kevdog
May 30th, 2008, 01:38 AM
Announcements
- FWKNOP version 1.9.7 released 8-25-2008. Changes here as follows: http://trac.cipherdyne.org/trac/fwknop/browser/fwknop/tags/fwknop-1.9.7/ChangeLog
- FWKNOP version 1.9.6 released 7-19-2008. Changes/New Features will be updated once Change List is available. http://trac.cipherdyne.org/trac/fwknop/browser/fwknop/tags/fwknop-1.9.6/ChangeLog
- FWKNOP version 1.9.5 (server and client versions) released 6-8-2008. Minimal increased functionality with this release. Updates various perl libraries. Changes documented here: http://trac.cipherdyne.org/trac/fwknop/browser/fwknop/tags/fwknop-1.9.5/ChangeLog
Source code: http://www.cipherdyne.org/fwknop/download/fwknop-1.9.5.tar.gz
- FWKNOP version 1.9.4 (server and client versions) released 6-1-2008. Two randomization port techniques were added for the outgoing client SPA request to allow for use of a random UPD port. Additional details on use of these advanced techniques found: http://trac.cipherdyne.org/trac/fwknop/browser/fwknop/tags/fwknop-1.9.4/ChangeLog
Tested Platforms
Server Installations
Ubuntu, Arch
Client Installations
Ubuntu, Arch, Cygwin (Windows)
I. Overview of Port Knocking
Port knocking is a means of host-host communication which information flows through closed ports. Notice this remarkably differs from most other form of communications in which a listening daemon is connected to an open port, which is accessible to the outside world. With a Port Knocker daemon, since communication takes places through closed ports, the listening Port Knocker daemon is undetectable to exploitative port scanner utilities.
Although the exact implementation of each port knocking process differs between programs, the port knocking process may be thought of in general terms as:
1. A client sends a Port Knocking packet or "combination code -- such as a combination code used to unlock a padlock" to the listening daemon. In many cases this "combination code" can be encrypted using a symmetric cipher, or can be encrypted utilizing asymmetric techniques such as those employed in GnuPG with the use of symmetric ciphers and hashes.
2. A monitoring daemon on the server detects the Port Knocking packet or "combination code".
3. Based on the Port Knocking implementation the Port Knocking "combination code" unlocks a process on the server. In many cases the "combination code" acts to directly modify the servers firewall to open up a listening port on the server -- such as enabling port 22 providing for further communication through the OpenSSH protocol. In other cases an executable program is directly run on the monitoring server.
4. In all cases, there is no delivery confirmation of the received packet from the monitoring daemon back to the client. Communication is performed stealthly.
The complexity of the Port Knocking sequence or "lock combination" can vary widely. It could be as simple as a three-number unencrypted combination such as TCP port 1000, TCP port 2000, UPD port 3000. In other applications, the combination could be encrypted and contain confirmation hashes, time-based limits to when the knock sequence expires, specific IP address limitations, or specific executable commands or code that would be run on the server upon delivery of the packet. Also how the listening daemon actually detects the "knock sequence" -- whether through monitoring of the firewall logs, or through use of a packet capture utility such as PCAP (http://en.wikipedia.org/wiki/Pcap), varies among the actual Port Knocking implementation.
Historically Port Knocking processes have been maliciously implemented in rootkits and trojans horses, and have been involved in mass-scale DNS attacks. Based on the history of port-knocking, the wide use of Port Knocker utilities is a matter of controversy among security experts.
There are two however well known publicized benefits of Port Knocking utilities when utilized in combination of firewall IP table modification. They ideally would protect provide and additional layer of security for other listening processes (such as the OpenSSH server) from zero-day and unpatched code vulnerabilities. This is particularly applicable given the recent discovery ( 5-13-2008 ) of the OpenSSH exploit contained in Debian/Ubuntu distributions. Although this exploit has now been corrected, as a result of incorrect modification of the OpenSSH psuedo-random number generator algorithm, Debian/Ubuntu systems were vulnerable for well over 1 year. If a port knocker utility would have been in place protecting the OpenSSH server process, it is likely that exploitation of this vulnerability would have been minimized.
References:
Port Knocking Background
http://www.portknocking.org/
http://en.wikipedia.org/wiki/Port_knocking
Debian/Ubuntu OpenSSH vulnerabilty:
Please note all default Ubuntu Feisty,Gutsy,Hardy and Intrepid installations are considered to be at risk
http://lists.debian.org/debian-security-announce/2008/msg00152.html
http://www.ubuntu.com/usn/usn-612-1
http://ubuntuforums.org/showthread.php?t=793517
Other References:
Pcap - http://en.wikipedia.org/wiki/Pcap
Controversy with Use of Port Knockers as Discussed on Ubuntu Forums: http://ph.ubuntuforums.com/showthread.php?t=758666
II. Installation of the FWKNOP Port Knocking Application
FWKNOP Port Knocking Implementation
FWKNOP (FireWall KNock OPerator) - a specific port knocking application that implements Single Packet Authorization and allows for encrypted packet communication. (http://www.cipherdyne.org/fwknop/). There are other Port Knocking implementations (http://www.portknocking.org/view/implementations), however many are proof-of-concept designs, or are not being actively maintained. FWKNOP is under current active development. Michael Rash -- the author of the implementation -- has published several papers and books on the subject of Port Knocking and use of Linux Firewalls. In addition he is very responsive to user questions and concerns in regards to the FWKNOP implementation. In addition the FWKNOP daemon can be installed on Linux/BSD (Mac OS X) platforms, and clients are available for Linux, BSD (Mac), and Windows(through cygwin or utilizing a native GUI client).
Installation of FWKNOP Daemon (Server) on Ubuntu
Install Dependencies
sudo aptitude install build-essential linux-headers-$(uname -r) libpcap-dev nmap
Install Additional Perl Dependencies for FWKNOP ***Note: cpan method fails for Net::PCAP installation
cd ~
mkdir Source
cd Source
mkdir fwknop
cd fwknop
wget http://search.cpan.org/CPAN/authors/id/S/SA/SAPER/Net-Pcap-0.16.tar.gz
tar zxvf Net-Pcap-0.16.tar.gz
cd Net-Pcap-0.16.tar.gz
perl ./Makefile.PL
make
sudo make install
Download and install FWKNOP
cd ~
cd Source/fwknop
wget http://www.cipherdyne.org/fwknop/download/fwknop-1.9.3.tar.bz2
tar -jxvf fwknop-1.9.3.tar.bz2
cd fwknop-1.9.3
sudo ./install.pl (Please answer questions with install script using pcap library)
For users using versions <= 1.9.3 (Fixes run-level bug at startup)
sudo update-rc.d -f fwknop remove
sudo update-rc.d fwknop defaults 99
Verifying the Installation Process
(This is where it gets down and dirty!!)
