A minimal prototype Perl implementation of port knocking is presented. The implementation is comprised of a knockclient, responsible for originating the knock sequence, and a knockdæmon, responsible for monitoring the firewall log and manipulating the rules.
The complete client is shown in Listing 1. Lincoln Stein's Crypt::CBC module is used as proxy to Crypt::Blowfish to carry out encryption. The unencrypted knock sequence is comprised of seven values: four IP bytes, a port (limited to the range 0-255 in this implementation), a time flag and a checksum (mod 255). The time flag determines how the dæmon reacts: 0 to open the port, 255 to close the port and any other value in the 1-254 range to open the port and then close it after that many minutes. The knock on the firewall (IP=IPF) to open port ssh/22 on IP=IPC and then have the port close after 15 minutes would be executed by calling the client as follows:
knockclient -i IPC -r IPF -p 22 -t 15
The client packs the list of seven integers, performs the encryption and unpacks the string into unsigned chars (0-255). These values are then mapped onto a sequence of ports in the 745-1000 range.
The knockdæmon is shown in Listing 2. This application uses File::Tail to look for new lines in the firewall log file. Lines corresponding to connection attempts to ports 745-1000 are parsed for the remote IP and port number. An 8-element queue storing the ports is maintained for each incoming IP. When the queue size reaches 8, its contents are decrypted. If the decryption is successful and the checksum is correct, appropriate action is taken and the queue is cleared. If the decryption fails, the oldest queue port element is removed and the dæmon continues monitoring.
The firewall rules are manipulated by a system call to the ipchains binary, although the IPChains Perl module by Jonathan Schatz also may be used. If the port is to be closed, as indicated by the time flag, Jose Rodrigues' Schedule::At module is used to schedule the deletion of the rule using the at queue system.
Port knocking is a stealthy authentication system that employs closed ports to carry out identification of trusted users. This novel method provides the means of establishing a connection to an application running on a completely isolated system on which no ports initially are open.
"An Introduction to Using Linux as a Multipurpose Firewall", Jeff Regan, Linux Journal, Issue 71, March 2000.
- Readers' Choice Awards 2013
- A Plexible Pi
- Linux Kernel News - November 2013
- Advanced Hard Drive Caching Techniques
- Sublime Text: One Editor to Rule Them All?
- Mars Needs Women
- Raspberry Pi: the Perfect Home Server
- Tech Tip: Really Simple HTTP Server with Python
- December 2013 Issue of Linux Journal: Readers' Choice
- RSS Feeds
- rilakkuma onesie
2 hours 14 min ago
- flying squirrel onesie
2 hours 16 min ago
- animal onesies for adults
2 hours 18 min ago
- animal onesies
2 hours 20 min ago
- stitch onesie
2 hours 20 min ago
- totoro onesie
2 hours 22 min ago
- dinosaur onesie
2 hours 26 min ago
- pikachu onesie
2 hours 30 min ago
- While copy.com is nice, it's
7 hours 32 min ago
- Evangelist/Advocate - 5th place - Dedoimedo
9 hours 23 min ago