Port knocking

In computer networking, port knocking is a method of externally opening ports on a firewall by generating connection attempts on a set of prespecified closed ports. Once the correct sequence of connection attempts is received, the firewall rules are dynamically modified to allow the host that sent them to connect over specific port(s). A variant called single packet authorization (SPA) exists, in which only a single "knock", consisting of one encrypted packet, is needed.[1][2][3][4]

The primary purpose of port knocking is to prevent an attacker from scanning a system for potentially exploitable services by doing a port scan, because unless the attacker sends the correct knock sequence, the protected ports will appear closed.

Overview

Port knocking is usually implemented by configuring a daemon to watch the firewall log file for connection attempts to certain ports, and then to modify the firewall configuration accordingly.[5] It can also be performed at the kernel level (using a kernel-level packet filter such as iptables[6]) or by a userspace process examining packets directly (using a packet capture interface such as pcap); the latter also allows ports that are already "open" to be used as part of the knock sequence, since the daemon is no longer limited to what the firewall logs as dropped.

The port "knock" itself is similar to a secret handshake and can consist of any number of TCP, UDP or, sometimes, ICMP and other protocol packets to numbered ports on the destination machine. The complexity of the knock can range from a simple ordered list (e.g. TCP port 1000, TCP port 2000, UDP port 3000) to a sequence derived from a cryptographic hash that depends on the time, the source IP address and other factors.

A port-knock daemon on the firewall machine listens for packets on certain ports (either via the firewall log or by packet capture). The client needs an extra utility, which can be as simple as netcat or a modified ping program or as elaborate as a full hash generator, and runs it before attempting to connect to the machine in the usual way.

Most port-knock implementations are stateful: if the first part of the "knock" has been received successfully, an incorrect second part prevents the remote user from continuing and, indeed, gives the remote user no clue as to how far through the sequence they failed. Usually the only indication of failure is that, at the end of the knock sequence, the port expected to be open is not opened. No packets are sent to the remote user at any time.
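The following Python sketch is an added example, not code from this page or from any of the implementations it cites. It shows the stateful logic such a daemon applies to each source address: progress through the sequence, a silent reset on any intervening packet or on too long a pause between knocks, and a per-source allow entry that expires on its own. It also exhibits the per-source opening and the simultaneous-knocker behaviour discussed under Benefits. The sequence, timeouts, protected port and addresses are assumptions chosen for illustration, and the events it consumes are constructed in place of a real firewall log; a real daemon would change a firewall rule at the point marked in the code instead of updating a dictionary.

```python
"""Stateful port-knock daemon logic, fed with constructed firewall-log events.

Added example: the sequence, timeouts, protected port and addresses below are
assumptions for illustration, not values from any real deployment.
"""
from dataclasses import dataclass

KNOCK_SEQUENCE = (1000, 2000, 3000)  # the simple ordered sequence used in the text
PROTECTED_PORT = 22                  # assumed: SSH is the service the knock opens
KNOCK_TIMEOUT = 5.0                  # seconds allowed between consecutive knocks
OPEN_DURATION = 30.0                 # seconds the allow rule lives after a good knock


@dataclass
class KnockState:
    stage: int        # number of knocks of the sequence accepted so far
    last_seen: float  # timestamp of the last accepted knock


class KnockDaemon:
    def __init__(self, sequence=KNOCK_SEQUENCE, timeout=KNOCK_TIMEOUT,
                 open_for=OPEN_DURATION):
        self.sequence = sequence
        self.timeout = timeout
        self.open_for = open_for
        self.progress: dict[str, KnockState] = {}  # per-source knock progress
        self.allowed: dict[str, float] = {}        # src_ip -> expiry of its allow rule

    def _expire(self, now: float) -> None:
        """Drop allow entries whose lifetime has passed (the automatic close)."""
        for ip in [ip for ip, exp in self.allowed.items() if exp <= now]:
            del self.allowed[ip]

    def handle_packet(self, ts: float, src_ip: str, dst_port: int) -> None:
        """Process one logged packet to a closed port: (timestamp, source, dest port)."""
        self._expire(ts)
        state = self.progress.get(src_ip)
        if state is not None and ts - state.last_seen > self.timeout:
            state = None  # too slow between knocks: start over, silently
        expected = self.sequence[state.stage] if state else self.sequence[0]
        if dst_port == expected:
            stage = (state.stage if state else 0) + 1
            if stage == len(self.sequence):
                # Full sequence seen: open the port for this source only.
                # A real daemon would run something like
                #   iptables -I INPUT -s <src_ip> -p tcp --dport 22 -j ACCEPT
                # here and schedule its removal after open_for seconds.
                self.progress.pop(src_ip, None)
                self.allowed[src_ip] = ts + self.open_for
            else:
                self.progress[src_ip] = KnockState(stage, ts)
        elif dst_port == self.sequence[0]:
            self.progress[src_ip] = KnockState(1, ts)  # restart on the first knock
        else:
            # Wrong or intervening packet: forget this source's progress.
            # Nothing is sent back, so the sender learns nothing about how far it got.
            self.progress.pop(src_ip, None)

    def is_allowed(self, now: float, src_ip: str) -> bool:
        """Would a connection from src_ip to PROTECTED_PORT pass right now?"""
        self._expire(now)
        return src_ip in self.allowed


# Constructed events as a log-watching daemon would see them: (time, source, port).
EVENTS = [
    (0.0, "198.51.100.7", 1000),
    (0.5, "198.51.100.7", 2000),
    (0.6, "203.0.113.9", 1000),   # a second host starts knocking at the same time
    (1.0, "198.51.100.7", 3000),  # first host completes the sequence
    (1.2, "203.0.113.9", 2500),   # wrong second knock: 203.0.113.9 is silently reset
    (1.4, "203.0.113.9", 2000),   # the rest of the sequence no longer counts
    (1.6, "203.0.113.9", 3000),
    (10.0, "192.0.2.4", 1000),
    (20.0, "192.0.2.4", 2000),    # 10 s after the first knock: over the timeout, reset
    (20.5, "192.0.2.4", 3000),
]


def run_scenario() -> dict[str, bool]:
    daemon = KnockDaemon()
    for ts, src, port in EVENTS:
        daemon.handle_packet(ts, src, port)
    return {
        "good_knocker_open": daemon.is_allowed(21.0, "198.51.100.7"),
        "wrong_sequence_open": daemon.is_allowed(21.0, "203.0.113.9"),
        "slow_knocker_open": daemon.is_allowed(21.0, "192.0.2.4"),
        "good_knocker_after_timeout": daemon.is_allowed(40.0, "198.51.100.7"),
    }


if __name__ == "__main__":
    for name, opened in run_scenario().items():
        print(f"{name}: {'open' if opened else 'closed'}")
```

The reset-on-any-packet rule is what makes the sequence hard to brute-force, but it is also what a spoofing attacker abuses: a packet forged with a legitimate client's source address to any other closed port wipes that client's progress, which is the denial-of-service noted under Disadvantages.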

While this technique for securing access to remote network daemons has not been widely adopted by the security community, it has been actively used in many rootkits since before 2000.[citation needed]

Benefits

Defeating port knocking protection requires a large-scale brute force attack to discover even simple sequences. An anonymous brute force attack against a three-knock TCP sequence (e.g. ports 1000, 2000, 3000) would require an attacker to test every three-port combination in the range 1 to 65535 and then scan the target between attempts to uncover any change in port access. Since port knocking is by definition stateful, the requested port does not open until the correct three-port sequence has been received in the correct order and without any intervening packets from the same source. The average case requires approximately 141 trillion (65535^3 / 2) candidate sequences, each costing at least three packets plus a verification scan, to find a correct three-port knock. This, in combination with knock attempt limiting, longer or more complex sequences and cryptographic hashes, makes successful brute-force port access extremely difficult.

Once the correct port knock sequence has been supplied, firewall rules generally open the port only to the IP address that supplied it, adding dynamic behaviour to the firewall. Instead of a preconfigured static IP whitelist on the firewall, an authorised user anywhere in the world can open any necessary port without assistance from the server administrator. The system can also be configured to let the authenticated user close the port manually once the session is over, or to close it automatically after a timeout. To establish a new session, the remote user must reauthenticate with the correct sequence.

The stateful behaviour of port knocking allows several users from different source IP addresses to be at varying levels of port knock authentication simultaneously, allowing a legitimate user with the correct knock sequence through the firewall while the firewall itself is in the middle of a port attack from multiple IP addresses (assuming the bandwidth of the firewall is not completely consumed). From any other attacking IP address, the ports on the firewall will still appear to be closed.

Using cryptographic hashes inside the port knock sequence defends against packet sniffing between the source and target machines: an observer cannot recover a reusable knock sequence from the captured traffic, nor replay the captured packets to repeat a prior knock.
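As an added example (not code from this page, and not the packet format of fwknop or knockknock), the following Python shows the single-packet form of an authenticated knock and why a captured copy is useless to a sniffer, which is the weakness of plain sequences described under Disadvantages. The client sends one packet: a small JSON payload binding its source address, the requested port, the sending time and a fresh nonce, followed by an HMAC-SHA256 tag over that payload under a shared secret. The server checks the tag before parsing anything, rejects packets outside a time window, packets whose embedded source does not match the address they arrived from, and any nonce it has already accepted inside the window. The shared key, nonce, addresses and window are assumptions constructed for the example.

```python
"""Single packet authorization (SPA) with an HMAC-authenticated, replay-proof knock.

Added example: the shared key, nonce, addresses and window values are assumptions
for illustration; the packet format is this example's own, not that of fwknop or
knockknock.
"""
import hashlib
import hmac
import json
import os

SHARED_KEY = b"constructed-example-key-do-not-reuse-anywhere"  # assumed per-client secret
TIME_WINDOW = 30.0    # seconds of clock skew tolerated
OPEN_DURATION = 30.0  # seconds the allow entry lives after a good knock
TAG_LEN = hashlib.sha256().digest_size


def build_knock(key: bytes, src_ip: str, port: int, ts: float, nonce: str = "") -> bytes:
    """Client side: one packet = JSON payload followed by HMAC-SHA256 over that payload.

    The payload binds the knock to the client's address, the requested port, the
    time of sending and a fresh nonce, so a captured copy cannot be reused later.
    """
    nonce = nonce or os.urandom(8).hex()
    payload = json.dumps(
        {"src": src_ip, "port": port, "ts": ts, "nonce": nonce}, sort_keys=True
    ).encode()
    return payload + hmac.new(key, payload, hashlib.sha256).digest()


class SpaServer:
    def __init__(self, key: bytes, window: float = TIME_WINDOW,
                 open_for: float = OPEN_DURATION):
        self.key = key
        self.window = window
        self.open_for = open_for
        self.seen_nonces: dict[str, float] = {}          # nonce -> last moment it could pass
        self.allowed: dict[tuple[str, int], float] = {}  # (src_ip, port) -> expiry

    def verify(self, packet: bytes, observed_src: str, now: float) -> str:
        """Server side. Returns a verdict; anything but 'accepted' is dropped silently."""
        if len(packet) <= TAG_LEN:
            return "bad-mac"
        payload, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.key, payload, hashlib.sha256).digest()
        # Check the MAC before parsing anything attacker-controlled.
        if not hmac.compare_digest(expected, tag):
            return "bad-mac"
        fields = json.loads(payload)
        if abs(now - fields["ts"]) > self.window:
            return "stale"          # too old to be a live knock (or clocks far apart)
        if fields["src"] != observed_src:
            return "src-mismatch"   # captured on the wire and resent from another host
        # A nonce only needs remembering while its packet could still pass the time
        # check, i.e. until ts + window; older entries can be pruned.
        self.seen_nonces = {n: t for n, t in self.seen_nonces.items() if t >= now}
        if fields["nonce"] in self.seen_nonces:
            return "replay"         # same packet seen again inside its window
        self.seen_nonces[fields["nonce"]] = fields["ts"] + self.window
        # Accepted: open only the requested port, only for the sending address.
        self.allowed[(observed_src, fields["port"])] = now + self.open_for
        return "accepted"

    def is_allowed(self, now: float, src_ip: str, port: int) -> bool:
        expiry = self.allowed.get((src_ip, port))
        return expiry is not None and expiry > now


def run_scenario() -> dict[str, object]:
    """Constructed exchange: one valid knock, then the attacks the text describes."""
    server = SpaServer(SHARED_KEY)
    now = 1_700_000_000.0
    client_ip, attacker_ip = "198.51.100.7", "203.0.113.9"
    knock = build_knock(SHARED_KEY, client_ip, 22, now, nonce="a1b2c3d4e5f60718")
    results: dict[str, object] = {"first": server.verify(knock, client_ip, now + 0.2)}
    # The same bytes captured by a sniffer and replayed from the client's address...
    results["replay_same_host"] = server.verify(knock, client_ip, now + 1.0)
    # ...or sent from the attacker's own address.
    results["replay_other_host"] = server.verify(knock, attacker_ip, now + 1.0)
    # Editing the requested port without the key breaks the MAC.
    tampered = knock.replace(b'"port": 22', b'"port": 23')
    results["tampered"] = server.verify(tampered, client_ip, now + 1.0)
    # A genuine packet held back for ten minutes falls outside the window.
    old = build_knock(SHARED_KEY, client_ip, 22, now - 600, nonce="ffffffffffffffff")
    results["stale"] = server.verify(old, client_ip, now)
    results["client_port_open"] = server.is_allowed(now + 5, client_ip, 22)
    return results


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name}: {verdict}")
```

This gives authenticity and freshness but not confidentiality: the port and source address are readable on the wire, which is why SPA implementations such as fwknop also encrypt the payload. Binding the knock to the observed source address is what keys the resulting allow rule, so a client behind NAT must place its external address in the packet.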

Port knocking is used as part of a defense in depth strategy. Even if the attacker were to successfully gain port access, other port security mechanisms are still in place, along with the assigned service authentication mechanisms on the opened ports.

Implementation of the technique is straightforward, using at the bare minimum a shell script on the server and a Windows batch file or command line utility on the client. Overhead on both the server and client in terms of traffic, CPU and memory consumption is minimal. Port knock daemons are not complex to code, with a low audit burden.

A port knock system placed in front of password-authenticated services such as SSH sidesteps brute force password attacks on logins. In the case of SSH, the SSH daemon is unreachable without the correct port knock, so the attack is dropped by the packet filter rather than consuming SSH authentication resources. To the attacker, the daemon is inaccessible until the correct port knock is supplied.

Security considerations

Port knocking is a flexible, customisable system add-in. If the administrator chooses to link a knock sequence to an activity such as running a shell script, other changes such as implementing additional firewall rules to open ports for specific IP addresses can easily be incorporated into the script. Simultaneous sessions are easily accommodated.

By using strategies such as dynamic sequence length and a pool of lengths, the probability of guessing a knock sequence can be reduced to near zero.[7]

In addition to mitigating brute force password attacks and the growth in logs that such attacks produce on the service daemon, port knocking also reduces exposure to protocol vulnerability exploits. If an exploit were discovered that could compromise a daemon in its default configuration, port knocking on the listening port reduces the possibility of compromise until the software or process is updated: authorised users continue to be served once they provide the correct knock sequence, while random access attempts are ignored.

Port knocking should only be viewed as part of an overall network defense strategy providing protection against random and targeted attacks, not as a complete standalone solution.

Network security professionals have largely ignored port knocking as a solution in the past, since early implementations relied solely on providing the correct port combination to gain access. Modern port knock systems incorporate features such as secure cryptographic hashes, blacklists, whitelists and dynamic attack responses to further increase system capability. Port knocking is an effective means of maximizing server resources on internet-facing networks.[citation needed]

Properly implemented port knocking does not lower the overall security of a system. It is an effective measure that provides an additional layer of security with minimal server resource overhead. At worst, systems such as port knocking introduce new security issues through poor implementation, or expose ambivalent administration attitudes through situations such as risk compensation.[citation needed]

Disadvantages

Port knocking is totally dependent on the robustness of the port knocking daemon. If the daemon fails, port access is denied to all users; from a usability and security perspective this is an undesirable single point of failure. Modern port knocking implementations mitigate this by providing a process-monitoring daemon that restarts a failed or stalled port knocking daemon process.

Systems that do not use cryptographic hashes are vulnerable to IP address spoofing attacks. These attacks, a form of denial of service, turn the port knocking functionality against known IP addresses (e.g. administrator management stations) by sending packets with that spoofed source address to random ports, so that the daemon resets or, where attempt limiting and blacklists are in use, locks out the legitimate address. Servers using static addressing are especially vulnerable to this type of denial of service as their addresses are well known.

Port knocking can be problematic on networks exhibiting high latency. It depends on the knock packets arriving in the correct order, but the knocks are independent packets (often to different ports) rather than segments of a single TCP stream, so the network offers no ordering guarantee and reordering looks to the daemon like a failed sequence. In these situations the only solution is for the client to keep resending the correct sequence periodically until the server acts on it.

Port knocking cannot be used as the sole authentication mechanism for a server. From a security perspective, simple port knocking relies on security through obscurity; unintended publication of the knock sequence implies compromise of all devices supporting that sequence. Furthermore, unencrypted port knocking is vulnerable to packet sniffing: a network trace of suitable length reveals the correct knock sequence from a single IP address and thus provides a mechanism for unauthorised access to the server and, by extension, the attached network. Once a device is compromised, its log files are a source of other valid knock sequences, revealing another point of failure. Solutions such as treating each knock sequence as a one-time password defeat the aim of simplified administration. In practice, port knocking must be combined with other forms of authentication that are not vulnerable to replay or man-in-the-middle attacks for the whole system to be effective.

References

  1. Michael Rash (2004). "Combining Port Knocking and Passive OS Fingerprinting with fwknop".
  2. Michael Rash (2006). "Single Packet Authorization with Fwknop".
  3. Michael Rash (2007). "Protecting SSH Servers with Single Packet Authorization".
  4. Moxie Marlinspike (2009). "Using knockknock for Single Packet Authorization".
  5. "PortKnocking - Community Help Wiki". help.ubuntu.com. Retrieved 2023-07-08.
  6. Justin Ellingwood (2014-01-17). "How To Configure Port Knocking Using Only Iptables on an Ubuntu VPS". digitalocean.com. Retrieved 2016-04-24.
  7. Shiraz, Muhammad; Boroumand, Laleh; Gani, Abdullah; Khan, Suleman (2019-10-29). "An Improved Port Knocking Authentication Framework for Mobile Cloud Computing". Malaysian Journal of Computer Science. 32 (4): 269–283. doi:10.22452/mjcs.vol32no4.2. ISSN 0127-9084.