In computer networking, port knocking is a method of externally opening ports on a firewall by generating connection attempts on a set of prespecified closed ports. Once a correct sequence of connection attempts is received, the firewall rules are dynamically modified to allow the host which sent the connection attempts to connect over a specific port. A variant called single packet authorization exists, where only a single "knock" is needed, consisting of an encrypted packet.
The primary purpose of port knocking is to prevent an attacker from scanning a system for potentially exploitable services by doing a port scan, because unless the attacker sends the correct knock sequence, the protected ports will appear closed.
Overview
Port knocking is usually implemented by configuring a daemon to watch the firewall log file for connection attempts to certain ports, and then to modify the firewall configuration accordingly. It can also be performed at the kernel level (using a kernel-level packet filter such as iptables) or by a userspace process examining packets at a higher level (using packet capture interfaces such as pcap), which allows already "open" TCP ports to be used within the knock sequence.
The port "knock" itself is similar to a secret handshake and can consist of any number of TCP, UDP or even ICMP and other protocol packets to numbered ports on the destination machine. The complexity of the knock can be anything from a simple ordered list (e.g. TCP port 1000, TCP port 2000, UDP port 3000) to a time-dependent, source-IP-based and other-factor-based encrypted hash.
A portknock daemon on the firewall machine listens for packets on certain ports (either via the firewall log or by packet capture). The client user carries an extra utility, which can be as simple as netcat or a modified ping program or as complex as a full hash generator, and uses it before attempting to connect to the machine in the usual way.
Most portknocks are stateful systems in that if the first part of the "knock" has been received successfully, an incorrect second part will not allow the remote user to continue and, indeed, will give the remote user no clue as to how far through the sequence they failed. Usually the only indication of failure is that, at the end of the knock sequence, the port expected to be open is not opened. No packets are sent to the remote user at any time.
Although this technique for securing access to remote network daemons has not yet been widely adopted by the security community, it has been actively used in many rootkits even before 2000.
Benefits
Defeating port knocking protection requires large-scale brute force attacks in order to discover even simple sequences. An anonymous brute force attack against a three-knock TCP sequence (e.g. port 1000, 2000, 3000) would require an attacker to test every three-port combination in the 1 to 65535 range and then scan each port between attempts to uncover any change in port access on the target system. Since port knocking is by definition stateful, the requested port would not open until the correct three-port sequence had been received in the correct order and without any other intervening packets from the source. The average case requires approximately 141 trillion (65535^3 / 2) packets to determine a correct three-port sequence. This technique, in combination with knock attempt limiting, longer or more complex sequences and cryptographic hashes, makes successful port access attempts extremely difficult.
Once a successful port knock sequence has been supplied to open a port, firewall rules generally open the port only to the IP address that supplied the correct knock, adding dynamic functionality to firewall behaviour. Instead of using a static IP whitelist preconfigured on the firewall, an authorized user situated anywhere in the world is able to open any necessary port without assistance from the server administrator. The system can also be configured to let the authenticated user manually close the port once the session has ended, or to close it automatically using a timeout mechanism. To establish a new session, the remote user is required to re-authenticate using the correct sequence.
The stateful behaviour of port knocking allows several users from different source IP addresses to be at varying stages of port knock authentication simultaneously, letting a legitimate user with the correct knock sequence through the firewall while the firewall itself is in the middle of a port attack from multiple IP addresses (assuming the firewall's bandwidth is not completely consumed). From any other attacking IP address, the ports on the firewall will still appear to be closed.
Using cryptographic hashes inside the port knock sequence defends against packet sniffing between the source and target machines, preventing discovery of the port knock sequence or use of the captured information to mount a traffic replay attack that repeats a prior knock sequence.
Port knocking is used as part of a defense in depth strategy. Even if an attacker were to successfully gain port access, other port security mechanisms are still in place, along with the authentication mechanisms of the service assigned to the opened port.
Implementation of the technique is straightforward, using at the bare minimum a shell script on the server and a Windows batch file or command line utility on the client. Overhead on both the server and the client in terms of traffic, CPU and memory consumption is minimal. Port knock daemons are not complex to code; any type of vulnerability within the code is obvious and auditable.
A port knock system implemented on ports such as SSH sidesteps the issue of brute force password attacks on logins. In the case of SSH, the SSH daemon is not reachable without the correct port knock, and the attack is filtered by the TCP/IP stack rather than consuming SSH authentication resources. To the attacker, the daemon is inaccessible until the correct port knock is supplied.
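The following is an added example, not code from the original article or from any port knocking project. It models the stateful daemon described in the Overview (watching firewall log lines, resetting a source on any out-of-sequence packet, never replying) together with the per-source opening and timeout described in the Benefits section. The log line format, knock sequence and timeout value are constructed for the example.

```python
import re
# Expected knock: (protocol, port) pairs in order; constructed values for this example.
KNOCK_SEQUENCE = (("tcp", 1000), ("tcp", 2000), ("udp", 3000))
OPEN_SECONDS = 30  # how long the port stays open to a source after a correct knock
# Constructed log format (an assumption, not a real firewall's): t=<s> proto=<tcp|udp> src=<ip> dpt=<port>
LOG_RE = re.compile(r"t=(\d+) proto=(tcp|udp) src=([\d.]+) dpt=(\d+)")


class KnockDaemon:
    """Stateful port-knock tracker with one independent counter per source address."""
    def __init__(self, sequence=KNOCK_SEQUENCE, open_seconds=OPEN_SECONDS):
        self.sequence = tuple(sequence)
        self.open_seconds = open_seconds
        self.progress = {}  # src -> number of knocks matched so far
        self.allowed = {}   # src -> time at which the opening expires
    def handle_packet(self, now, proto, src, dport):
        """Feed one logged packet; return True only if it completed the sequence."""
        step = self.progress.get(src, 0)
        if (proto, dport) == self.sequence[step]:
            step += 1
        else:  # any other packet resets this source; nothing is ever sent back to it
            step = 1 if (proto, dport) == self.sequence[0] else 0
        done = step == len(self.sequence)
        if done:
            self.allowed[src] = now + self.open_seconds  # opened for this source only
            step = 0
        self.progress[src] = step
        return done

    def is_open_for(self, src, now):
        return self.allowed.get(src, 0) > now  # timeout: valid only until expiry

    def process_log(self, lines):
        """Parse firewall log lines and return the sources that completed the knock."""
        opened = []
        for line in lines:
            m = LOG_RE.search(line)
            if m:
                t, proto, src, dport = m.groups()
                if self.handle_packet(int(t), proto, src, int(dport)):
                    opened.append(src)
        return opened


# Constructed sample log: two clients knock concurrently; the second gets a port wrong.
SAMPLE_LOG = [
    "t=1 proto=tcp src=203.0.113.5 dpt=1000",
    "t=2 proto=tcp src=198.51.100.9 dpt=1000",
    "t=3 proto=tcp src=203.0.113.5 dpt=2000",
    "t=4 proto=tcp src=198.51.100.9 dpt=4444",
    "t=5 proto=udp src=203.0.113.5 dpt=3000",
]
```

A real deployment would replace the `allowed` dictionary with a firewall rule insertion for that source address and a matching removal at expiry.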
Security considerations
Port knocking is a flexible, customisable system add-in. If the administrator chooses to link a knock sequence to an activity such as running a shell script, other changes such as implementing additional firewall rules to open ports for specific IP addresses can easily be incorporated into the script. Simultaneous sessions are easily accommodated.
Beyond mitigating brute force password attacks and the inevitable log growth associated with the process daemon, port knocking also protects against protocol vulnerability exploits. If an exploit were discovered that could compromise a daemon in its default configuration, using port knocking on the listening port reduces the possibility of compromise until the software or process is updated. Authorized users continue to be served once they provide the correct knock sequence, while random access attempts are ignored.
Port knocking should only be viewed as part of an overall network defense strategy providing protection against random and targeted attacks, not as a complete standalone solution.
Network security professionals largely ignored port knocking as a solution in the past because early implementations relied solely on providing the correct port combinations to achieve access. Modern port knock systems incorporate features such as secure cryptographic hashes, blacklists, whitelists and dynamic attack responses to further increase system capability. Port knocking is an effective means of maximizing server resources on internet-facing networks.
Properly implemented port knocking does not lower the overall security of a system. It is an effective measure that provides an additional layer of security with minimal server resource overhead. At worst, systems such as port knocking introduce new security issues through poor implementation, or expose ambivalent administration attitudes through situations such as risk compensation.
Disadvantages
Port knocking is totally dependent on the robustness of the port knocking daemon. Failure of the daemon denies port access to all users, and from a usability and security perspective this is an undesirable single point of failure. Modern port knocking implementations mitigate this issue by providing a process monitoring daemon that restarts a failed or stalled port knocking daemon process.
Systems that do not use cryptographic hashes are vulnerable to IP address spoofing attacks. This attack, a form of denial of service, uses the port knocking functionality to lock out known IP addresses (such as an administrator's management station) by sending packets with the spoofed IP address to random ports. Servers using static addressing are especially vulnerable to this type of denial of service because their addresses are well known.
Port knocking can be problematic on networks exhibiting high latency. Port knocking depends on packets arriving in the correct sequence to access its designed functionality. TCP/IP, on the other hand, is designed to function by reassembling out-of-order packets into a coherent message. In these situations the only solution is for the client to continuously resend the correct sequence of packets until the sequence is acknowledged by the server.
Port knocking cannot be used as the sole authentication mechanism for a server. From a security perspective, simple port knocking relies on security through obscurity; unintended publication of the knock sequence implies compromise of all devices supporting that sequence. Furthermore, unencrypted port knocking is vulnerable to packet sniffing. A network trace of suitable length can reveal the correct knock sequence from a single IP address and thus provide a mechanism for unauthorized access to the server and, by extension, the attached network. Once compromised, the log files on the device are a source of other valid knock sequences, revealing another point of failure. Solutions such as treating each knock sequence as a one-time password defeat the aim of simplified administration. In practice, port knocking must be combined with other forms of authentication that are not vulnerable to replay or man-in-the-middle attacks for the whole system to be effective.
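An added example, not code from the original article or from any port knocking implementation, showing one way to make a knock sequence a one-time value as discussed above and in the Benefits section on cryptographic hashes: both sides derive the ports from HMAC-SHA256 over a shared key and a counter, and the server never accepts a counter twice, so a sequence captured by a sniffer or read from a log cannot be replayed. The key, port range, sequence length and acceptance window are constructed assumptions.

```python
import hashlib
import hmac
import struct

KNOCKS_PER_SEQUENCE = 4
PORT_LOW, PORT_HIGH = 1024, 65535  # range the derived knock ports are drawn from


def knock_sequence(key, counter, n=KNOCKS_PER_SEQUENCE):
    """Derive n knock ports from HMAC-SHA256(key, counter); a new counter gives a new sequence."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha256).digest()
    span = PORT_HIGH - PORT_LOW + 1
    # Each port takes two digest bytes, folded into the allowed port range.
    return [PORT_LOW + int.from_bytes(digest[2 * i:2 * i + 2], "big") % span for i in range(n)]


class OneTimeKnockServer:
    """Accepts each derived sequence at most once, so a sniffed or logged knock cannot be replayed."""

    def __init__(self, key, window=5):
        self.key = key
        self.window = window    # how far ahead of the last accepted counter a client may be
        self.last_counter = -1  # highest counter accepted so far; everything at or below is burned

    def verify(self, ports):
        """Return True and advance the counter if ports match an unused counter inside the window."""
        observed = struct.pack(">%dH" % len(ports), *ports)
        for c in range(self.last_counter + 1, self.last_counter + 1 + self.window):
            expected = struct.pack(">%dH" % KNOCKS_PER_SEQUENCE, *knock_sequence(self.key, c))
            if hmac.compare_digest(observed, expected):
                self.last_counter = c  # this counter and all earlier ones can never be reused
                return True
        return False
```

The client keeps the same counter and increments it after every knock; a counter-based design avoids the clock synchronisation a time-based hash would need.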
References
External links
- SilentKnock: Practical, Provably Undetectable Authentication
- "An Analysis of Port Knocking and Single Packet Authorization" MSc Thesis by Sebastien Jeanquier
- "Implementing a Port Knocking System in C" Honors Thesis by Matt Doyle.
- List of resources about PK and SPA (papers, implementations, presentations...)
- PortKnocking - A system for stealthy authentication across closed ports.
- Linux Journal: Port Knocking (2003)
- Critique of Port Knocking (2004)
- fwknop: An implementation combining port knocking with passive OS fingerprinting
- WebKnock: An online Port Knocking and Single Packet Authorization (SPA) client based on fwknop
- webknocking: Using web pages instead of ports.
- Port knocking to hide a backdoor: port knocking used to hide a malware communication channel, an example from the wild
Source of the article : Wikipedia