Port knocking on Routertech 2.95 - A tutorial

rokafeller
Regular
Posts: 71
Joined: Wed Jul 22, 2009 8:57 pm
Location: Italy

Post by rokafeller » Thu Mar 24, 2011 12:16 am

Hi all,

Port knocking is a security technique that opens firewall ports on demand, providing increased security on interfaces exposed to the internet and at the same time allowing flexible access for allowed users.
From Wikipedia: "port knocking is a method of externally opening ports on a firewall by generating a connection attempt on a set of prespecified closed ports. Once a correct sequence of connection attempts is received, the firewall rules are dynamically modified to allow the host which sent the connection attempts to connect over specific port(s)."

Port knocking is client-server based: if we get our Routertech router to run a port-knocking daemon, we'll be able to access very securely from outside potentially any service we might have on our LAN, should this be a NAS, a DB, an RDP, whatever, without even changing the default ports. Clearly, proper port forwarding must be configured on the router, but that's basic routing.

This tutorial doesn't involve any particularly dangerous steps - in any case, you're doing everything at your own risk.
Should you find any errors, please let me know and I'll fix them.


In the binaries section viewtopic.php?f=28&t=1602&p=24399#p24399, you'll find the executable: knockd. Here is what to do to make it work. On my Dlink G624T it works flawlessly.
  • Load knockd on your router
    Knockd is a fat executable (compared to small routers' memory) and barely fits into most cheap AR7-based routers.
    Two options then:
    • From Routertech 2.93 onward, you can create a partition in NVRam and host it there (in order to do that, READ CAREFULLY bullet #43 here firmware-faq/features.html). Once you do it, you can easily copy knockd using software like WinSCP.
    • Mount a local fileshare to host the knockd executable. Let's say you have a local CIFS NAS at 192.168.1.10. Copy knockd into your fileshare. Then, log into your Routertech router and mount the fileshare:

      Code:

      /var # smbmount //192.168.1.10/sharename /smbfs -o username=user,password=pass
      Confirm knockd is there:

      Code:

      ls -l /smbfs 
  • knockd configuration example
    Before running knockd, we need to configure its behavior. In this example, we want it to open the SSH port (22) on iptables for the knocking IP address if, and only if, a sequence of TCP-syn on ports TCP:2000, UDP:3000, TCP:4000 is received. If the sequence is not completed in 15 seconds (seq_timeout), the knocking steps are reset and need to be restarted from the beginning. Also be aware that port 22 in this example will be open for an incoming connection just for 10 seconds (cmd_timeout): you need to open your SSH session by then, otherwise knockd will remove the allow-rule from iptables and you'll have to knock in again. Once the SSH session is established, knockd will still remove the allow-rule, but now the session is in an established state and is therefore allowed by iptables (unless you have set it differently).

    Code:

    [options]
            logfile = /smbfs/knockd.log

    [opencloseSSH]
            sequence      = 2000:tcp,3000:udp,4000:tcp
            seq_timeout   = 15
            tcpflags      = syn
            start_command = iptables -I INPUT 1 -s %IP% -p tcp --dport 22 -j ACCEPT
            cmd_timeout   = 10
            stop_command  = iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    
  • Run knockd (server side)
    This is the syntax to make our knockd server listen on our WAN interface. Note that NO PORTS need to be opened on the firewall, since knockd sniffs traffic at layer 2.

    Code:

    /smbfs/knockd --interface ppp0 --config /smbfs/knockd.conf --verbose 
    • --interface ppp0 : the name of your WAN interface. It could be different; if unsure, just type the ifconfig command to verify the name of your WAN interface.
    • --config /smbfs/knockd.conf : configuration file for knockd. It defines the knocking sequence to open a specific port on the firewall. You'll find an example below, and I'm not going into the details of this, since it's very well explained here http://www.zeroflux.org/projects/knock.
    • --verbose : not mandatory, it just prints what's happening to the terminal. It's useful at the beginning to check that knockd is properly working.
  • What to do on client side
    On the client side, to easily generate the proper knocking sequence, you can use the knock utility, again available here http://www.zeroflux.org/projects/knock for a variety of OSes. Here I'm considering the Windows version; here is the explanation of the parameters:

    Code:

    C:\knock>knock.exe
    usage: knock [options] <host> <port[:proto]> [port[:proto]] ...
    options:
      -u, --udp            make all ports hits use UDP (default is TCP)
      -v, --verbose        be verbose
      -V, --version        display version
      -h, --help           this help
    example:  knock myserver.example.com 123:tcp 456:udp 789:tcp
    Quite self-explanatory. Then we need to take one step further: when running knock directly with our sequence, it apparently sends the packets too fast and knockd will recognize only the first one, dropping all the others. I don't know whether this is related to the delay introduced by the sniffing driver on the router, but to make it work we need to slow down the knocking sequence.
    An easy way to do it is to script the execution of single knocks with a delay in between. Here is an example of a Windows batch file knockstart.bat (the stupid ping to a non-existent IP address is the idiot way I found to insert a 1s delay). Let's generate our TCP:2000, UDP:3000, TCP:4000 syn sequence:

    Code:

    @echo off
    REM Knocks at a given host passed as argument
    REM %1 is the hostname/IP address we want to knock at

    REM first knock
    knock.exe %1 2000:tcp
    REM idiot way to wait 1s (the REM must sit on its own line: placed after the
    REM redirection it is passed to ping as arguments and no wait happens)
    ping 123.45.67.89 -n 1 -w 1000 > nul
    REM second knock
    knock.exe %1 3000:udp
    REM idiot way to wait 1s
    ping 123.45.67.89 -n 1 -w 1000 > nul
    REM third knock
    knock.exe %1 4000:tcp
    REM firewall should now be letting us in on the port specified in knockd.conf file
    
    Let's say our host is myhost.no-name.org, then we have to type:

    Code:

    c:\knock>knockstart.bat myhost.no-name.org
    Now check on the console of our router: it should be showing something like this (I masked my real IP address):

    Code:

    /smbfs # ./knockd --interface ppp0 --config knockd.conf --verbose
    listening on ppp0...
    X.X.X.X: opencloseSSH: Stage 1
    X.X.X.X: opencloseSSH: Stage 2
    X.X.X.X: opencloseSSH: Stage 3
    X.X.X.X: opencloseSSH: OPEN SESAME
    opencloseSSH: running command: iptables -I INPUT 1 -s X.X.X.X -p tcp --dport 22 -j ACCEPT
    opencloseSSH: command returned non-zero status code (1)
    
    Now try an SSH connection (within 10 seconds) and your router will happily answer! :wink:

    Be aware that using the knocking utility on client side is not the only way to knock. Telnet, browsers, and other common clients can be used to generate TCP syn on desired ports.
Done! Now the last thing you might want to do is, after compiling your favourite knock sequence in knockd.conf, schedule at boot time both the mounting of your fileshare and the execution of knockd, in order to have this nice security feature always available.

PS:
Should you be interested in self-compiling this utility, you can use this toolchain http://doomed.profusehost.net/files/cro ... el.tar.bz2 to compile under Linux for MIPS (the router is powered by a non-x86 CPU).
I could compile under Ubuntu 10.04, running inside a VM on VMware.
Running D-Link DSL-G624T, PSP bootloader in place of the original Adam2, RouterTech Firmware v2.97. OpenVPN and port knocking services activated.
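To make the matching rules described in the knockd.conf above concrete (sequence order, the seq_timeout reset, cmd_timeout, and %IP% substitution in the door commands), here is a small model of one knockd "door". This is an added Python example written for this thread, not knockd's own code; the way it treats an unexpected hit is a simplification that is stated in the comments, and the addresses and packet timings are constructed.

```python
def parse_sequence(seq):
    """Turn knockd's 'port[:proto],...' syntax into a list of (port, proto) steps."""
    steps = []
    for item in seq.split(","):
        port, _, proto = item.strip().partition(":")
        steps.append((int(port), (proto or "tcp").lower()))  # knockd defaults to tcp
    return steps

def render_command(template, ip):
    """Substitute the knocking host's address for %IP% in a start/stop command."""
    return template.replace("%IP%", ip)

class Door:
    """One [section] of knockd.conf: a knock sequence plus its timeouts and commands."""
    def __init__(self, sequence, seq_timeout, cmd_timeout, start_command, stop_command):
        self.steps = parse_sequence(sequence)
        self.seq_timeout = seq_timeout
        self.cmd_timeout = cmd_timeout
        self.start_command = start_command
        self.stop_command = stop_command
        self.attempts = {}  # source ip -> (index of next expected step, time of first hit)

    def hit(self, ip, port, proto, now):
        """Feed one packet seen on the WAN interface (now = time in seconds).

        Returns the stage reached, 0 when the attempt is discarded, or
        (start_cmd, stop_cmd, close_at) once the whole sequence arrived within
        seq_timeout. Simplification (assumption): a hit that is not the expected
        step discards the attempt; real knockd only sees ports of some sequence.
        """
        stage, started = self.attempts.get(ip, (0, now))
        if stage and now - started > self.seq_timeout:
            stage, started = 0, now  # earlier attempt expired: start from the beginning
        if (port, proto.lower()) != self.steps[stage]:
            self.attempts.pop(ip, None)
            return 0
        stage += 1
        if stage < len(self.steps):
            self.attempts[ip] = (stage, started)
            return stage
        self.attempts.pop(ip, None)  # OPEN SESAME: rule added now, removed at close_at
        return (render_command(self.start_command, ip),
                render_command(self.stop_command, ip),
                now + self.cmd_timeout)

if __name__ == "__main__":
    # The door from the post above, fed constructed packets from a documentation address.
    door = Door("2000:tcp,3000:udp,4000:tcp", 15, 10,
                "iptables -I INPUT 1 -s %IP% -p tcp --dport 22 -j ACCEPT",
                "iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT")
    for t, port, proto in [(0.0, 2000, "tcp"), (1.0, 3000, "udp"), (2.0, 4000, "tcp")]:
        print(door.hit("203.0.113.5", port, proto, t))
```

Feeding the three knocks more than 15 seconds apart, or a TCP hit where UDP is expected, returns 0 and the knocker has to start over, which is the reset behaviour the configuration text describes.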
thechief
RouterTech Team
Posts: 12067
Joined: Wed Feb 01, 2006 10:22 pm
Location: England, the Centre of Africa

Re: Port knocking on Routertech 2.95 - A tutorial

Post by thechief » Fri Mar 25, 2011 5:04 pm

Thanks for the tutorial.
The Chief: :afro: Be sure to read the Firmware FAQ and do a Forum Search before posting!
No support via PM. Ask all questions on the open forum.
geekgirl
Regular
Posts: 72
Joined: Sat Feb 27, 2010 3:23 pm
Location: Egypt

Re: Port knocking on Routertech 2.95 - A tutorial

Post by geekgirl » Tue Apr 19, 2011 10:10 pm

very useful indeed :)