Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
n0whereN0whereN0WHERE:66151
HistoryOct 27, 2015 - 1:10 a.m.

SSH Port Knocking

2015-10-2701:10:01
n0where.net
11
JSON

In computer networking, port knocking is a method of externally opening ports on a firewall by generating a connection attempt on a set of pre-specified closed ports. Once a correct sequence of connection attempts is received, the firewall rules are dynamically modified to allow the host which sent the connection attempts to connect over specific port.

The primary purpose of port knocking is to prevent an attacker from scanning a system for potentially exploitable services

The port “knock” itself is similar to a secret handshake and can consist of any number of TCP, UDP or even sometimes ICMP and other protocol packets to numbered ports on the destination machine. The complexity of the knock can be anything from a simple ordered list to a complex time-dependent, source-IP-based and other-factor-based encrypted hash.

Defeating port knocking protection requires large-scale brute force attacks in order to discover even simple sequences. An anonymous brute force attack against a three-knock TCP sequence (e.g. port 1000, 2000, 3000) would require an attacker to test every three port combination in the 1–65535 range and then scan each port between attacks to uncover any changes in port access on the target system. Since port knocking is by definition stateful, the requested port would not open until the correct three-port number sequence had been received in the correct order and without receiving any other intervening packets from the source. This technique, in combination with knock attempt-limiting, longer or more complex sequences and cryptographic hashes, makes successful port access attempts extremely difficult.

The average case scenario requires approximately 141 trillion packets to determine a correct three-port number.

Using cryptographic hashes inside the port knock sequence defends against packet sniffing between the source and target machines, preventing discovery of the port knock sequence or using the information to create traffic replay attacks to repeat prior port knock sequences.Port knocking is used as part of a defense in depth strategy. Even if the attacker were to successfully gain port access, other port security mechanisms are still in place, along with the assigned service authentication mechanisms on the opened ports.

A port knock system implemented on ports such as the SSH sidesteps the issue of brute force password attacks on logins. In the case of SSH, the SSH daemon is not activated without the correct port knock, and the attack is filtered by the TCP/IP stack rather than using SSH authentication resources. To the attacker, the daemon is inaccessible until the correct port knock is supplied.

Overview

  • Interface : eth0
  • Sequence : 1000, 2000, 3000

In order to implement our port knocking we’ll:

  • Create a rule to accept already established traffic and to keep ports open for externally accessible services ( like web server ).
  • Redirect all other incoming traffic into a new SEQUENCE chain.
  • Do packet filtering and labelling through sub-chains.
  • Once the packet passes through our ‘logic’ chains, grant access to SSH port.

We’ll implement 3 ‘Knocks’ ( iptables chains ), demanding 4 different states for the entire process:

  • LEVEL1 : Flag which confirms first knock.
  • LEVEL2 : Flag which confirms second.
  • LEVEL3 : Flag which grants SSH access.

These states will be implemented as sub-chains :

  • KNOCK1 : Determine whether an address should be flagged as “LEVEL1”.
  • KNOCK2 : Determine whether an address should be flagged as “LEVEL2”.
  • KNOCK3 : Determine whether an address should be flagged as “LEVEL3”.
  • GRANTED : Open SSH port for clients who have knocked successfully.

All non-SSH traffic in SEQUENCE chain and its sub-chains should be dropped.

Configure

We will begin by flushing the existing firewall rules so that we can start with a clean slate. Before flushing rules, it is always a good idea to reassert that the default policies in an empty table are “ACCEPT” in order to maintain your current connection:

iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -F

we want to add the additional chains that we will be using:

iptables -N SEQUENCE
iptables -N KNOCK1
iptables -N KNOCK2
iptables -N KNOCK3
iptables -N GRANTED

Add the traffic that we don’t want to handle with port knocking to the INPUT chain. We can start by accepting all current connections, which will allow our current SSH connection to remain unaffected:

iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

Accept all connections from the local machine:

iptables -A INPUT -i lo -j ACCEPT

If you have services that should remain externally and publicly accessible, like a web server, add a rule to allow this type of connection:

iptables -A INPUT -p tcp --dport 80 -j ACCEPT

Transfer all traffic that was not handled in the above rules to our SEQUENCE chain:

iptables -A INPUT -j SEQUENCE

LEVEL 1

When a client connects, we need to verify if they are sending a packet to our first target. If they are, we flag the client as passing the first test. If they are not, we simply drop the connection.We will first set the flag on the correct port attempt:

iptables -A KNOCK1 -p tcp --dport 1000 -m recent --name LEVEL1 --set -j DROP

Explanation : _ Appending a rule to the KNOCK1 chain. This rule will match when the protocol being used is “tcp” and when the port it is trying to access is “1000”, our first knock target. If this is true, the recent module (called with -m recent), flags the requesting IP address with the name LEVEL1 (with the –name LEVEL1 –set rule). This is the flag we will use to see if the second knock matches. The packet is dropped after the flag is set, so that the client does not know if anything happened. _

After that, we drop everything:

iptables -A KNOCK1 -j DROP

This rules will either match and flag the address if the correct port is ‘knocked’, or no action will be taken and the packet will be dropped.