Included in the FWKNOP sources is a test installation script to verify the FWKNOP installation and server capabilities.
By default, this process assumes there is a mail server executable located at /bin/mail. By default the fwknop server is designed to mail the server administrator notification everytime the fwknop process executes.
The test installation script produces many errors if an executable mail transfer agent (MTA) does not exist at /bin/mail.
--If you have a MTA (mail transfer agent) and would like to utilize this notification feature, I would recommend creating a symbolic link from /bin/mail to your preferred mailing program. This would be performed with the following code:
sudo ln -s <actual MTA/executable> /bin/mail
--If you do not have a MTA (mail transfer agent) and/or do not want to implement this notification feature, create a temporary link (this will be removed later) to allow the test program to complete
sudo ln -s /bin/echo /bin/mail
Now attempt to run the FWKNOP installation test to verify server integrity:
cd ~/Source/fwknop/fwknop-1.9.3/test
sudo perl fwknop_test.pl
Result of my test script appeared as the following:
$ sudo ~/Source/fwknop/fwknop-1.9.3/test/fwknop_test.pl
[+] ==> Running fwknop test suite; firewall: iptables <==
(Setup) perl program compilation....................................pas s (0)
(Setup) C program compilation....................................... pass (1)
(Setup) Command line argument processing............................pass (2)
(Setup) List iptables rules.........................................pass (3)
(Setup) System information and fwknop installation specifics........pass (4)
(Setup) Stopping any running fwknopd processes......................pass (5)
(Setup) Flushing all fwknopd iptables rules.........................pass (6)
(Setup) Deleting all fwknopd iptables chains........................pass (7)
(Basic communications) Generating SPA access packet.................pass (8)
(Basic communications) Sniffing SPA access packet...................pass (9)
(Basic communications) Verifying SPA access packet format...........pass (10)
(Basic communications) Firewall access rules exist..................pass (11)
(Sleeping for 5 (+3) seconds for firewall rule timeout)
8 7 6 5 4 3 2 1 0
(Basic communications) Firewall access rules removed................pass (12)
(Basic communications) Stopping all running fwknopd processes.......pass (13)
(Replay attacks, broken data) Rijndael key validity.................pass (14)
(Replay attacks, broken data) Replay detection - all digests........pass (15)
(Replay attacks, broken data) Replay detection - SHA256.............pass (16)
(Replay attacks, broken data) Replay detection - SHA1...............pass (17)
(Replay attacks, broken data) Replay detection - MD5................pass (18)
(Replay attacks, broken data) 100 random packets....................pass (19)
(Replay attacks, broken data) Truncated SPA packet..................pass (20)
(Replay attacks, broken data) Sniffing truncated SPA packet.........pass (21)
(Replay attacks, broken data) Firewall rules do not exist...........pass (22)
(Replay attacks, broken data) SPA packet with bogus key.............pass (23)
(Replay attacks, broken data) Sniffing broken SPA packet............pass (24)
(Replay attacks, broken data) Firewall rules do not exist...........pass (25)
(Internal digest alg mis-match) Generating SPA packet...............pass (26)
(Internal digest alg mis-match) Sniffing SPA packet.................pass (27)
(Internal digest alg mis-match) Verifying SPA packet format.........pass (28)
(Internal digest alg mis-match) Firewall access rules exist.........pass (29)
(Sleeping for 5 (+3) seconds for firewall rule timeout)
8 7 6 5 4 3 2 1 0
(Internal digest alg mis-match) Firewall access rules removed.......pass (30)
(Internal digest alg mis-match) Stopping all fwknopd processes......pass (31)
(Client timeout) Generating SPA access packet.......................pass (32)
(Client timeout) Sniffing SPA access packet.........................pass (33)
(Client timeout) Verifying SPA access packet format.................pass (34)
(Client timeout) Firewall access rules exist........................pass (35)
(Sleeping for 10 seconds for firewall rule timeout)
10 9 8 7 6 5 4 3 2 1 0
(Client timeout) Firewall access rules removed......................pass (36)
(Client timeout) Stopping all running fwknopd processes.............pass (37)
(Append data) Data appended to SPA packet...........................pass (38)
(Append data) Sniffing appended SPA packet..........................pass (39)
(Append data) Firewall rules exist..................................pass (40)
(Rijndael Salted__ compatibility) Generating SPA packet.............pass (41)
(Rijndael Salted__ compatibility) Sniffing SPA packet...............pass (42)
(Rijndael Salted__ compatibility) Verifying SPA format..............pass (43)
(Rijndael Salted__ compatibility) Rules exist.......................pass (44)
(Sleeping for 5 (+3) seconds for firewall rule timeout)
8 7 6 5 4 3 2 1 0
(Rijndael Salted__ compatibility) Rules removed.....................pass (45)
(Rijndael Salted__ compatibility) Stopping fwknopd..................pass (46)
(Non-promisc capture) Generating SPA access packet..................pass (47)
(Non-promisc capture) Sniffing SPA access packet....................pass (48)
(Non-promisc capture) Verifying sniffed SPA access packet...........pass (49)
(Non-promisc capture) Firewall access rules exist...................pass (50)
(Sleeping for 5 (+3) seconds for firewall rule timeout)
8 7 6 5 4 3 2 1 0
(Non-promisc capture) Firewall access rules removed.................pass (51)
(Non-promisc capture) Stopping all fwknopd processes................pass (52)
(SPA aging) Generating SPA access packet............................pass (53)
(SPA aging) Expired SPA packet detection............................pass (54)
(SPA aging) Making sure firewall rules do not exist.................pass (55)
(Require SRC) Generating SPA packet with 0.0.0.0 src addr...........pass (56)
(Require SRC) Sniffing packet with 0.0.0.0 src addr.................pass (57)
(Require SRC) Making sure firewall rules do not exist...............pass (58)
(Require user) Generating SPA packet with unauthorized user.........pass (59)
(Require user) Unauthorized user detection..........................pass (60)
(Require user) Making sure firewall rules do not exist..............pass (61)
(Permit ports) Generating unauthorized port access request..........pass (62)
(Permit ports) Unauthorized port access detection...................pass (63)
(Permit ports) Making sure firewall rules do not exist..............pass (64)
(Bogus src) Generating SPA packet from non-matching src.............pass (65)
(Bogus src) Verifying SPA access packet format......................pass (66)
(Bogus src) Non-matching SOURCE block...............................pass (67)
