes. (The latter option is preferable to avoid problems for real users, who do occasionally mistype their password several times.)

Another alternative is port knocking. In a traditional port-knocking configuration, all ports on the server are closed by default. To the outsider, the network seems inaccessible. A remote user who wants access attempts to initiate a series of connections to a specific sequence of (closed) ports. These connections are not successful, but they are logged by the server. After the appropriate sequence of connection attempts ("knocks"), a daemon running on the server edits the firewall rules to allow a connection from the IP address that originated the "knock" sequence. The user can then log in normally.

The SSH port is thus opened only in certain circumstances (when a user has demonstrated that they're legitimate), rather than being open all the time. A password is usually required for login once the port is opened, providing an additional layer of security.

Port knocking has a few benefits:

• It's hidden – an outsider cannot detect whether a firewall is listening for port knocking (which is the most important feature). Even if a cracker has access to an SSH exploit, they can't get at the SSH server to try it out.
• It's very flexible – you can set up whatever rules you want.
• It's foolproof – if you cannot rely on your users to create secure passwords, you are vulnerable to brute-force attacks, as well as to any holes in your SSH implementation.

Photo: Olga Lyubkina, Fotolia

24 ISSUE 91 JUNE 2008

However, traditional port knocking also has some disadvantages. First, a client program needs to do the knocking. Depending on your users' tolerance for such things – and your own ability to manage the remote client configuration – this could be problematic. Also, it might not be possible to run such a program from some locations (e.g., from a library or network cafe). If the server side of the process goes wrong, no one (including you!) will be able to connect to the machine.

Port knocking also increases network traffic, although if the port-knocking configuration reduces the overall traffic because of scanning and brute-force attempts, this reduction could more than balance out the increased traffic for the knocking process. Another problem is that traditional port knocking isn't exactly unbeatable: It might be possible for an attacker to monitor traffic and detect the knocking sequence.

Single-Packet Authorization

A more recent version of the same basic idea – running a server that appears closed until the proper "secret knock" is detected – is Single-Packet Authorization (SPA). In contrast to traditional port knocking, which requires a sequence of several knocks, SPA requires, as its name suggests, only a single encrypted packet to communicate all the information necessary.

An SSH session can occur only after a valid encrypted packet is detected, and as with port knocking, if you are looking at the firewall/server from outside, you can't tell that sshd (or any other service) is listening.

The major advantage of SPA is that its packets are not replayable, whereas with traditional port knocking, it is possible – at least in theory – for an attacker who discovers the sequence to replay it. In addition, SPA is faster and harder to detect because it requires only a single packet.

Fwknop

The best tool for implementing SPA is fwknop, available at the CipherDyne website [2], which is operated by the security researcher Michael Rash. Even though fwknop can also perform traditional port knocking, its authors strongly recommend that you use SPA instead.

Installation

To start, you'll need to install the libpcap-dev package (on Debian), or whichever package your distro uses to provide the PCAP development libraries. Then, download the most up-to-date fwknop tarball [3]. To unzip and install the software, enter:

$ tar zxf fwknop-1.9.1.tar.gz
$ cd fwknop-1.9.1
$ ./install.pl

During the install process, select server for the local execution mode, then pcap for the data acquisition method. Choose your network interface when asked (probably eth0), and set the access alert email address you want to use (this is the address that will receive an alert when the server is accessed or when access is turned off again). You probably want to choose yes for fwknop to run at boot time.

To ensure that fwknop will run correctly on your system, run the test suite after install: test/fwknop_test.pl from the fwknop install directory.

Now you need to complete the configuration by editing the file /etc/fwknop/access.conf, but you shouldn't need to edit the config settings in /etc/fwknop/fwknop.conf: All the access rules are set in access.conf. The sample access.conf file allows SSH access for 30 seconds after the specified key is sent successfully, which is a reasonable default. The only line you actually need to edit is the one that begins with KEY – alter the key to a password of your choice.

Before starting fwknop, you need to set up your iptables config so that existing connections and loopback are allowed but all other connections are dropped. Be very careful when setting up iptables rules. It is entirely possible to lock yourself out of your server if you get things wrong.

If you already have iptables running, type iptables -F to flush all the rules; then set rules for the INPUT chain as follows,

iptables -A INPUT -d 1.2.3.4 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -P INPUT DROP

and replace 1.2.3.4 with the IP address of your server.

This configuration accepts packets from established connections (first line) and from loopback connections (second line), but it drops all other packets (third line). The OUTPUT and FORWARD chains are not affected – this code just changes the rules about which inbound packets are accepted. Now start fwknop with /etc/init.d/fwknop start.

Figure 1: Setting up iptables.

Testing Fwknop setup

To test your setup, you need a client as well as a server. Again, you will need to install libpcap-dev on the client machine and then install fwknop as above; however, answer client during the installation process.

For an initial test, confirm that you cannot log in to your server via SSH:

$ ssh [email protected]

Although you should get no response, if you do, check your iptables setup on the server with iptables -L to list the rules. Next, try sending the "knock" packet:

$ fwknop -A tcp/22 -a client.example.com -D server.example.com

[…] with the passphrase, you can change this in access.conf on the server. If the test does not succeed, it is possible that the packet was sent over a high-value UDP port. If your client and server are on different networks with an external firewall between them that blocks these ports, your "knock" packet will not get through. If this is the case, you can edit the PCAP_FILTER value in /etc/fwknop/fwknop.conf on the server to set a port value that is allowed through, and then use the --Server-port <port> switch with the client fwknop command:

$ fwknop -A tcp/22 --Server-port 330 -a client.example.com -k server.example.com

To get more information on what is happening, you can run the daemon on the server in debug or verbose mode: fw- […] the changes in iptables as a connection occurs.

Using a GPG key

A plaintext key might not be the ideal form of authentication. Fwknop also supports GPG authorization, but you probably don't want to use your regular GPG key on the server end, since the password for decrypting it must be stored in /etc/fwknop/access.conf. However, you can use an existing GPG key on the client end if you have one.

In this example, I will assume you don't have one, and I'll go through the steps to set up a new key at both ends. To create the server key, use:

$ gpg --gen-key
$ gpg --list-keys

The default options for the first command (DSA and Elgamal key, 2,048-bit key size, and no key expiry) are fine.
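The traditional port-knocking daemon described at the start of the article watches the server's log of refused connections and acts once one source address has hit the right ports in the right order. The following is an added Python model of that detection logic, not code from the article or from any knocking daemon: it parses constructed iptables LOG lines (timestamp, SRC, DPT), tracks per-source progress through a constructed knock sequence with a constructed time window, and records which address would get a firewall rule. It also makes the replay weakness concrete: the sequence is visible in exactly the packets a network observer could capture, which is the reason the article gives for preferring SPA.

```python
import re

# Knock sequence the daemon waits for and the time allowed to finish it
# (constructed values for this example; the article gives no specific sequence)
KNOCK_SEQUENCE = [7000, 8000, 9000]
KNOCK_WINDOW = 10.0  # seconds

# Matches the parts of an iptables LOG line we need: a leading timestamp
# (epoch seconds, as constructed below), the source address and the destination port
LOG_RE = re.compile(r"^(?P<ts>\d+(?:\.\d+)?) .*SRC=(?P<src>[\d.]+) .*DPT=(?P<dpt>\d+)")


class KnockWatcher:
    """Tracks, per source IP, how far through the knock sequence the sender has got."""

    def __init__(self, sequence=KNOCK_SEQUENCE, window=KNOCK_WINDOW):
        self.sequence = list(sequence)
        self.window = window
        self.progress = {}  # src ip -> (index of next expected knock, time of first knock)
        self.opened = []    # source IPs for which the daemon would now edit the firewall

    def feed(self, line):
        """Consume one log line; return the source IP if it just completed the sequence."""
        m = LOG_RE.match(line)
        if not m:
            return None  # not a firewall LOG line
        ts, src, dpt = float(m["ts"]), m["src"], int(m["dpt"])
        idx, start = self.progress.get(src, (0, ts))
        if idx and ts - start > self.window:
            idx = 0  # took too long: the sequence starts over
        if idx == 0:
            start = ts
        if dpt != self.sequence[idx]:
            self.progress.pop(src, None)  # a wrong port breaks the sequence
            return None
        idx += 1
        if idx == len(self.sequence):
            self.progress.pop(src, None)
            self.opened.append(src)  # a real daemon would insert an iptables ACCEPT rule here
            return src
        self.progress[src] = (idx, start)
        return None


def replay_log(lines, sequence=KNOCK_SEQUENCE, window=KNOCK_WINDOW):
    """Run a watcher over a list of log lines and return the IPs that completed the knock."""
    watcher = KnockWatcher(sequence, window)
    for line in lines:
        watcher.feed(line)
    return watcher.opened


# Constructed iptables LOG output (not real logs): three hosts, only one knocks correctly
SAMPLE_LOG = [
    "1000.0 kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=40000 DPT=7000",
    "1001.0 kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.5 PROTO=TCP SPT=40001 DPT=7000",
    "1001.5 kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=40002 DPT=8000",
    "1002.0 kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.5 PROTO=TCP SPT=40003 DPT=8000",
    "1002.5 kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=40004 DPT=9000",
    "1003.0 kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.5 PROTO=TCP SPT=40005 DPT=22",
    "1003.5 kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.5 PROTO=TCP SPT=40006 DPT=9000",
    "1010.0 kernel: IN=eth0 OUT= SRC=198.51.100.11 DST=203.0.113.5 PROTO=TCP SPT=40007 DPT=7000",
    "1025.0 kernel: IN=eth0 OUT= SRC=198.51.100.11 DST=203.0.113.5 PROTO=TCP SPT=40008 DPT=8000",
    "1026.0 kernel: IN=eth0 OUT= SRC=198.51.100.11 DST=203.0.113.5 PROTO=TCP SPT=40009 DPT=9000",
]

if __name__ == "__main__":
    print("firewall opened for:", replay_log(SAMPLE_LOG))
```

In the sample log, 198.51.100.7 completes the sequence inside the window, 198.51.100.9 sends a wrong port midway and has to start again, and 198.51.100.11 lets the window expire between knocks, so only the first address is opened. Everything the watcher needed to make that decision was carried in plaintext connection attempts, which is what SPA's single encrypted packet removes.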
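The SPA properties the article relies on (one authenticated packet carrying all the information, packets that cannot be replayed, and access that lapses after the 30-second access.conf timeout) as an added Python model that is not fwknop's code and not its packet format: real fwknop encrypts the packet with the shared key or GPG, whereas this model authenticates a JSON payload with HMAC-SHA256 so it runs with the standard library only. The key, addresses, timestamps and 120-second skew limit are constructed values. The replay cache of digests of accepted packets is the same idea fwknop uses to refuse a captured packet the second time.

```python
import base64
import hashlib
import hmac
import json
import os
import time

# Shared secret playing the role of the KEY line in access.conf (constructed value)
SHARED_KEY = b"constructed-demo-passphrase"
OPEN_SECONDS = 30     # the sample access.conf timeout the article describes
MAX_SKEW = 120        # how old a packet may be before it is refused (assumed policy)
TAG_LEN = 32          # bytes of HMAC-SHA256 appended to the payload


def build_spa_packet(key, access, allow_ip, now=None):
    """Client: one self-contained, authenticated packet with a fresh nonce and timestamp."""
    body = {
        "access": access,       # service to open, e.g. "tcp/22"
        "allow_ip": allow_ip,   # source address the firewall should admit
        "ts": int(time.time() if now is None else now),
        "nonce": base64.b64encode(os.urandom(16)).decode(),  # makes each packet unique
    }
    payload = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.b64encode(payload + tag)


class SpaServer:
    """Server: authenticates packets, refuses replays, opens access for a limited time."""

    def __init__(self, key):
        self.key = key
        self.seen = set()       # digests of accepted packets: the replay cache
        self.open_until = {}    # allow_ip -> time the temporary firewall rule expires

    def handle_packet(self, raw, now=None):
        now = time.time() if now is None else now
        try:
            blob = base64.b64decode(raw, validate=True)
        except ValueError:  # binascii.Error is a ValueError
            return "rejected: malformed"
        if len(blob) <= TAG_LEN:
            return "rejected: malformed"
        payload, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
        expected = hmac.new(self.key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # constant-time comparison
            return "rejected: bad authentication tag"
        digest = hashlib.sha256(blob).hexdigest()
        if digest in self.seen:
            return "rejected: replay"                 # a captured packet is useless twice
        body = json.loads(payload)
        if abs(now - body["ts"]) > MAX_SKEW:
            return "rejected: stale timestamp"
        self.seen.add(digest)
        # real fwknopd inserts an iptables ACCEPT rule here and removes it again later
        self.open_until[body["allow_ip"]] = now + OPEN_SECONDS
        return "accepted: %s open for %s for %ds" % (body["access"], body["allow_ip"], OPEN_SECONDS)

    def is_open(self, ip, now=None):
        """Would the firewall currently admit this address?"""
        now = time.time() if now is None else now
        return self.open_until.get(ip, 0) > now


if __name__ == "__main__":
    server = SpaServer(SHARED_KEY)
    packet = build_spa_packet(SHARED_KEY, "tcp/22", "192.0.2.10")
    print(server.handle_packet(packet))   # accepted
    print(server.handle_packet(packet))   # rejected: replay
```

The order of the checks matters: the authentication tag is verified before anything else is parsed, so an unauthenticated sender cannot even make the server read JSON, and the replay cache is consulted before the timestamp so that a replayed packet is refused for the right reason. The cache is unbounded here; the timestamp window is what lets a real daemon expire old digests.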