LEVEL 2

The second knock (chain) will first have to remove the flag set by previous chain ( KNOCK1).

iptables -A KNOCK2 -m recent --name LEVEL1 --remove

and then use the same syntax from LEVEL1 to check whether this connection attempt is correct and match defined port:

iptables -A KNOCK2 -p tcp --dport 2000 -m recent --name LEVEL2 --set -j DROP

Like in previous step we simply set the LEVEL2 flag, indicating that the packet passed the second test.

Instead of just dropping packet ( like in previous step ) we pass the packet to our KNOCK1 chain. KNOCK1 will see wrong TCP port and drop the packet for us.

iptables -A KNOCK2 -j KNOCK1

This type of syntax is being used because of some ‘logical’ problems which can occur in some situations. In order to stay on the safe side, we’ll promote the best practice rule and you should use it on your production system. In your lab, while you test port-knocking technique, you can (probably) just drop the packet.

LEVEL 3

Level 3 is a mirror image of L2 step ( with different values). Process is the same: remove the flag from KNOCK2, Check the port and mark the packet with LEVEL3 flag

iptables -A KNOCK3 -m recent --name LEVEL2 --remove
iptables -A KNOCK3 -p tcp --dport 3000 -m recent --name LEVEL3 --set -j DROP
iptables -A KNOCK3 -j KNOCK1

GRANTED

iptables -A GRANTED -m recent --name LEVEL3 --remove
iptables -A GRANTED -p tcp --dport 22 -j ACCEPT
iptables -A GRANTED -j KNOCK1

Now, we have all of our chains configured but our general SEQUENCE chain. We now need to hook all of our sub-chains to SEQUENCE chain.

SEQUENCE

This is the place where we will implement a time limit and give our client a 30 second window to connect to the daemon.

iptables -A SEQUENCE -m recent --rcheck --seconds 30 --name LEVEL3 -j PASSED

We can also (and should) limit the time between ‘knocks’. As an example we’ll use a 10 second time limit .

The full process will require our clients to complete the next stage of the knock within 10 seconds, and then connect to the SSH daemon in 30 seconds.

iptables -A SEQUENCE -m recent --rcheck --seconds 10 --name LEVEL2 -j KNOCK3
iptables -A SEQUENCE -m recent --rcheck --seconds 10 --name LEVEL1 -j KNOCK2

As before, we’ll redirect all ‘bad’ traffic to KNOCK1.

iptables -A SEQUENCE -j KNOCK1

At this point, our port knocking is configured.

TEST

There are a number of utilities that can be used to generate the TCP packets and you can use whatever you like in your test. We like nmap.

Testing this looks like:

nmap -Pn --host_timeout 201 --max-retries 0 -p 1000 n0where.net
nmap -Pn --host_timeout 201 --max-retries 0 -p 2000 n0where.net
nmap -Pn --host_timeout 201 --max-retries 0 -p 3000 n0where.net

but we’ll script it to:

for x in 1000 2000 3000; do nmap -Pn --host_timeout 201 --max-retries 0 -p $x n0where.net && sleep 1; done && ssh [email protected]

This will knock on the first port, wait for a second, knock on the next, and so on until the sequence is complete. It will then attempt to connect the the server’s SSH daemon.

To make things even easier we can .sh this

nano knocknock



#!/bin/bah

ports="1000 2000 3000"
host="n0where.net"

for x in $ports
do
    nmap -Pn --host_timeout 201 --max-retries 0 -p $x $host
    sleep 1
done
ssh user@${host}

Save and close the file.

Make the file executable with this command:

chmod 755 knocknock

Now, we can connect to our server by typing:

./knocknock

Keep in mind that iptables rules are not persistent ! You can make your firewall rules persistent by downloading the following package:

apt-get install iptables-persistent
service iptables-persistent start

EoF

Port knocking is a flexible and customisable system. In addition to mitigating brute force password attacks and the inevitable growth in logs associated with the process daemon, port knocking also protects against protocol vulnerability exploits. If an exploit was discovered that could compromise a daemon in its default configuration, using port knocking on the listening port reduces the possibility of compromise until the software or process is updated. Authorized users would continue to be served once they provide the correct knock sequence while random access attempts would be ignored.

Port knocking can be problematic on networks exhibiting high latency. Port knocking depends on packets arriving in the correct sequence to access its designed functionality. TCP/IP was designed to function by assembling out of order packets into a coherent message. In these situations, the only solution is for the client to continue resending the correct sequence of packets on a periodic basis until the sequence is acknowledged by the server.

Port knocking should only be viewed as part of an overall network defense strategy providing protection against random and targeted attacks, not as complete standalone solution.

Network Security Professionals have largely ignored port knocking as a solution in the past since early implementations relied solely on providing the correct port combinations to achieve access. Modern port knock systems incorporate features such as secure cryptographic hashes, blacklists, whitelists and dynamic attack responses to further increase system capability. Port knocking is an effective means of maximizing server resources on internet facing networks.

Properly implemented port knocking does not lower the overall security of a system. It is an effective measure that provides an additional layer of security with minimal server resource overhead. At worst, systems such as port knocking introduce new security issues through poor implementation or expose ambivalent administration attitudes through situations such as risk compensation.

Port knocking should NOT be used as the sole authentication mechanism for a server. It must be combined with other forms of authentication that are not vulnerable to replay or man-in-the-middle attacks for the whole system to be effective.

JSON