(Bogus src) Making sure firewall rules do not exist.................pass (68)
(Excluded src) Generating SPA packet from non-matching src..........pass (69)
(Excluded src) Verifying SPA access packet format...................pass (70)
(Excluded src) Non-matching SOURCE block............................pass (71)
(Excluded src) Making sure firewall rules do not exist..............pass (72)
(Blacklist src) Generating blacklisted SPA packet...................pass (73)
(Blacklist src) Verifying SPA access packet format..................pass (74)
(Blacklist src) Sniffing SPA packet.................................pass (75)
(Blacklist src) Making sure firewall rules do not exist.............pass (76)
(Multi-SOURCE) Generating SPA access packet.........................pass (77)
(Multi-SOURCE) Sniffing SPA access packet...........................pass (78)
(Multi-SOURCE) Verifying SPA access packet format...................pass (79)
(Multi-SOURCE) Firewall access rules exist..........................pass (80)
(Sleeping for 5 (+3) seconds for firewall rule timeout)
8 7 6 5 4 3 2 1 0
(Multi-SOURCE) Firewall access rules removed........................pass (81)
(Multi-SOURCE) Stopping running fwknopd processes...................pass (82)
(GnuPG) Generating SPA access packet................................pass (83)
(GnuPG) Sniffing SPA access packet to acquire access................pass (84)
(GnuPG) Verifying sniffed SPA access packet format..................pass (85)
(GnuPG) Firewall access rules exist.................................pass (86)
(Sleeping for 5 (+3) seconds for firewall rule timeout)
8 7 6 5 4 3 2 1 0
(GnuPG) Firewall access rules removed...............................pass (87)
(GnuPG) Stopping all running fwknopd processes......................pass (88)
(Command execution) Generating SPA command packet...................pass (89)
(Command execution) Sniffing SPA command packet and executing.......pass (90)
(Command execution) Verifying SPA command packet format.............pass (91)
(Command execution) Making sure firewall rules do not exist.........pass (92)
(Command execution) Non-matching regex command packet...............pass (93)
(Command execution) SPA command packet filtered.....................pass (94)
(Command execution) Making sure firewall rules do not exist.........pass (95)
(FORWARD chain) Stopping all running fwknopd processes..............pass (96)
(FORWARD chain) Generating FORWARD chain access packet..............pass (97)
(FORWARD chain) FORWARD request detection...........................pass (98)
(FORWARD chain) FORWARD and DNAT access rules.......................pass (99)
(FORWARD chain) Verifying SPA FORWARD access packet format..........pass (100)
(Sleeping for 5 (+3) seconds for firewall rule timeout)
8 7 6 5 4 3 2 1 0
(FORWARD chain) Making sure firewall rules are removed..............pass (101)
(FORWARD chain) Generating FORWARD access SPA packet................pass (102)
(FORWARD chain) Verifying SPA FORWARD access packet format..........pass (103)
(FORWARD chain) FORWARD access to restricted IP.....................pass (104)
(FORWARD chain) Firewall rules do not exist.........................pass (105)
(OUTPUT chain) Stopping all running fwknopd processes...............pass (106)
(OUTPUT chain) Generating OUTPUT chain access packet................pass (107)
(OUTPUT chain) OUTPUT access rules..................................pass (108)
(OUTPUT chain) Verifying OUTPUT access packet format................pass (109)
(Sleeping for 5 (+3) seconds for firewall rule timeout)
8 7 6 5 4 3 2 1 0
(OUTPUT chain) Making sure firewall rules are removed...............pass (110)
(Filesystem tcpdump capture) Sniffing over lo.......................pass (111)
(Filesystem tcpdump capture) Stopping fwknopd processes.............pass (112)
(Filesystem tcpdump capture) Generating SPA packet..................pass (113)
(Filesystem tcpdump capture) SPA communications via file............pass (114)
(Filesystem tcpdump capture) Firewall access rules exist............pass (115)
(Sleeping for 5 (+3) seconds for firewall rule timeout)
8 7 6 5 4 3 2 1 0
(Filesystem tcpdump capture) Rules removed..........................pass (116)
Stopping all running fwknopd processes..............................pass (117)
Deleting all fwknopd iptables chains................................pass (118)
Verifying SPA digest file format....................................pass (119)
Collecting fwknop syslog messages...................................pass (120)
[+] ==> Passed 121/121 tests against fwknop. <==
[+] This console output has been stored in: test.log
Please note that it is not necessary to pass all steps. I still had one error at the conclusion of the test process (but still have a functioning server). If you receive any fails to the process above, further information regarding each particular step can be found in:
~/Source/fwknop/fwknop-1.9.3/test/output/std.stdout.<test_number>
cd ~/Source/fwknop/fwknop-1.9.3/test/output/std.stderr.<test_number>
These files are simple text files. I would recommend reading each file and post the particular debugging message in this forum if you are unable to troubleshoot the source of the error yourself.
III. Configuration of the FWKNOP Port Knocking Daemon
There are only two actual configuration files (fwknop.conf, access.conf) for the FWKNOP daemon process. These files are located in /etc/fwknop. Access to this directory can only be done as root. To access these files do the following:
sudo su
cd /etc/fwknop
gksu gedit <filename> (examples: gsku gedit fwknop.conf, gksu gedit access.conf)
exit
Modification of the /etc/fwknop/fwknop.conf file (Optional):
1. Changed ALERTING_METHODS from ALL -> noemail
---Rationale for doing this: I do not have a MTA (mail transfer agent) installed on my machine and would not like to receive email alerts everytime port knocker utility is accessed
2. Changed shCmd from /bin/sh -> /bin/bash
Modification of the /etc/fwknop/access.conf file (Mandatory)
The access.conf file is the heart of the Port Knocking Daemon. Options in this file control who can send packets, what incoming ports to open in the firewall after verification of the port knock, the duration of time to keep the port open for incoming connections, the type of encryption method expected for the port knock (symmetric vs asymmetric), and commands are to be execute on the fwknop daemon server. Example configurations are given in the file.
IV. Putting it All Together -- An Illustrative Example
The following example will demonstrate setup of a FWKNOP daemon server that allows a port knocking sequence to temporarily open the ssh incoming port (port 22) for 30 seconds, to allow an incoming ssh connection. For this first example I will assume the Single Packet Authentication (SPA) Port Knocking Sequence will be encoded using Rijndael encryption.
