Wednesday, September 15, 2010

Port Knocking

Someone recently asked me about securing SSH server. The only options I thought then was changing the port, disabling password interactive login, and enabling public/private key pair to authenticate. This should be enough in most cases. But, there's more. One of them is version cloaking. This can be done with a patch applied to the source of OpenSSH and recompile it. Another way to secure remote access is port knocking.

Its main principle is this. Port 22 is locked. You have to knock in a custom manner in order to get the port opened only for the incoming IP that knocked. The server side, includes a daemon called knockd looking for specific sequence of knocking on the server door. You can configure a specific order of ports to knock, a specific flag those packets should have, a sequence timeout, commands, and few more options. The command, in this case, will be to open port 22 for the incoming IP that knocked exactly in the same order the server is setup to listen. You can also use another sequence of knocking to close the same port, that actually deletes the firewall rule added earlier.

The client side, well, I tried around 3 port knocking clients, and the last one went well, being made by the same guys who did the server, This includes also a windows version that can be easily run from a command prompt window. You can configure the host it will knock, type of packet, order of ports, and so on.

Installation on Ubuntu is a very easy apt-get install knockd.
You'll be able to start the daemon by enabling it in /etc/default/knockd.
Configuration file is /etc/knockd.conf, and I've first used it using (almost) one of the configuration found on website:

logfile = /var/log/knockd.log

sequence = 7000,8000,9000
seq_timeout = 10
tcpflags = syn
command = /usr/sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT

sequence = 9000,8000,7000
seq_timeout = 10
tcpflags = syn
command = /usr/sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT, this configuration, listens for TCP packets, with the flag syn, in a sequence of 7000, 8000, 9000, with a timeout of 10 seconds. After it detects that, it automatically grants port 22 access to the incoming IP. If the daemon gets the reverse order of knocking, it will automatically delete the rule, so, closing the port again for all IPs. Unfortunately, those knockings can be easily read on a packet sniffer between you and the secured server, but, it's how you can secure more a SSH server. Oh, and, in case you don't want to be left outside on the server, in case of daemon failure, you should get a script running that automatically checks if the daemon is running, and automatically restart it in case it's stopped.

That's all folks!

No comments:

Post a Comment