Difference between revisions of "Portknocking"

From Atomicorp Wiki
Revision as of 18:35, 4 September 2013


Introduction

ASL 4 introduces the simple and advanced portknocking engines to the ASL security suite.

Portknocking is a method of externally opening closed ports on a firewall by generating a connection attempt using either a set of prespecified closed ports, or by sending special packets to the firewall. ASL 4 supports both methods.

For example:

If you did not have port 22 open on your system, but wanted to open it only for your IP and only when you wanted it open, you could use port knocking to accomplish this. You can also use portknocking if a port is already open only to specific IPs, but you need to provide temporary access from dynamic IPs and don't want to add those IPs to your allowed lists.

Enabling

To use the portknocking engine you will need to enable portknocking in ASL. Please see this option to enable the engine:

https://www.atomicorp.com/wiki/index.php/ASL_firewall#FW_PORTKNOCK

And then follow the instructions in this document to configure portknocking for your system.

Modes

ASL has two modes for portknocking, the "simple" and "advanced" modes. You can use either, or both at the same time. You cannot, however, use both modes to protect the same port.

Simple

The simple mode, or "classic" mode, allows you to define a series of "knock" ports that must be connected to via TCP to open a closed port. For example, you can keep port 22 closed and open it by connecting to ports 1, 2, 3, 4 and 5 via TCP. You can use either a portknocking client or telnet to "knock" on the ports.

Advanced

The advanced mode allows you to send a One Time Password on a special port to open a closed port. This helps prevent replay attacks against the "classic" port knocking method, where an attacker who could observe your knock sequence with a sniffer could repeat the sequence and open the port themselves.

Configuration

Once you have port knocking enabled, as described above, you will need to configure the ports to protect, the knock ports, and optionally the open and close secrets that will be used to generate the One Time Password.

Simple mode

Step 1) Enable the portknocking engine:

https://www.atomicorp.com/wiki/index.php/ASL_firewall#FW_PORTKNOCK

Step 2) Enable simple portknocking:

https://www.atomicorp.com/wiki/index.php/ASL_firewall#FW_PORTKNOCK_SIMPLE

Step 3)

Create this file:

/etc/asl/firewall/simple-portknock-list

The format for the file is provided below:

port_to_be_protected:knock_port1,knock_port2,...,knock_portN

A single line for each port. For example:

22:1,2,3,4,5
23:7,8,9,10,11

Step 4) Implement the new firewall rules

Run this command as root:

asl -s -f

Advanced mode

Step 1) Enable the portknocking engine:

https://www.atomicorp.com/wiki/index.php/ASL_firewall#FW_PORTKNOCK

Step 2) Enable advanced portknocking:

https://www.atomicorp.com/wiki/index.php/ASL_firewall#FW_PORTKNOCK_ADVANCED

Step 3)

Create this file:

/etc/asl/firewall/advanced-portknock-list

The format for the file is provided below:

port_to_be_protected,knock_port,open_secret,close_secret

A single line for each port. For example:

22,2000,hipjazz,superawesome
23,2001,elite,october

Step 4) Implement the new firewall rules

Run this command as root:

asl -s -f

Note: The simple and advanced formats are delimited differently, on purpose, to help prevent accidentally mixing the two files up. They are not compatible with each other.
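Because the two list files use different delimiters and must never protect the same port, it is worth checking both files before running asl -s -f. The following validator is an added example written for this page; it is not part of ASL and not code from Atomicorp. It assumes only the two line formats quoted above (colon-and-comma for simple, all-comma for advanced), that blank lines may be skipped, and that the page's rule against protecting one port in both modes is what the conflicts check should enforce. The sample file contents are constructed from the page's own examples; note that, taken together as written, those two samples protect ports 22 and 23 in both modes, which the page says is not allowed. The knock() helper performs the classic TCP knock sequence the page says telnet or a knocking client does; it is not an ASL API.

```python
"""Validate ASL port-knocking list files before applying them with `asl -s -f`.

Added example for the ASL portknocking wiki page; not ASL's own code.
Assumed formats (from the page):
  simple-portknock-list:   port_to_be_protected:knock_port1,knock_port2,...
  advanced-portknock-list: port_to_be_protected,knock_port,open_secret,close_secret
"""
import socket
from typing import Dict, List, Tuple

# Constructed sample contents, copied from the page's two examples.
SIMPLE_SAMPLE = "22:1,2,3,4,5\n23:7,8,9,10,11\n"
ADVANCED_SAMPLE = "22,2000,hipjazz,superawesome\n23,2001,elite,october\n"


def _port(text: str, where: str) -> int:
    """Parse one TCP port number, rejecting anything outside 1-65535."""
    try:
        port = int(text.strip())
    except ValueError:
        raise ValueError(f"{where}: {text!r} is not a port number") from None
    if not 1 <= port <= 65535:
        raise ValueError(f"{where}: port {port} is out of range")
    return port


def parse_simple(text: str) -> Dict[int, List[int]]:
    """Map each protected port to its ordered knock ports (simple mode)."""
    rules: Dict[int, List[int]] = {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:  # assumption: blank lines are harmless and skipped
            continue
        if ":" not in line:
            raise ValueError(f"simple line {n}: expected 'port:knock1,knock2,...'")
        left, right = line.split(":", 1)
        protected = _port(left, f"simple line {n}")
        knocks = [_port(k, f"simple line {n}") for k in right.split(",")]
        if protected in rules:
            raise ValueError(f"simple line {n}: port {protected} listed twice")
        if protected in knocks:
            raise ValueError(f"simple line {n}: protected port used as a knock port")
        rules[protected] = knocks
    return rules


def parse_advanced(text: str) -> Dict[int, Tuple[int, str, str]]:
    """Map each protected port to (knock port, open secret, close secret)."""
    rules: Dict[int, Tuple[int, str, str]] = {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        fields = line.split(",")
        if len(fields) != 4:
            raise ValueError(f"advanced line {n}: expected 4 comma-separated fields")
        protected = _port(fields[0], f"advanced line {n}")
        knock_port = _port(fields[1], f"advanced line {n}")
        open_secret, close_secret = fields[2].strip(), fields[3].strip()
        if knock_port == protected:
            raise ValueError(f"advanced line {n}: knock port equals protected port")
        if not open_secret or not close_secret:
            raise ValueError(f"advanced line {n}: empty secret")
        if open_secret == close_secret:
            raise ValueError(f"advanced line {n}: open and close secrets must differ")
        if protected in rules:
            raise ValueError(f"advanced line {n}: port {protected} listed twice")
        rules[protected] = (knock_port, open_secret, close_secret)
    return rules


def conflicts(simple: Dict[int, List[int]],
              advanced: Dict[int, Tuple[int, str, str]]) -> List[int]:
    """Ports present in both files; the page says one port cannot use both modes."""
    return sorted(set(simple) & set(advanced))


def knock(host: str, ports: List[int], timeout: float = 1.0) -> List[int]:
    """Send a classic knock: one TCP connection attempt per port, in sequence.

    The knock ports are expected to be closed, so a refused or timed-out
    connection is the normal outcome; the attempt itself is the knock.
    Returns the ports that were attempted.
    """
    attempted: List[int] = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            try:
                sock.connect((host, port))
            except OSError:
                pass
        attempted.append(port)
    return attempted


if __name__ == "__main__":
    simple = parse_simple(SIMPLE_SAMPLE)
    advanced = parse_advanced(ADVANCED_SAMPLE)
    print("simple:", simple)
    print("advanced:", advanced)
    print("ports protected in both modes (not allowed):", conflicts(simple, advanced))
```

Run it against the real files by reading /etc/asl/firewall/simple-portknock-list and /etc/asl/firewall/advanced-portknock-list into parse_simple and parse_advanced; an empty list from conflicts, and no ValueError from either parser, is the precondition for applying the rules with asl -s -f. The knock helper takes the knock list straight from the parsed simple rules, for example knock("knockhost.example", simple[22]).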