Requirements for Setup
1. Two separate computers - one acting as the fwknop/ssh client, and the other acting as the fwnkop/ssh daemon server. The client must have a valid ssh account on the server.
2. A running OpenSSH daemon on the server
3. An active Iptables Firewall on the server(which is turned off by default).
4. A port scanner on the client machine to verify opening an closure of the incoming port on the server (Port 22). Nmap will be our chosen port scanner.
5. Verification Steps to Ensure Everything is Working as Expected (Mostly applicable to server).
Client and Server Setup
(A Full explanation for the OpenSSH server setup may be found here: https://help.ubuntu.com/community/AdvancedOpenSSH)
Client Machine
OpenSSH
Client Operating System Platform:
Ubuntu (Linux Machine) or Mac OS X - OpenSSH client installed by default at time of installation.
Windows - OpenSSH client provided by installation of either cygwin (http://www.cygwin.com/) or putty(http://www.chiark.greenend.org.uk/~sgtatham/putty/).
FWKNOP
Client Operating System Platform:
Ubuntu (Linux) / MAC OSX - Follow instructions to install server as above. Server installation will automatically install a command line client program.
Windows - GUI client found here: http://www.cipherdyne.org/fwknop/download/. Additionally a command line cygwin client is also available by contacting the FWKNOP author.
Server Machine: Platform Ubuntu Linux
OpenSSH Server Installation
sudo aptitude install openssh-server
The server can be further enhanced to allow key-based authentication and disallow password based authentication. This would allow for the most secure authentication mechanism. If using key based authentication, I would recommend at least 2048 or 4096 byte rsa keys (1024 byte keys are the default).
FWKNOP Server Installation
Please see steps mentioned previously in this guide.
A Listening OpenSSH Server
By default the OpenSSH server listens on port 22. It is recommended this default port number be changed for security reasons via alteration of the /etc/ssh/sshd_config, however this example will assume port 22.
The OpenSSH server can be stopped and started via the following commands:
sudo /etc/init.d/ssh stop
sudo /etc/init.d/ssh start
Confirmation that the ssh daemon is listening is provided by netstat command providing output similar to:
$ sudo netstat -anlp | grep sshd
tcp6 0 0 :::22 :::* LISTEN 4396/sshd
The above shows a sshd listening process on port 22.
Please confirm that an ssh connection from client to server can be completed at this stage:
Client Machine:
ssh <user>@<IP_address_server>
Example
$ ssh sue@192.168.1.102
Ubuntu 8.04
Linux sudarshan 2.6.24-16-generic #1 SMP Thu Apr 10 13:23:42 UTC 2008 i686
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
Last login: Thu May 29 22:24:58 2008 from 192.168.1.101
Linux sudarshan 2.6.24-16-generic #1 SMP Thu Apr 10 13:23:42 UTC 2008 i686
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
sue@sudarshan:~$
IPTables Firewall Setup on Server Machine
***If you already have an existing Iptables firewall established, please save the old configuration via:
sudo iptables-save -c > /etc/iptables-save
Later the iptables can be restored if needed:
cat /etc/iptables-save | sudo iptables-restore -c
****
Flush/Reset the iptables rule set to allow all ports:
sudo /sbin/iptables -F
sudo /sbin/iptables -F -t nat
sudo /sbin/iptables -X
From the client machine verify the ssh port on the server is open and visible to the outside world (Example assuming 192.168.1.102 is the IP address of the server - change depending on your configuration):
$ nmap -p 22 192.168.1.102
Starting Nmap 4.62 ( http://nmap.org )
Interesting ports on 192.168.1.102:
PORT STATE SERVICE
22/tcp open ssh
MAC Address: 00:40:96:AF:E3:0C (Cisco Systems)
Nmap done: 1 IP address (1 host up) scanned in 0.453 seconds
Note the result above demonstrates that port 22 is open on the server and the ssh service is listening.
Next establish some basic firewall rules (Note that this will close all incoming connections -- please be aware of this -- modify to your specific situation -- Please note that this is an extremely basic firewall blocking all incoming connections other than those already established. In a production environment you would want to actually want a more fully featured firewall ruleset, but would want the default ruleset for port 22 (or ssh port) to be set to DROP ):
sudo /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
sudo /sbin/iptables -A INPUT -i ! lo -j DROP
Manually verify from the client that the server ssh port 22 is closed:
$ nmap -p 22 192.168.1.102
Starting Nmap 4.62 ( http://nmap.org )
Interesting ports on 192.168.1.102:
PORT STATE SERVICE
22/tcp filtered ssh
MAC Address: 00:40:96:AF:E3:0C (Cisco Systems)
Nmap done: 1 IP address (1 host up) scanned in 0.660 seconds
Notice the difference in the results of the two nmap port scans:
Open Port 22: 22/tcp open ssh
Closed Port 22: 22/tcp filtered ssh
Verification could also be completed attempting to make a successful ssh connection from client to server. With port 22 open, a connection should be established. With port 22 closed, an attempted connection should time out:
$ ssh sue@192.168.1.102
ssh: connect to host 192.168.1.102 port 22: Connection timed out
Port Scanner Setup on Client Machine
If following the instructions, the nmap port scanner utility should already be installed. If you have not installed nmap:
sudo aptitude install nmap
Using nmap please verify that port 22 on the server is currently closed (or filtered), since the fwknop daemon will later act to dynamically open the port:
$ nmap -p 22 192.168.1.102
Starting Nmap 4.62 ( http://nmap.org )
Interesting ports on 192.168.1.102:
PORT STATE SERVICE
22/tcp filtered ssh
MAC Address: 00:40:96:AF:E3:0C (Cisco Systems)
Nmap done: 1 IP address (1 host up) scanned in 0.675 seconds
Please also verify that the OpenSSH server is listening on port 22 on the server behind the firewall:
On server machine:
$ sudo netstat -anlp | grep sshd
tcp6 0 0 :::22 :::* LISTEN 4396/sshd
FWKNOP Daemon Setup on Server
Configuration of the server's FWKNOP access.conf file
For this example's purpose, we are going to consider the fwknop password = Ubuntu2008. This password will act as the shared secret key for the Rijndael symmetric cipher. When authenticating the password, the server will open port 22 for incoming connections for a maximum of 30 seconds to allow for an establishment of a ssh connection.
gksu gedit /etc/fwknop/access.conf &
At the conclusion of the examples and comments:
SOURCE: ANY;
OPEN_PORTS: tcp/22;
DATA_COLLECT_MODE: PCAP;
KEY: Ubuntu2008;
FW_ACCESS_TIMEOUT: 30;
**Additionally when using the Windows Client GUI I had to make the following modification to the server's /etc/fwknop/fwknop.conf. This may not be applicable to your situation.
