A minimal prototype Perl implementation of port knocking is presented. The implementation is comprised of a knockclient, responsible for originating the knock sequence, and a knockdæmon, responsible for monitoring the firewall log and manipulating the rules.
The complete client is shown in Listing 1. Lincoln Stein's Crypt::CBC module is used as proxy to Crypt::Blowfish to carry out encryption. The unencrypted knock sequence is comprised of seven values: four IP bytes, a port (limited to the range 0-255 in this implementation), a time flag and a checksum (mod 255). The time flag determines how the dæmon reacts: 0 to open the port, 255 to close the port and any other value in the 1-254 range to open the port and then close it after that many minutes. The knock on the firewall (IP=IPF) to open port ssh/22 on IP=IPC and then have the port close after 15 minutes would be executed by calling the client as follows:
knockclient -i IPC -r IPF -p 22 -t 15
The client packs the list of seven integers, performs the encryption and unpacks the string into unsigned chars (0-255). These values are then mapped onto a sequence of ports in the 745-1000 range.
The knockdæmon is shown in Listing 2. This application uses File::Tail to look for new lines in the firewall log file. Lines corresponding to connection attempts to ports 745-1000 are parsed for the remote IP and port number. An 8-element queue storing the ports is maintained for each incoming IP. When the queue size reaches 8, its contents are decrypted. If the decryption is successful and the checksum is correct, appropriate action is taken and the queue is cleared. If the decryption fails, the oldest queue port element is removed and the dæmon continues monitoring.
The firewall rules are manipulated by a system call to the ipchains binary, although the IPChains Perl module by Jonathan Schatz also may be used. If the port is to be closed, as indicated by the time flag, Jose Rodrigues' Schedule::At module is used to schedule the deletion of the rule using the at queue system.
Port knocking is a stealthy authentication system that employs closed ports to carry out identification of trusted users. This novel method provides the means of establishing a connection to an application running on a completely isolated system on which no ports initially are open.
"An Introduction to Using Linux as a Multipurpose Firewall", Jeff Regan, Linux Journal, Issue 71, March 2000.
|PostgreSQL, the NoSQL Database||Jan 29, 2015|
|HPC Cluster Grant Accepting Applications!||Jan 28, 2015|
|Sharing Admin Privileges for Many Hosts Securely||Jan 28, 2015|
|Red Hat Enterprise Linux 7.1 beta available on IBM Power Platform||Jan 23, 2015|
|Designing with Linux||Jan 22, 2015|
|Wondershaper—QOS in a Pinch||Jan 21, 2015|
- PostgreSQL, the NoSQL Database
- Sharing Admin Privileges for Many Hosts Securely
- HPC Cluster Grant Accepting Applications!
- Internet of Things Blows Away CES, and it May Be Hunting for YOU Next
- Wondershaper—QOS in a Pinch
- Designing with Linux
- Ideal Backups with zbackup
- January 2015 Issue of Linux Journal: Security
- Slow System? iotop Is Your Friend
- Non-Linux FOSS: Animation Made Easy