Many, many innovations come from the Linux and Unix world. Few are more intriguing to me than port knocking. As a global security
plug-in to protect services, it has a lot going for it and few downsides. However, for one reason or another, it suffers from
lack of use and understanding. A lot of administrators may have heard of it, but few know how to implement it. Even fewer
have used it.
Port knocking works on the concept that users wishing to attach to a network service must initiate a predetermined sequence
of port connections or send a unique string of bytes before the remote client can connect to the eventual service. In its
most basic form, the remote user’s client software must first connect to one or more ports before connecting to the final
destination port.
For example, suppose the remote client wants to connect to an SSH server. The administrator configures the port-knocking requirements
ahead of time, requiring that connecting remote clients first connect to ports 3400, 4000, and 9887 before connecting to the
final destination port, 22. The administrator tells all legitimate clients the correct “combination” to connect; malicious
hackers wishing to connect to the SSH service will be denied access without the combination. Port knocking will foil even
port-scanning and banner-grabbing enthusiasts.
Because any combination of ports and transport protocols can be used, the number of possible sequences that an attacker would
have to guess is high. Even if the hacker knew only three port knocks were involved, as in the very simple example above,
with 64,000 possible TCP, UDP, and ICMP (Internet Control Message Protocol) ports to choose from, the resulting set of possible
combinations for the hacker to try runs into the millions. Port scanners will be frustrated because port knocking uses closed
ports to do the listening (more on this below).
The biggest advantage of all is that port knocking is platform-, service-, and application-independent: Any OS with the correct
client and server software can take advantage of its protection. Although port knocking is mainly a Linux/Unix implementation,
there are Windows tools that can do the same thing. And similar to IPSec and other protective mechanisms, none of the involved
services or applications has to be port-knocking-aware.
Port-knocking server software works by monitoring the firewall log and looking for connections to closed ports, or by monitoring
the IP stack. The former method requires that all denied connection attempts be written quickly to a firewall log, and the
port-knocking service (daemon) monitors and correlates legitimate port-knocking combinations. For authenticated knocking combinations,
the port-knocking server service then tells the firewall to open the final requested port for just the legitimate port-knocking
client -- usually tracked by IP address.
More advanced implementations of port knocking work at the IP stack and either listen and record to connections to closed
ports, or use a more sophisticated mechanism. Some implementations look for a specific series of bytes within the first connection
attempt. These bytes can even be “hidden” within a simple ICMP echo request ping. Even stronger port-knocking negotiation
methods involve encryption or asymmetric authentication.
Port knocking can also serve as an extra layer of security to protect high-risk remote management services, such as SSH and
RDP (Remote Desktop Protocol). Unfortunately, port knocking has been used by more than a few rootkit Trojans as their hacker
creators attempt to keep control of their own malicious creations.
Critics often point to the fact that eavesdropping hackers might be able to capture and replay the successful port-knocking
sequence or series of bytes. Although this might be true with the basic implementations, attacks such as these would be squashed
by using more sophisticated authentication methods or minimized by using secondary hard-coded allowed IP addresses such as
TCP wrappers.
If a hacker does manage to glean your combination, the worst-case scenario is that the intruder bypasses the port-knocking
protection and now has to face your normal service security measures -- log-on password prompting, and so on. As far as I
can tell, the use of port knocking can only strengthen any defense-in-depth strategy and does nothing to hurt it.
I wish Windows had port-knocking mechanisms built in by default. It would be a nice complement to Microsoft’s marketplace-tested
IPSec and Kerberos implementations. The Linux/Unix world has a plethora of port knocking implementations to choose from, none
of which requires incredible expertise to configure or use.
For more information on port knocking, visit www.portknocking.org or en.wikipedia.org/wiki/Port_knocking. For configuration detail from one implementation example, check out gentoo-wiki.com/HOWTO_Port_Knocking.
An excellent collection of port-knocking software and utilities can be found at www.portknocking.org/view/implementations, and another Windows-based port-knocking server and client can be found at www.security.org.sg/code/portknock1.html.
E-mail
Printer Friendly
Reprints
(InfoWorld) - In the litigious world we live in, deploying a unified communications platform in your enterprise could...