ENABLE_SPA_PACKET_AGING N;
The fwknop daemon is usually stopped/stared using the following syntax:
sudo /etc/init.d/fwknop stop
sudo /etc/init.d/fwknop start
For this tutorial, the fwknop daemon will be run in debug mode to see the process occuring on the server. The server will be started in debug mode in the terminal and the output sent to the terminal:
cd ~/Source/fwknop/fwknop-1.9.3
sudo perl ./fwknopd --debug
To kill the server later, hit Cntl-C while in the command window.
Putting It All Together and Unlocking the Port
With the fwknop daemon running on the server, use the fwknop client to issue the port knock. For command line clients (Change IP address given your particular setup -- My setup 192.168.1.101=LAN IP address of client, 192.168.1.102=LAN IP address of Server), the fwknop command has the following syntax:
fwknop -A <protocol/port> -a <client IP address> -D <server IP address>
This is one example of how to use the client. Additional options, switches can be found here: http://www.cipherdyne.org/fwknop/docs/manpages/fwknop.html
$ fwknop -A tcp/22 -a 192.168.1.101 -D 192.168.1.102
[+] Starting fwknop client (SPA mode)...
[+] Enter an encryption key. This key must match a key in the file
/etc/fwknop/access.conf on the remote system.
Encryption Key:
[+] Building encrypted Single Packet Authorization (SPA) message...
[+] Packet fields:
Random data: 5817642240590499
Username: <username>
Timestamp: 1212123357
Version: 1.9.4-pre3
Type: 1 (access mode)
Access: 192.168.1.101,tcp/22
SHA256 digest: NvUBz8l+T76KPqOSwvLMJO1n6sNjTLjuScSz6IIp5m8
[+] Sending 182 byte message to 192.168.1.102 over udp/62201...
After performing this knocking sequence, a nmap port scan of the server should show the following (My setup 192.168.1.102=Server LAN IP address)
$ nmap -p 22 192.168.1.102
Starting Nmap 4.62 ( http://nmap.org )
Interesting ports on 192.168.1.102:
PORT STATE SERVICE
22/tcp open ssh
MAC Address: 00:40:96:AF:E3:0C (Cisco Systems)
Nmap done: 1 IP address (1 host up) scanned in 0.407 seconds
However 30 seconds later the port scan shows the following:
$ nmap -p 22 192.168.1.102
Starting Nmap 4.62 ( http://nmap.org )
Interesting ports on 192.168.1.102:
PORT STATE SERVICE
22/tcp filtered ssh
MAC Address: 00:40:96:AF:E3:0C (Cisco Systems)
Nmap done: 1 IP address (1 host up) scanned in 0.678 seconds
Again if the port knock is re-issued, an attempted ssh connection should be successful.
For debugging purposes, the contents received by the server can be visualized in the command prompt debug window. Once the server is up and thoroughly tested, the /etc/init.d/fwkop file should be modified and the -debug parameter removed (similar to process shown above).
V. Summary
Again our example demonstrated use of a Rijndael Single-Packet-Authentication Encrypted Packet that altered the hosts Iptable firewall and allowed temporary access to the underlying SSH port. The nmap port scanner utility verified that the server port was closed under normal operation, however was visible after the port knock was authenticated for a 30 second interval.
If interested I can provide additional details how-to encrypt the packet using GPG asymmetrical encryption (http://ubuntuforums.org/showthread.php?t=687173, http://ubuntuforums.org/showthread.php?t=649466)
Additionally I did not include examples of executing a process on the remote server, however an example of how to do this would be included in the /etc/fwknop/access.conf file.
Comments and additions are welcome.
Removal of FWKNOP
Assuming directory structure used in the guide (Again if using version number other than 1.9.3 please alter according to your configuration):
cd ~/Source/fwknop/fwknop-1.9.3
sudo perl ./install.pl --uninstall
sudo update-rc.d -f fwknop remove
Addendum
- FWKNOP SPA (Single Packet Authentication) Raw Data Packet (What the encrypted packet actually looks like when sniffed):
Raw packet data (single line): +CqkFkQUcR/9N5pdkpid6bZPnMJ60l49WOXm4/cDEDkL8xyC5nnPdmMZYCrTXkTyxWO1IsvrW6wWdyIhrOhFhOz0 kEknCuHl2Iiz4rs0ZOUG4etcPczuspp1FumPXbtdmnM7KmEAbT yFuGvYCWFMwZfoXjlhI0E75q3Yl2GAi974kfJi2hbI3L
- Contents of Encrypted Packet
Packet fields:
Random data: 7334473082601197
Username: <username>
Remote time: 1212209666
Remote ver: 1.9.4-pre3
Action type: 1 (SPA_ACCESS_MODE)
Action: 192.168.1.101,tcp/22
SHA256 digest: OmsuEDCXgYYzZ7WDnf+Jl2mt7EVYz2ixoIlLaCl2qmk
Server Commands
sudo ps -A | grep fwknop <---Will show if fwknop daemon is up and running. If fwknopd process is not listed then need to start fwknop daemon manually (sudo /etc/init.d/fwknop start)
More Fully Featured Firewall Script
#!/bin/sh
#
IPTABLES=/sbin/iptables
### flush existing rules and set chain policy setting to DROP
$IPTABLES -F
$IPTABLES -F -t nat
$IPTABLES -X
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP
### state tracking rules
$IPTABLES -A INPUT -m state --state INVALID -j DROP
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
### ACCEPT rules
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 22 -j DROP
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -m limit --limit 10/second -j ACCEPT
#Uncomment OutLines in RED if Logging is Required
### Create a LOGDROP chain to log dropped packets
#$IPTABLES -N LOGDROP
### Log Ruleset (Logs all packets not captured above, before dropping)
#Change the Following Parameters to Limit the amount of Logging
#LOGLIMIT="2/sec"
#LOGLIMITBURST="10"
#Log level may be one of the following: debug, info, notice, warning, warn, err, error, crit, alert, emerg, panic
#LOGLEVEL = debug
#$IPTABLES -A LOGDROP -i ! lo -p tcp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level $LOGLEVEL --log-prefix "TCP DROP: "
#$IPTABLES -A LOGDROP -i ! lo -p udp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level $LOGLEVEL --log-prefix "UDP DROP: "
#$IPTABLES -A LOGDROP -i ! lo -p icmp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level $LOGLEVEL --log-prefix "ICMP DROP: "
#$IPTABLES -A LOGDROP -i ! lo -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level #$LOGLEVEL --log-prefix "IPTABLES UNKNOWN-IN: "
### Log All Dropped Packets
#$IPTABLES -A INPUT -j LOGDROP
exit
References:
Port Knocking Description and Links to Port Knock Utilities: http://www.portknocking.org/
Port Knocking Wiki: http://en.wikipedia.org/wiki/Port_knocking
FWKNOP: http://www.cipherdyne.org/fwknop/
Using GnuPG in conjunction with FWKNOP: http://cipherdyne.org/fwknop/docs/gpghowto.html
List of Various Port Knocking Implementations: http://www.portknocking.org/view/implementations
