December 10, 2008

Port Knocking - Firewall Security I

There has been a lot of buzz lately about the security layer around running services and open ports, and about how to step back from the line of security risk, even if only by one step.

Port Knocking can be summarized in three steps:

  1. My service's port is locked by default.

  2. My service's port will not open unless you send packets to a sequence of ports I selected.

  3. My service's port therefore remains unseen by brute-force bots and script kiddies' scanners.

In this first part of Firewall Security, I will go over the setup and configuration of a basic port knocking deployment on a CentOS FTP server using knockd.

knockd is available on rpmforge, so feel free to grab the rpm from the mirror, or simply yum install knockd if you have the rpmforge mirror added to your repositories.

knockd uses a single configuration file, /etc/knockd.conf.

In this case study, we will focus on securing port 21 for our FTP server application.

(I am assuming that you currently have port 21 blocked on your firewall and that you are using iptables.)

[sourcecode language='bash']
[options]
    logfile = /var/log/knockd.log

[openFTP]
    sequence    = 2000,3455,6789
    seq_timeout = 10
    tcpflags    = syn
    command     = /sbin/iptables -I INPUT 1 -p tcp -s 192.168.2.107 -d 192.168.2.201 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT

[closeFTP]
    sequence    = 6789,3455,2000
    seq_timeout = 10
    tcpflags    = syn
    command     = /sbin/iptables -D INPUT 1
[/sourcecode]

Start the knockd server with:

[sourcecode language='bash']
/usr/sbin/knockd -d
[/sourcecode]

(Keep in mind that by default knockd listens on interface eth0.)

And voilà: once the port combination specified in the configuration file has been sent, port 21 opens on the firewall.

For testing, use the knock client (http://www.zeroflux.org/cgi-bin/cvstrac.cgi/knock/wiki) and knock on the port sequence of your FTP server.
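To make the matching rule of a door such as [openFTP] concrete, here is a small Python model (an added example, not knockd's own code): the same source must hit 2000, 3455 and 6789 in that order within seq_timeout seconds, or it has to start over. It runs over a constructed list of SYN packets and reports every completed sequence; the matching rules it applies are a simplified assumption rather than a copy of knockd's implementation, and the IPs and timestamps are made up.

```python
from typing import Dict, List, Tuple

# Doors from the knockd.conf above: door name -> ordered port sequence
DOORS = {"openFTP": [2000, 3455, 6789], "closeFTP": [6789, 3455, 2000]}
SEQ_TIMEOUT = 10.0  # seconds allowed from the first knock, as in seq_timeout = 10

# Constructed sample of SYN packets reaching the firewall: (time, source ip, destination port)
SAMPLE_SYNS = [
    (100.0, "192.168.2.107", 2000),
    (101.0, "192.168.2.107", 3455),
    (102.0, "192.168.2.107", 6789),  # full openFTP sequence within 10 s: door opens
    (200.0, "10.0.0.5", 2000),
    (205.0, "10.0.0.5", 3455),
    (215.5, "10.0.0.5", 6789),       # 15.5 s after the first knock: too slow, rejected
    (300.0, "10.0.0.9", 2000),
    (300.5, "10.0.0.9", 6789),       # out of order: attempt discarded
    (301.0, "10.0.0.9", 3455),
    (400.0, "192.168.2.107", 6789),
    (400.3, "192.168.2.107", 3455),
    (400.6, "192.168.2.107", 2000),  # closeFTP sequence: rule is removed again
]


def match_knocks(syns, doors=DOORS, timeout=SEQ_TIMEOUT) -> List[Tuple[float, str, str]]:
    """Return (time, source ip, door) for every completed knock sequence.

    Assumed model, simplified from knockd: an attempt starts when a source
    hits the first port of a door; every later SYN from that source must hit
    the next port in order, and the whole sequence must finish within
    `timeout` seconds of the first knock or the attempt is forgotten.
    Ports outside the door's sequence are ignored; a wrong sequence port
    breaks the attempt.
    """
    attempts: Dict[Tuple[str, str], Tuple[int, float]] = {}  # (door, ip) -> (stage, t0)
    completed = []
    for ts, ip, port in syns:
        for name, seq in doors.items():
            stage, t0 = attempts.get((name, ip), (0, ts))
            if stage and ts - t0 > timeout:
                stage, t0 = 0, ts  # seq_timeout expired: start over
            if port == seq[stage]:
                stage += 1
                if stage == len(seq):
                    completed.append((ts, ip, name))
                    attempts.pop((name, ip), None)
                else:
                    attempts[(name, ip)] = (stage, t0)  # t0 == ts when stage was 0
            elif port in seq:
                attempts.pop((name, ip), None)  # wrong port for this door: sequence broken
    return completed
```

Fed with SYN records from your own firewall log instead of the constructed list, the same loop shows how plainly a knock sequence stands out to anyone who can watch the traffic.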

Some pieces of advice:

  1. Keep in mind that this setup gives you a single point of failure: whenever knockd fails, you will be left with no remote connectivity (especially if you lock down the SSH port). To prevent this, monitor the knockd daemon and restart it in case of failure.

  2. This security layer isn't enough, and it actually introduces some potential security risks: the right port combination can easily be sniffed between the client and the server, leaving an attacker knowing the exact port combination.

  3. For each setup, you will need to allocate a sequence of ports. Keep in mind that those ports need to be exclusively allocated to knockd; choose your sequences carefully!

Cheers,