Highland Linux User Group

Linux Community
 Post subject: Port knocking and concept
PostPosted: Mon May 10, 2010 11:53 pm 
Moderator

Joined: Tue Oct 03, 2006 12:27 pm
Posts: 162
Location: Inverness UK
definition

Broadly, port knocking (PK on wikipedia) is a form of host-to-host communication in which information flows across closed ports. There are various variants of the port knocking method - information may be encoded into a port sequence or a packet-payload. In general, data are transmitted to closed ports and received by a monitoring daemon which intercepts the information without sending a receipt to the sender.

Recently a physical knock detecting device that does to the door what port knock does to your server has been reported. This knock detector is mounted on the inside of a door and listens to ... you guessed it, secret knocks. Once a knock is detected, the device unlocks the door.

In one instance, port knocking refers to a method of communication between two computers (arbitrarily named here client and server) in which information is encoded, and possibly encrypted, into a sequence of port numbers. This sequence is termed the knock. Initially, the server presents no open ports to the public and is monitoring all connection attempts. The client initiates connection attempts to the server by sending SYN packets to the ports specified in the knock. This process of knocking is what gives port knocking its name. The server offers no response to the client during the knocking phase, as it "silently" processes the port sequence. When the server decodes a valid knock it triggers a server-side process.
port knocking in 4 easy steps
step 1 | (A) client cannot connect to application listening on port n; (B) client cannot establish connection to any port
step 2 | (1,2,3,4) client connects to a well-defined set of ports in a sequence that contains an encrypted message by sending SYN packets; client has a priori knowledge of the port knocking daemon and its configuration, but receives no acknowledgement during this phase because firewall rules preclude any response
step 3 | (A) server process (a port knocking daemon) intercepts connection attempts and interprets (decrypts and decodes) them as comprising an authentic "port knock"; server carries out specific task based on content of port knock, such as opening port n to client
step 4 | (A) client connects to port n and authenticates using application's regular mechanism
The definition of a valid knock is arbitrary, and up to the implementer. The server-side process is also arbitrary, and up to the implementer. The trigger may result in dynamic modification of firewall rules or other administrative system events. Encoding and encrypting information into a series of ports and sending information using SYN packets is one of the simplest forms of port knocking. A variety of implementations extend this scheme.
Brief

Port knocking is a method of establishing a connection to a networked computer that has no open ports. Before a connection is established, ports are opened using a port knock sequence, which is a series of connection attempts to closed ports. A remote host generates and sends an authentic knock sequence in order to manipulate the server's firewall rules to open one or more specific ports. These manipulations are mediated by a port knock daemon, running on the server, which monitors the firewall log file for connection attempts which can be translated into authentic knock sequences. Once the desired ports are opened, the remote host can establish a connection and begin a session. Another knock sequence may be used to trigger the closing of the port.
Applicability

Port knocking is a suitable form of hardening hosts that house users who require continual access to services and data from any location and that are not running public services, such as SMTP or HTTP. Port knocking is used to keep all ports closed to public traffic while flexibly opening and closing ports to traffic from users who have authenticated themselves with a knock sequence. This on-demand IP-based filtering, which is triggered by a remote user, can offer the advantages of IP-based filtering without the limitation usually associated with maintaining IP rules. Port knocking cannot be used to protect public services - such protection cannot be effective if the knock sequence, or a method to generate it, is made public.

Port knocking can be used whenever there is a need to transfer information across closed ports. The port knock daemon can be implemented to respond in any suitable way to an authentic port knock. The knock may be used to communicate the knock information silently and/or to trigger an action. This is a form of IP over closed ports.

The simplest implementation of port knocking uses a log file to interface with the firewall software. This simple approach makes port knocking highly accessible for home users who would like to harden their *NIX systems. One of the strong advantages of port knocking is that the protected services do not require any modification. Port knocking is easy to set up and presents no performance issues when dealing with a modest number of incoming connections.
Limitations

Port knocking as described here is one implementation of a more general idea. It is not necessary for the firewall log file to be involved in the process. A robust implementation interfaces with the server's IP stack more closely. Nor is it strictly necessary for the knocks to come as a series of connection attempts. For example, the knock may be encapsulated in the data payload of a single packet that is sent to a closed port.

There will be situations in which port knocking is ideally suitable, such as remote administration provided by a latent, on-demand SSH service. In other cases port knocking is not the right answer.
Efforts by Others

I'm not the first one with the idea of using closed ports to enhance security. I list other prior-art projects, such as cd00r and SAdoor, and current implementations of port knocking (Implementations).
Citing

When citing port knocking, please use

* Krzywinski, M. 2003. Port Knocking: Network Authentication Across Closed Ports. SysAdmin Magazine 12: 12-17.

I try to maintain a list of port knocking articles and presentations.

source: http://www.portknocking.org/

_________________
Computers are like air conditioners, They stop working properly when you open Windows!
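The log-driven daemon the post describes under "Brief" (a process that watches the firewall's DENY lines and turns a recognised sequence into an open or close action), written out as an added example in Python; it is not code from the original post or from portknocking.org. The two sequences, the 10-second window, the addresses 192.0.2.1, 203.0.113.7 and 198.51.100.9 and every log line are constructed for this example, with the line format modelled on ipchains "Packet log: input DENY" entries; the daemon returns the ipchains command it would run rather than executing anything.

```python
"""Log-driven port-knock daemon for a fixed open/close sequence (added example)."""
import re
from collections import defaultdict
from datetime import datetime

FIREWALL = "192.0.2.1"              # protected host (constructed address)
OPEN_KNOCK = (102, 100, 100, 103)   # sequence that opens tcp/22 to the knocker
CLOSE_KNOCK = (103, 100, 100, 102)  # sequence that closes it again
KNOCK_WINDOW = 10                   # seconds allowed for a complete sequence

# Regex for an ipchains-style log line. This is an assumption modelled on
# the post's abbreviated "input DENY ... CLIENT:port FIREWALL:port" lines.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) .*input DENY .*?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)"
)


def parse_line(line, year=2010):
    """Return (timestamp, source ip, destination port), or None for other lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["src"], int(m["dport"])


def firewall_command(action, src):
    """The ipchains rule the daemon would run (returned as text, not executed)."""
    flag = "-I" if action == "open" else "-D"
    return f"ipchains {flag} input -p tcp -s {src}/32 -d {FIREWALL}/32 22 -j ACCEPT"


class KnockDaemon:
    def __init__(self, window=KNOCK_WINDOW):
        self.seqs = {"open": OPEN_KNOCK, "close": CLOSE_KNOCK}
        self.window = window
        self.history = defaultdict(list)   # source ip -> [(ts, dport), ...]
        self.actions = []                  # commands produced so far, in order

    def feed(self, line):
        """Consume one log line; return a firewall command when a knock completes."""
        rec = parse_line(line)
        if rec is None:
            return None
        ts, src, dport = rec
        hist = self.history[src]
        # Expire knocks older than the window so a stale partial sequence
        # cannot be completed much later.
        hist[:] = [(t, p) for t, p in hist if (ts - t).total_seconds() <= self.window]
        hist.append((ts, dport))
        ports = tuple(p for _, p in hist)
        # Strict matching: the knocks seen so far must be a prefix of a known
        # sequence; any other port aborts the attempt (and may start a new one).
        if not any(seq[:len(ports)] == ports for seq in self.seqs.values()):
            starts = any(seq[0] == dport for seq in self.seqs.values())
            hist[:] = [(ts, dport)] if starts else []
            ports = tuple(p for _, p in hist)
        for action, seq in self.seqs.items():
            if ports == seq:
                hist.clear()
                cmd = firewall_command(action, src)
                self.actions.append(cmd)
                return cmd
        return None


def make_line(clock, src, dport, sport=64137):
    """Build a constructed ipchains-style log line for the sample below."""
    return (f"Feb 12 {clock} gw kernel: Packet log: input DENY eth0 PROTO=6 "
            f"{src}:{sport} {FIREWALL}:{dport} L=60 S=0x00 I=1 F=0x4000 T=64 SYN (#1)")


# Constructed sample log: a valid open and a valid close from 203.0.113.7,
# plus stray knocks from 198.51.100.9 that never form a sequence.
SAMPLE_LOG = [
    make_line("00:13:26", "203.0.113.7", 102),
    make_line("00:13:27", "203.0.113.7", 100),
    make_line("00:13:27", "198.51.100.9", 102),
    make_line("00:13:27", "203.0.113.7", 100),
    make_line("00:13:28", "203.0.113.7", 103),
    make_line("00:14:02", "203.0.113.7", 103),
    make_line("00:14:02", "203.0.113.7", 100),
    make_line("00:14:03", "203.0.113.7", 100),
    make_line("00:14:03", "203.0.113.7", 102),
    make_line("00:15:00", "198.51.100.9", 100),
]


def run(lines):
    """Feed a whole log to a fresh daemon and return the commands it produced."""
    daemon = KnockDaemon()
    for line in lines:
        daemon.feed(line)
    return daemon.actions


if __name__ == "__main__":
    for cmd in run(SAMPLE_LOG):
        print(cmd)
```

Against a live system the loop would tail the firewall log and call feed() per line. Two behaviours are worth noting: a port that does not continue a known sequence aborts the attempt, and knocks older than the window are discarded, so the sequence must arrive in order and promptly; both limit how far a slow scan of the knock range can get by accident.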


 Post subject: Re: Port knocking and concept
PostPosted: Mon May 10, 2010 11:55 pm 
Moderator

Joined: Tue Oct 03, 2006 12:27 pm
Posts: 162
Location: Inverness UK
application

This section provides some examples of how port knocking can be used to increase the security of a hypothetical networked host. Try using the Knocking Lab to construct your own port knocks. The main strength of port knocking is the facility to close all ports to all incoming IP addresses, while maintaining a mechanism of establishing a connection using a proper knock sequence. Risks associated with application vulnerabilities are mitigated if ports remain closed and are opened only by legitimate users. Many of the examples below are taken from the article in SysAdmin magazine (June, 2003).
opening ssh (tcp/22) with a simple knock sequence

Suppose you have a networked system and you need to connect using ssh. Telnet has finally become taboo, and the use of ssh is widespread. Since ssh can itself provide a tunnel for various ports, it is sufficient to use this single application for user sessions.

If you have a host which is not running any public network service (mail, web, etc) you can maximally protect this host by closing all privileged and all well-known ports. To close these ports using IPCHAINS, the following commands need to be issued.

Code:
# append to the input chain; the port range belongs to -d (the destination),
# -p is the protocol. -l logs the first rule's matches; DENY drops silently.
ipchains -A input -p tcp -s 0/0 -d FIREWALL/32 0:1023 -j DENY -l
ipchains -A input -p tcp -s 0/0 -d FIREWALL/32 1024:49151 -j DENY


This will cause ports 0-1023 to refuse any TCP connections, without sending ICMP error packets back to the client. The IP of the networked host is FIREWALL. Each connection attempt will be logged. If someone from IP address CLIENT attempts to connect to FIREWALL the log file will show entries such as

Code:
Feb 12 00:13:26 ... input DENY ... CLIENT:64137 FIREWALL:102 ...
Feb 12 00:13:27 ... input DENY ... CLIENT:64138 FIREWALL:100 ...
Feb 12 00:13:27 ... input DENY ... CLIENT:64139 FIREWALL:100 ...
Feb 12 00:13:28 ... input DENY ... CLIENT:64140 FIREWALL:103 ...

A daemon monitoring the log file can detect these connection attempts to ports 102, 100, 100, 103 from the same IP address. This particular port sequence could trigger the daemon to open port ssh (tcp/22). The daemon would execute the following command

Code:
ipchains -I input -p tcp -s CLIENT/32 -d FIREWALL/32 22 -j ACCEPT


Another sequence can be used to close the port. For example, 103, 100, 100, 102 could be used to trigger the deletion of the rule that was dynamically created to allow CLIENT to connect.

Code:
ipchains -D input -p tcp -s CLIENT/32 -d FIREWALL/32 22 -j ACCEPT


In this example, a remote user has opened port ssh (tcp/22) to IP address CLIENT by making TCP connections to ports 102, 100, 100, 103 and subsequently closed the ssh (tcp/22) port to their IP by knocking on ports 103, 100, 100, 102.
Encrypted Port Knocks

The 4-port knocks in the previous example provided limited protection against packet sniffing, since the knock was independent of the connecting IP address. Anyone on the network looking at packets could reconstruct the sequence and use it to gain access to the ssh (tcp/22) port. In order to reduce the risk of the knock being deconstructed and gainfully executed by a third-party, it should contain the client IP address and be encrypted.

For example, the knock could be comprised of the following

Code:
IPb1, IPb2, IPb3, IPb4, PORT, TIME, CHECKSUM

where IPbx is the x-th byte of the IP address to which port PORT will be opened for TIME minutes. Using the IP address in the knock allows you to open the port to an arbitrary IP address, not just the one initiating the knock. For example, to open port ssh (tcp/22) for 15 minutes for the IP address 142.103.205.1 the knock would be comprised of
Code:
142, 103, 205, 1, 22, 15, 233


The final CHECKSUM field provides validation of a proper knock sequence and can be defined as

Quote:
CHECKSUM = (IPb1+IPb2+...+TIME) mod 255


In the above example, the check sum is 488 mod 255 = 233. The 7 digits (in the range 0-255; thus, these are bytes or chars) making up the knock can be encrypted using some appropriate method (e.g. DES, Blowfish, RSA), or a one time pad for maximum security. I'll talk about one time pads later. The client would carry out the following steps
Quote:
encrypt(KNOCK) = KNOCK_ENCRYPTED
encode(KNOCK_ENCRYPTED) = KNOCK_ENCRYPTED_ENCODED


where the encode(KNOCK) step would be done to map the encrypted knock onto a range of ports (e.g. 255 ports in the range 745-1000). If the knock is comprised solely of values in the range 0-255 and the encoding is into unsigned chars (0-255) then the length of the encoded sequence is always the same. The port knock daemon monitoring the file would attempt to apply the process

Quote:
KNOCK_ENCRYPTED = decode(KNOCK_ENCRYPTED_ENCODED)
KNOCK = decrypt(KNOCK_ENCRYPTED)
OK = verify_checksum(KNOCK)

to every incoming sequence. If the sequence was malformed, the DECRYPT step would fail. If the sequence was successfully decrypted, the CHECKSUM would have to match in order for the sequence to be passed.
Encrypting with Perl

I'll show an example of using Perl to encrypt and decrypt a port knock sequence. The module Crypt::CBC is a very useful block-chaining cryptography module which acts as a proxy to the implementations of encryption algorithms like Crypt::IDEA, Crypt::Blowfish, etc. The implementations typically require that data be processed in same-sized chunks and the block-chaining module allows encryption of arbitrary strings. To try this code out you must have the Crypt::CBC and Crypt::XXX modules installed if you want to use the XXX encryption algorithm. These are available from CPAN.

The first thing to do is create a cipher object using Crypt::CBC. To create the cipher, a password is needed (e.g., "knock") and the name of the algorithm to encode the knock (e.g., Blowfish). In the act of encryption an IV (initialization vector) can be used to ensure that encrypting the same data will result in a different encrypted string. This is an important part of encryption. In this example, an IV vector is not used (prepend_iv=>0) to keep the knock sequence short.

Code:
use Crypt::CBC;
use List::Util qw(sum);   # sum() is used below to compute the checksum
# keyphrase for the encryption
use constant KEY => "knock";
# encryption algorithm
use constant CIPHER => "Blowfish";
# lowest port of the knock range: bytes 0-255 map onto ports 745-1000
use constant PORTMIN => 745;
# prepend_iv is the legacy Crypt::CBC option; current releases spell this
# choice (fixed IV, nothing prepended) as header => 'none'
my $cipher = Crypt::CBC->new({key        => KEY,
                              cipher     => CIPHER,
                              iv         => "01234567",
                              prepend_iv => 0});

Now that a cipher is prepared, a list of values can be encrypted. Let's use the list (142,103,205,1,22,15) as from the example above.

Code:
# create the knock payload array: IPb1..IPb4, PORT, TIME
my @data = (142,103,205,1,22,15);
# compute checksum and push it onto the data array
push(@data,sum(@data) % 255);
# @data = (142, 103, 205, 1, 22, 15, 233)
# pack the data into a string (assume array elements are unsigned chars);
# Blowfish has an 8-byte block, so the 7 bytes are padded to one 8-byte block
my $ciphertext = $cipher->encrypt(pack("C*",@data));
# unpack the ciphered data into unsigned chars
my @cipherpack = unpack("C*",$ciphertext);
# create the knock sequence by mapping to ports PORTMIN ... PORTMIN+255
my @knocks = map {PORTMIN+$_} @cipherpack;
# @knocks = (966, 914, 795, 964, 831, 862, 807, 932)


Decrypting the knock sequence requires the creation of a cipher and the knowledge of the proper password and algorithm. Given the encrypted knock sequence (966, 914, ..., 932), first the sequence is mapped back to the range 0-255 and then it is decrypted.

Code:
my @knocks_unmapped  = map {$_-PORTMIN} @knocks;
# @knocks_unmapped = (221, 169, 50, 219, 86, 117, 62, 187)
my $ciphertext       = pack("C*",@knocks_unmapped);
my @knocks_decrypted = unpack("C*",$cipher->decrypt($ciphertext));
# @knocks_decrypted = (142, 103, 205, 1, 22, 15, 233)


Encrypting 7 numbers produces an 8 digit knock sequence. Remember that initialization vector I talked about above? Let's implement an IV and see how it changes the knock sequence. In this case, the IV will be a random 4 digit number.
Code:
# random 4-digit IV (digits 1-9); the listed sequences were produced by an
# old Crypt::CBC that accepted an IV shorter than the cipher block size,
# current releases require an 8-byte IV for Blowfish
my $iv_vector = join("",map{1+int(rand(9))} (1..4));
# prepend_iv => 1 sends the "RandomIV" marker and the IV ahead of the
# ciphertext, which is what makes the sequences below 16+n knocks long
# (legacy option; header => 'randomiv' in current Crypt::CBC)
my $cipher = Crypt::CBC->new({key        => KEY,
                              cipher     => CIPHER,
                              iv         => $iv_vector,
                              prepend_iv => 1});


Given the same knock payload as before, (142, 103, 205, 1, 22, 15, 233), here are some encrypted knock sequences for various initialization vectors.

Code:
initialization vector: 9137
knock sequence [20 knocks]: 827 842 855 845 856 854 818 831 802 794
                            796 800 767 851 762 822 761 930 820 947

initialization vector: 7836
knock sequence [20 knocks]: 827 842 855 845 856 854 818 831 800 801
                            796 799 866 995 802 848 930 925 755 905

initialization vector: 1248
knock sequence [20 knocks]: 827 842 855 845 856 854 818 831 794 795
                            797 801 807 997 829 914 879 976 963 872


As promised, the encrypted sequence is different if different IV values are used. The use of an IV increases the size of the knock sequence to 16+n for an IV of length n (e.g., an 8 digit IV will create a 24 digit knock sequence).

Code:
initialization vector: 64999848
knock sequence [24 knocks]: 827 842 855 845 856 854 818 831 799 797
                            802 802 802 801 797 801 846 813 993 931
                            798 972 951 928

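The 7-field knock layout, its checksum, the mapping onto a port range and the daemon-side decode/verify procedure from the post above, as an added example in Python that is not part of the original post or of portknocking.org. It keeps the post's fields (IPb1..IPb4, PORT, TIME, CHECKSUM), its CHECKSUM = sum mod 255 rule and its 745-1000 port range, but replaces Blowfish-CBC with the one-time pad the post mentions (XOR with a shared 7-byte pad), because the Python standard library ships no Blowfish. SHARED_PAD, the 192.0.2.1 firewall address and all function names are assumptions made for this example.

```python
"""Encrypted, checksummed knock payload mapped onto a port range (added example)."""
from ipaddress import IPv4Address

PORTMIN = 745          # knocks land on ports 745..1000, as in the post
PAYLOAD_LEN = 7        # 4 address bytes + PORT + TIME + CHECKSUM

# Shared secret: a 7-byte pad known to client and daemon (constructed value).
# A one-time pad is only one-time if it is never reused, so a real daemon
# would consume a fresh pad per knock, e.g. from a pre-shared pad file.
SHARED_PAD = bytes([0x3c, 0xa5, 0x17, 0xe2, 0x6b, 0x90, 0x4d])


def checksum(fields):
    """CHECKSUM = (IPb1 + ... + TIME) mod 255, as defined in the post."""
    return sum(fields) % 255


def build_payload(ip, port, minutes):
    """Plaintext knock: address bytes, PORT, TIME, then the checksum byte."""
    if not (0 <= port <= 255 and 0 <= minutes <= 255):
        # the 7-byte layout gives PORT and TIME one byte each
        raise ValueError("PORT and TIME must fit in a byte")
    fields = list(IPv4Address(ip).packed) + [port, minutes]
    return bytes(fields + [checksum(fields)])


def xor_pad(data, pad):
    """One-time-pad encryption and decryption (the same operation both ways)."""
    if len(pad) != len(data):
        raise ValueError("pad length must equal payload length")
    return bytes(a ^ b for a, b in zip(data, pad))


def encode_ports(ciphertext):
    """Map each ciphertext byte onto a port in PORTMIN..PORTMIN+255."""
    return [PORTMIN + b for b in ciphertext]


def decode_ports(ports):
    """Inverse mapping; a port outside the knock range is malformed."""
    if any(not PORTMIN <= p <= PORTMIN + 255 for p in ports):
        raise ValueError("port outside knock range")
    return bytes(p - PORTMIN for p in ports)


def client_knock(ip, port, minutes, pad=SHARED_PAD):
    """Client side: the port sequence to SYN, in order."""
    return encode_ports(xor_pad(build_payload(ip, port, minutes), pad))


def daemon_verify(ports, pad=SHARED_PAD):
    """Daemon side: decode, decrypt, check length and checksum.

    Returns the decoded request, or None if the sequence must be ignored.
    """
    try:
        ciphertext = decode_ports(ports)
        if len(ciphertext) != PAYLOAD_LEN:
            return None
        plain = xor_pad(ciphertext, pad)
    except ValueError:
        return None
    body, chk = plain[:-1], plain[-1]
    if checksum(body) != chk:
        return None
    return {"ip": str(IPv4Address(bytes(body[:4]))),
            "port": body[4], "minutes": body[5]}


def firewall_rule(req, firewall="192.0.2.1"):
    """ipchains rule the daemon would install for a verified request (text only)."""
    return (f"ipchains -I input -p tcp -s {req['ip']}/32 -d {firewall}/32 "
            f"{req['port']} -j ACCEPT")


if __name__ == "__main__":
    seq = client_knock("142.103.205.1", 22, 15)
    print("knock:", seq)
    req = daemon_verify(seq)
    print("decoded:", req)
    print(firewall_rule(req), "(expire after", req["minutes"], "min)")
```

daemon_verify returns the address embedded in the knock, not the knocking host, so a sniffed sequence replayed from elsewhere opens the port for the original address, exactly as the post describes; the TIME field is what bounds that exposure. The additive checksum catches a malformed or mistyped sequence but is not an authenticator: under an XOR pad a changed ciphertext byte shifts exactly one plaintext field, and the checksum misses the change only when that byte goes from 0 to 255 or back.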
 Post subject: Re: Port knocking and concept
PostPosted: Thu May 13, 2010 7:30 pm 
Moderator

Joined: Tue Oct 03, 2006 12:27 pm
Posts: 162
Location: Inverness UK
I don't like the idea of port knocking very much, to be honest.

There are ways (much simpler ways) to open ports remotely, as I have described in other articles.