NMAP Port Scanner: http://nmap.org/
OpenSSH server setup on Ubuntu: https://help.ubuntu.com/community/AdvancedOpenSSH
GnuPG Advanced Concepts: http://ubuntuforums.org/showthread.php?t=687173
HowTo Compile GPG (version 1 and 2) from SVN with IDEA and Camellia Ciphers: http://ubuntuforums.org/showthread.php?t=687173http://ubuntuforums.org/showthread.php?t=649466
- FWKNOP version 1.9.7 released 8-25-2008. Changes here as follows: http://trac.cipherdyne.org/trac/fwknop/browser/fwknop/tags/fwknop-1.9.7/ChangeLog
- FWKNOP version 1.9.6 released 7-19-2008. Changes/New Features will be updated once Change List is available. http://trac.cipherdyne.org/trac/fwknop/browser/fwknop/tags/fwknop-1.9.6/ChangeLog
- FWKNOP version 1.9.5 (server and client versions) released 6-8-2008. Minimal increased functionality with this release. Updates various perl libraries. Changes documented here: http://trac.cipherdyne.org/trac/fwknop/browser/fwknop/tags/fwknop-1.9.5/ChangeLog
Source code: http://www.cipherdyne.org/fwknop/download/fwknop-1.9.5.tar.gz
- FWKNOP version 1.9.4 (server and client versions) released 6-1-2008. Two randomization port techniques were added for the outgoing client SPA request to allow for use of a random UPD port. Additional details on use of these advanced techniques found: http://trac.cipherdyne.org/trac/fwknop/browser/fwknop/tags/fwknop-1.9.4/ChangeLog
Tested Platforms
Server Installations
Ubuntu, Arch
Client Installations
Ubuntu, Arch, Cygwin (Windows)
I. Overview of Port Knocking
Port knocking is a means of host-host communication which information flows through closed ports. Notice this remarkably differs from most other form of communications in which a listening daemon is connected to an open port, which is accessible to the outside world. With a Port Knocker daemon, since communication takes places through closed ports, the listening Port Knocker daemon is undetectable to exploitative port scanner utilities.
Although the exact implementation of each port knocking process differs between programs, the port knocking process may be thought of in general terms as:
1. A client sends a Port Knocking packet or "combination code -- such as a combination code used to unlock a padlock" to the listening daemon. In many cases this "combination code" can be encrypted using a symmetric cipher, or can be encrypted utilizing asymmetric techniques such as those employed in GnuPG with the use of symmetric ciphers and hashes.
2. A monitoring daemon on the server detects the Port Knocking packet or "combination code".
3. Based on the Port Knocking implementation the Port Knocking "combination code" unlocks a process on the server. In many cases the "combination code" acts to directly modify the servers firewall to open up a listening port on the server -- such as enabling port 22 providing for further communication through the OpenSSH protocol. In other cases an executable program is directly run on the monitoring server.
4. In all cases, there is no delivery confirmation of the received packet from the monitoring daemon back to the client. Communication is performed stealthly.
The complexity of the Port Knocking sequence or "lock combination" can vary widely. It could be as simple as a three-number unencrypted combination such as TCP port 1000, TCP port 2000, UPD port 3000. In other applications, the combination could be encrypted and contain confirmation hashes, time-based limits to when the knock sequence expires, specific IP address limitations, or specific executable commands or code that would be run on the server upon delivery of the packet. Also how the listening daemon actually detects the "knock sequence" -- whether through monitoring of the firewall logs, or through use of a packet capture utility such as PCAP (http://en.wikipedia.org/wiki/Pcap), varies among the actual Port Knocking implementation.
Historically Port Knocking processes have been maliciously implemented in rootkits and trojans horses, and have been involved in mass-scale DNS attacks. Based on the history of port-knocking, the wide use of Port Knocker utilities is a matter of controversy among security experts.
There are two however well known publicized benefits of Port Knocking utilities when utilized in combination of firewall IP table modification. They ideally would protect provide and additional layer of security for other listening processes (such as the OpenSSH server) from zero-day and unpatched code vulnerabilities. This is particularly applicable given the recent discovery ( 5-13-2008 ) of the OpenSSH exploit contained in Debian/Ubuntu distributions. Although this exploit has now been corrected, as a result of incorrect modification of the OpenSSH psuedo-random number generator algorithm, Debian/Ubuntu systems were vulnerable for well over 1 year. If a port knocker utility would have been in place protecting the OpenSSH server process, it is likely that exploitation of this vulnerability would have been minimized.
References:
Port Knocking Background
http://www.portknocking.org/
http://en.wikipedia.org/wiki/Port_knocking
Debian/Ubuntu OpenSSH vulnerabilty:
Please note all default Ubuntu Feisty,Gutsy,Hardy and Intrepid installations are considered to be at risk
http://lists.debian.org/debian-security-announce/2008/msg00152.html
http://www.ubuntu.com/usn/usn-612-1
http://ubuntuforums.org/showthread.php?t=793517
Other References:
Pcap - http://en.wikipedia.org/wiki/Pcap
Controversy with Use of Port Knockers as Discussed on Ubuntu Forums: http://ph.ubuntuforums.com/showthread.php?t=758666
II. Installation of the FWKNOP Port Knocking Application
FWKNOP Port Knocking Implementation
FWKNOP (FireWall KNock OPerator) - a specific port knocking application that implements Single Packet Authorization and allows for encrypted packet communication. (http://www.cipherdyne.org/fwknop/). There are other Port Knocking implementations (http://www.portknocking.org/view/implementations), however many are proof-of-concept designs, or are not being actively maintained. FWKNOP is under current active development. Michael Rash -- the author of the implementation -- has published several papers and books on the subject of Port Knocking and use of Linux Firewalls. In addition he is very responsive to user questions and concerns in regards to the FWKNOP implementation. In addition the FWKNOP daemon can be installed on Linux/BSD (Mac OS X) platforms, and clients are available for Linux, BSD (Mac), and Windows(through cygwin or utilizing a native GUI client).
