Difference between revisions of "Portknocking"
Latest revision as of 11:31, 10 September 2013
Introduction
ASL 4 introduces the simple and advanced portknocking engines to the ASL security suite.
Portknocking is a method of externally opening closed ports on a firewall by generating a connection attempt using either a set of prespecified closed ports, or by sending special packets to the firewall. ASL 4 supports both methods.
For example: if port 22 is not open on your system, but you want it opened only for your IP address and only while you need it, port knocking lets you do that. You can also use port knocking when a port is already open to a fixed set of IPs but you need to grant temporary access from dynamic IPs without adding each of them to your allow lists.
Enabling
To use the portknocking engine you will need to enable portknocking in ASL. Please see this option to enable the engine:
https://www.atomicorp.com/wiki/index.php/ASL_firewall#FW_PORTKNOCK
And then follow the instructions in this document to configure portknocking for your system.
Modes
ASL has two modes for portknocking, "simple" and "advanced". You can use either, or both at the same time. You cannot, however, use both methods to protect the same port.
Simple
The simple, or "classic", mode lets you define a series of "knock" ports that must be connected to via TCP to open a closed port. For example, you can keep port 22 closed and have it opened by connecting to ports 1, 2, 3, 4 and 5, in that order, via TCP. You can use either a portknocking client or telnet to "knock" on the ports.
Advanced
The advanced mode sends a One Time Password to a special port to open a closed port. This helps to prevent replay attacks against the "classic" method: with a fixed knock sequence, an attacker who observes the sequence with a sniffer can repeat it and open the port too.
Configuration
Once port knocking is enabled, as described above, you need to configure the ports to protect, the knock ports, and optionally the open and close secrets used to generate the One Time Password.
Simple mode
Step 1) Enable the portknocking engine:
https://www.atomicorp.com/wiki/index.php/ASL_firewall#FW_PORTKNOCK
Step 2) Enable Simple portknocking
https://www.atomicorp.com/wiki/index.php/ASL_firewall#FW_PORTKNOCK_SIMPLE
Step 3)
Create this file:
/etc/asl/firewall/simple-portknock-list
The format for the file is provided below:
port_to_be_protected:knock_port1,knock_port2,etc,knockportN
A single line for each port. For example:
22:1,2,3,4,5
23:7,8,9,10,11
The port number list gives the ports that must be "knocked" and the order in which the knocks must occur. In the example above the sequence for port 22 is 1,2,3,4,5. If you were to connect out of sequence, say 1,2,5,3,4, the knock would not be recognized. Think of this as a "combination lock" for the port: the order matters as much as the ports themselves.
Step 4) Implement the new firewall rules
Run this command as root:
asl -s -f
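To make the "combination lock" behaviour concrete, here is an added example (not ASL's own code) of a per-source state machine that replays constructed connection attempts against the rules from the simple-portknock-list example above; the source IPs and the traffic are constructed for the demonstration.

```python
# Added example (not ASL's own code): a per-source state machine that shows
# what the simple mode's "combination lock" means. RULES is the parsed form
# of the simple-portknock-list example above; the attempts are constructed.

def replay(rules, attempts):
    """rules: {protected_port: [knock ports in order]}
    attempts: (source_ip, dst_port) pairs in arrival order.

    Returns the set of (source_ip, protected_port) pairs whose knock
    sequence was completed in order. A knock port hit out of turn resets
    that source's progress, so 1,2,5,3,4 never opens port 22.
    """
    progress = {}            # (src, protected) -> knocks matched so far
    opened = set()
    for src, dport in attempts:
        for protected, seq in rules.items():
            if dport not in seq:
                continue     # not one of this rule's knock ports; ignored
            key = (src, protected)
            n = progress.get(key, 0)
            if dport == seq[n]:
                n += 1                           # next expected knock
            else:
                n = 1 if dport == seq[0] else 0  # wrong turn: start over
            if n == len(seq):
                opened.add(key)                  # full sequence seen
                n = 0
            progress[key] = n
    return opened

# Same rules as the example file above (22:1,2,3,4,5 and 23:7,8,9,10,11).
RULES = {22: [1, 2, 3, 4, 5], 23: [7, 8, 9, 10, 11]}

# Constructed traffic: 10.0.0.5 knocks in order, 10.0.0.9 sends 1,2,5,3,4.
ATTEMPTS = [("10.0.0.5", p) for p in (1, 2, 3, 4, 5)] + \
           [("10.0.0.9", p) for p in (1, 2, 5, 3, 4)]

if __name__ == "__main__":
    print(replay(RULES, ATTEMPTS))   # {('10.0.0.5', 22)}
```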
Advanced mode
Step 1) Enable the portknocking engine:
https://www.atomicorp.com/wiki/index.php/ASL_firewall#FW_PORTKNOCK
Step 2) Enable advanced portknocking:
https://www.atomicorp.com/wiki/index.php/ASL_firewall#FW_PORTKNOCK_ADVANCED
Step 3)
Create this file:
/etc/asl/firewall/advanced-portknock-list
The format for the file is provided below:
port_to_be_protected,knock_port,open_secret,close_secret
A single line for each port. For example:
22,2000,hipjazz,superawesome
23,2001,elite,october
Step 4) Implement the new firewall rules
Run this command as root:
asl -s -f
Note: The simple and advanced formats are delimited differently, on purpose, to help prevent accidentally mixing the two files up. They are not compatible with each other.
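The following is an added example (not ASL's own code) of a sanity check for the two list files: it parses each file in its own format and reports a line written in the other file's delimiter style, as well as a port that appears in both files, which the text above says is not allowed. The file contents are constructed.

```python
# Added example (not ASL's own code): sanity checks for the two list files.
# simple-portknock-list uses ':' then ',' and advanced-portknock-list uses
# ',' only; this catches the two mistakes the note above warns about: a
# line written in the other file's format, and one port listed in both.

def parse_simple(text):
    """'port:k1,k2,...' lines -> {port: [knocks]}, plus error strings."""
    rules, errors = {}, []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        port, _, knocks = line.partition(":")
        if not port.isdigit() or not all(k.isdigit() for k in knocks.split(",")):
            errors.append(f"simple line {no}: not 'port:knock,...' ({line})")
            continue
        rules[int(port)] = [int(k) for k in knocks.split(",")]
    return rules, errors

def parse_advanced(text):
    """'port,knock,open,close' lines -> {port: (knock, open, close)}."""
    rules, errors = {}, []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        f = line.split(",")
        if ":" in line or len(f) != 4 or not (f[0].isdigit() and f[1].isdigit()):
            errors.append(f"advanced line {no}: not 'port,knock,open,close' ({line})")
            continue
        rules[int(f[0])] = (int(f[1]), f[2], f[3])
    return rules, errors

def check(simple_text, advanced_text):
    """Return a list of problems; an empty list means the files are consistent."""
    simple, errors = parse_simple(simple_text)
    advanced, more = parse_advanced(advanced_text)
    errors += more
    for port in sorted(set(simple) & set(advanced)):
        errors.append(f"port {port} is protected in both files; use one mode only")
    return errors

# Constructed inputs: an advanced-format line pasted into the simple file,
# and port 22 protected by both modes.
SIMPLE_LIST = "22:1,2,3,4,5\n23,2001,elite,october\n"
ADVANCED_LIST = "22,2000,hipjazz,superawesome\n"

if __name__ == "__main__":
    for problem in check(SIMPLE_LIST, ADVANCED_LIST):
        print(problem)
```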
Using
Once portknocking is enabled and configured, you can start using it. Each time you want to connect to a port that you have protected with portknocking, you first need to send the "knock" sequence. This section describes how to do that.
Simple Mode
Let's say you configured ASL to protect port 22 and to allow access to it only after you connect to ports 2002, 2001 and then 2004, in that order. You can do this with a simple tool like telnet. Keep in mind that the telnet connection will not complete, because nothing is listening on those ports; all you need is for the initial connection attempt to occur. Then kill the telnet and start the next one. For example:
$ telnet yourserver 2002 # first knock
$ telnet yourserver 2001
$ telnet yourserver 2004 # last knock
$ ssh user@yourserver
Advanced mode
ASL includes an advanced portknocking client that works on systems with bash and python-crypto installed.
Step 1)
The clocks on your client and on your server must be synchronized. The advanced knock uses the time as part of the One Time Password. OTPs are only good for 60 seconds, so time synchronization is vital for your OTP to be accepted.
If your server is not already synchronized by a well-configured NTP daemon, you can use the rdate command. As root, run these commands:
rdate time-a.nist.gov
/sbin/hwclock --systohc
Step 2)
Open the port with your open knock secret.
On the client, run the knocking tool like this:
knock.sh <dst> <PORT dst> <open_secret>
Example:
knock.sh 192.168.0.1 2000 your_opensecret
Step 3)
Connect to the port.
Step 4)
Close the port.
knock.sh <dst> <PORT dst> <close_secret>
Example:
knock.sh 192.168.0.1 2000 your_closesecret
Troubleshooting
Simple Mode
Advanced Mode
Remember that these are One Time Passwords, so you cannot reuse the same HMAC; because the OTP is derived from epoch_min, you can knock at most once per minute.
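To illustrate the two properties described above (a knock is valid only within its minute, and the same HMAC is never accepted twice), here is an added example that is not ASL's knock.sh or its server-side code. The construction, HMAC-SHA256 over the current epoch_min keyed with the open or close secret, is an assumption made for this demonstration, as are the secrets and timestamps.

```python
# Added example (not ASL's knock.sh or its server side). The OTP
# construction, HMAC-SHA256 of str(epoch_min) under the knock secret, is
# an assumption for illustration only; the secrets and timestamps below
# are constructed. It demonstrates the 60-second window and the
# once-only acceptance that defeats replay of a sniffed knock.
import hashlib
import hmac

WINDOW_SECONDS = 60

def epoch_min(now):
    """Minute counter the OTP is bound to (why clocks must be in sync)."""
    return int(now) // WINDOW_SECONDS

def make_otp(secret, now):
    """Client side: hex HMAC of the current minute under the knock secret."""
    msg = str(epoch_min(now)).encode()
    return hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()

class Verifier:
    """Server side: maps a received OTP to 'open', 'close' or None."""

    def __init__(self, open_secret, close_secret):
        self.secrets = {"open": open_secret, "close": close_secret}
        self.seen = {}   # otp -> epoch_min it was accepted in

    def verify(self, otp, now):
        cur = epoch_min(now)
        # Forget OTPs from earlier minutes; they can no longer validate anyway.
        self.seen = {o: m for o, m in self.seen.items() if m == cur}
        if otp in self.seen:
            return None                  # replay of an already-used knock
        for action, secret in self.secrets.items():
            if hmac.compare_digest(otp, make_otp(secret, now)):
                self.seen[otp] = cur     # accept this hmac exactly once
                return action
        return None                      # wrong secret or wrong minute

# Constructed timeline: T0 is on a minute boundary (T0 % 60 == 0).
T0 = 1378812660
VERIFIER = Verifier("hipjazz", "superawesome")   # secrets from the example above

if __name__ == "__main__":
    knock = make_otp("hipjazz", T0)
    print(VERIFIER.verify(knock, T0 + 5))    # open
    print(VERIFIER.verify(knock, T0 + 10))   # None (replayed within the minute)
    print(VERIFIER.verify(knock, T0 + 120))  # None (expired)
```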