Installation of FWKNOP Daemon (Server) on Ubuntu
Install Dependencies
sudo aptitude install build-essential linux-headers-$(uname -r) libpcap-dev nmap
Install Additional Perl Dependencies for FWKNOP ***Note: cpan method fails for Net::PCAP installation
cd ~
mkdir Source
cd Source
mkdir fwknop
cd fwknop
wget http://search.cpan.org/CPAN/authors/id/S/SA/SAPER/Net-Pcap-0.16.tar.gz
tar zxvf Net-Pcap-0.16.tar.gz
cd Net-Pcap-0.16.tar.gz
perl ./Makefile.PL
make
sudo make install
Download and install FWKNOP
cd ~
cd Source/fwknop
wget http://www.cipherdyne.org/fwknop/download/fwknop-1.9.3.tar.bz2
tar -jxvf fwknop-1.9.3.tar.bz2
cd fwknop-1.9.3
sudo ./install.pl (Please answer questions with install script using pcap library)
For users using versions <= 1.9.3 (Fixes run-level bug at startup)
sudo update-rc.d -f fwknop remove
sudo update-rc.d fwknop defaults 99
Verifying the Installation Process
(This is where it gets down and dirty!!)
Included in the FWKNOP sources is a test installation script to verify the FWKNOP installation and server capabilities.
By default, this process assumes there is a mail server executable located at /bin/mail. By default the fwknop server is designed to mail the server administrator notification everytime the fwknop process executes.
The test installation script produces many errors if an executable mail transfer agent (MTA) does not exist at /bin/mail.
--If you have a MTA (mail transfer agent) and would like to utilize this notification feature, I would recommend creating a symbolic link from /bin/mail to your preferred mailing program. This would be performed with the following code:
sudo ln -s <actual MTA/executable> /bin/mail
--If you do not have a MTA (mail transfer agent) and/or do not want to implement this notification feature, create a temporary link (this will be removed later) to allow the test program to complete
sudo ln -s /bin/echo /bin/mail
Now attempt to run the FWKNOP installation test to verify server integrity:
cd ~/Source/fwknop/fwknop-1.9.3/test
sudo perl fwknop_test.pl
Result of my test script appeared as the following:
$ sudo ~/Source/fwknop/fwknop-1.9.3/test/fwknop_test.pl
[+] ==> Running fwknop test suite; firewall: iptables <==
(Setup) perl program compilation....................................pas s (0)
(Setup) C program compilation....................................... pass (1)
(Setup) Command line argument processing............................pass (2)
(Setup) List iptables rules.........................................pass (3)
(Setup) System information and fwknop installation specifics........pass (4)
(Setup) Stopping any running fwknopd processes......................pass (5)
(Setup) Flushing all fwknopd iptables rules.........................pass (6)
(Setup) Deleting all fwknopd iptables chains........................pass (7)
(Basic communications) Generating SPA access packet.................pass (8)
(Basic communications) Sniffing SPA access packet...................pass (9)
(Basic communications) Verifying SPA access packet format...........pass (10)
(Basic communications) Firewall access rules exist..................pass (11)
(Sleeping for 5 (+3) seconds for firewall rule timeout)
8 7 6 5 4 3 2 1 0
(Basic communications) Firewall access rules removed................pass (12)
(Basic communications) Stopping all running fwknopd processes.......pass (13)
(Replay attacks, broken data) Rijndael key validity.................pass (14)
(Replay attacks, broken data) Replay detection - all digests........pass (15)
(Replay attacks, broken data) Replay detection - SHA256.............pass (16)
(Replay attacks, broken data) Replay detection - SHA1...............pass (17)
(Replay attacks, broken data) Replay detection - MD5................pass (18)
(Replay attacks, broken data) 100 random packets....................pass (19)
(Replay attacks, broken data) Truncated SPA packet..................pass (20)
(Replay attacks, broken data) Sniffing truncated SPA packet.........pass (21)
(Replay attacks, broken data) Firewall rules do not exist...........pass (22)
(Replay attacks, broken data) SPA packet with bogus key.............pass (23)
(Replay attacks, broken data) Sniffing broken SPA packet............pass (24)
(Replay attacks, broken data) Firewall rules do not exist...........pass (25)
(Internal digest alg mis-match) Generating SPA packet...............pass (26)
(Internal digest alg mis-match) Sniffing SPA packet.................pass (27)
(Internal digest alg mis-match) Verifying SPA packet format.........pass (28)
(Internal digest alg mis-match) Firewall access rules exist.........pass (29)
(Sleeping for 5 (+3) seconds for firewall rule timeout)
8 7 6 5 4 3 2 1 0
(Internal digest alg mis-match) Firewall access rules removed.......pass (30)
(Internal digest alg mis-match) Stopping all fwknopd processes......pass (31)
(Client timeout) Generating SPA access packet.......................pass (32)
(Client timeout) Sniffing SPA access packet.........................pass (33)
(Client timeout) Verifying SPA access packet format.................pass (34)
(Client timeout) Firewall access rules exist........................pass (35)
(Sleeping for 10 seconds for firewall rule timeout)
10 9 8 7 6 5 4 3 2 1 0
(Client timeout) Firewall access rules removed......................pass (36)
(Client timeout) Stopping all running fwknopd processes.............pass (37)
(Append data) Data appended to SPA packet...........................pass (38)
(Append data) Sniffing appended SPA packet..........................pass (39)
(Append data) Firewall rules exist..................................pass (40)
(Rijndael Salted__ compatibility) Generating SPA packet.............pass (41)
(Rijndael Salted__ compatibility) Sniffing SPA packet...............pass (42)
(Rijndael Salted__ compatibility) Verifying SPA format..............pass (43)
(Rijndael Salted__ compatibility) Rules exist.......................pass (44)
(Sleeping for 5 (+3) seconds for firewall rule timeout)
8 7 6 5 4 3 2 1 0
(Rijndael Salted__ compatibility) Rules removed.....................pass (45)
(Rijndael Salted__ compatibility) Stopping fwknopd..................pass (46)
(Non-promisc capture) Generating SPA access packet..................pass (47)
(Non-promisc capture) Sniffing SPA access packet....................pass (48)
(Non-promisc capture) Verifying sniffed SPA access packet...........pass (49)
(Non-promisc capture) Firewall access rules exist...................pass (50)
(Sleeping for 5 (+3) seconds for firewall rule timeout)
8 7 6 5 4 3 2 1 0
(Non-promisc capture) Firewall access rules removed.................pass (51)
(Non-promisc capture) Stopping all fwknopd processes................pass (52)
(SPA aging) Generating SPA access packet............................pass (53)
(SPA aging) Expired SPA packet detection............................pass (54)
(SPA aging) Making sure firewall rules do not exist.................pass (55)
(Require SRC) Generating SPA packet with 0.0.0.0 src addr...........pass (56)
(Require SRC) Sniffing packet with 0.0.0.0 src addr.................pass (57)
(Require SRC) Making sure firewall rules do not exist...............pass (58)
(Require user) Generating SPA packet with unauthorized user.........pass (59)
(Require user) Unauthorized user detection..........................pass (60)
(Require user) Making sure firewall rules do not exist..............pass (61)
(Permit ports) Generating unauthorized port access request..........pass (62)
(Permit ports) Unauthorized port access detection...................pass (63)
(Permit ports) Making sure firewall rules do not exist..............pass (64)
(Bogus src) Generating SPA packet from non-matching src.............pass (65)
(Bogus src) Verifying SPA access packet format......................pass (66)
(Bogus src) Non-matching SOURCE block...............................pass (67)
(Bogus src) Making sure firewall rules do not exist.................pass (68)
(Excluded src) Generating SPA packet from non-matching src..........pass (69)
(Excluded src) Verifying SPA access packet format...................pass (70)
(Excluded src) Non-matching SOURCE block............................pass (71)
(Excluded src) Making sure firewall rules do not exist..............pass (72)
(Blacklist src) Generating blacklisted SPA packet...................pass (73)
(Blacklist src) Verifying SPA access packet format..................pass (74)
(Blacklist src) Sniffing SPA packet.................................pass (75)
(Blacklist src) Making sure firewall rules do not exist.............pass (76)
(Multi-SOURCE) Generating SPA access packet.........................pass (77)
(Multi-SOURCE) Sniffing SPA access packet...........................pass (78)
(Multi-SOURCE) Verifying SPA access packet format...................pass (79)
(Multi-SOURCE) Firewall access rules exist..........................pass (80)
(Sleeping for 5 (+3) seconds for firewall rule timeout)
8 7 6 5 4 3 2 1 0
(Multi-SOURCE) Firewall access rules removed........................pass (81)
(Multi-SOURCE) Stopping running fwknopd processes...................pass (82)
(GnuPG) Generating SPA access packet................................pass (83)
(GnuPG) Sniffing SPA access packet to acquire access................pass (84)
(GnuPG) Verifying sniffed SPA access packet format..................pass (85)
(GnuPG) Firewall access rules exist.................................pass (86)
(Sleeping for 5 (+3) seconds for firewall rule timeout)
8 7 6 5 4 3 2 1 0
(GnuPG) Firewall access rules removed...............................pass (87)
(GnuPG) Stopping all running fwknopd processes......................pass (88)
(Command execution) Generating SPA command packet...................pass (89)
(Command execution) Sniffing SPA command packet and executing.......pass (90)
(Command execution) Verifying SPA command packet format.............pass (91)
(Command execution) Making sure firewall rules do not exist.........pass (92)
(Command execution) Non-matching regex command packet...............pass (93)
(Command execution) SPA command packet filtered.....................pass (94)
(Command execution) Making sure firewall rules do not exist.........pass (95)
(FORWARD chain) Stopping all running fwknopd processes..............pass (96)
(FORWARD chain) Generating FORWARD chain access packet..............pass (97)
(FORWARD chain) FORWARD request detection...........................pass (98)
(FORWARD chain) FORWARD and DNAT access rules.......................pass (99)
(FORWARD chain) Verifying SPA FORWARD access packet format..........pass (100)
(Sleeping for 5 (+3) seconds for firewall rule timeout)
8 7 6 5 4 3 2 1 0
(FORWARD chain) Making sure firewall rules are removed..............pass (101)
(FORWARD chain) Generating FORWARD access SPA packet................pass (102)
(FORWARD chain) Verifying SPA FORWARD access packet format..........pass (103)
(FORWARD chain) FORWARD access to restricted IP.....................pass (104)
(FORWARD chain) Firewall rules do not exist.........................pass (105)
(OUTPUT chain) Stopping all running fwknopd processes...............pass (106)
(OUTPUT chain) Generating OUTPUT chain access packet................pass (107)
(OUTPUT chain) OUTPUT access rules..................................pass (108)
(OUTPUT chain) Verifying OUTPUT access packet format................pass (109)
(Sleeping for 5 (+3) seconds for firewall rule timeout)
8 7 6 5 4 3 2 1 0
(OUTPUT chain) Making sure firewall rules are removed...............pass (110)
(Filesystem tcpdump capture) Sniffing over lo.......................pass (111)
(Filesystem tcpdump capture) Stopping fwknopd processes.............pass (112)
(Filesystem tcpdump capture) Generating SPA packet..................pass (113)
(Filesystem tcpdump capture) SPA communications via file............pass (114)
(Filesystem tcpdump capture) Firewall access rules exist............pass (115)
(Sleeping for 5 (+3) seconds for firewall rule timeout)
8 7 6 5 4 3 2 1 0
(Filesystem tcpdump capture) Rules removed..........................pass (116)
Stopping all running fwknopd processes..............................pass (117)
Deleting all fwknopd iptables chains................................pass (118)
Verifying SPA digest file format....................................pass (119)
Collecting fwknop syslog messages...................................pass (120)
[+] ==> Passed 121/121 tests against fwknop. <==
[+] This console output has been stored in: test.log
Please note that it is not necessary to pass all steps. I still had one error at the conclusion of the test process (but still have a functioning server). If you receive any fails to the process above, further information regarding each particular step can be found in:
~/Source/fwknop/fwknop-1.9.3/test/output/std.stdout.<test_number>
cd ~/Source/fwknop/fwknop-1.9.3/test/output/std.stderr.<test_number>
These files are simple text files. I would recommend reading each file and post the particular debugging message in this forum if you are unable to troubleshoot the source of the error yourself.
III. Configuration of the FWKNOP Port Knocking Daemon
There are only two actual configuration files (fwknop.conf, access.conf) for the FWKNOP daemon process. These files are located in /etc/fwknop. Access to this directory can only be done as root. To access these files do the following:
sudo su
cd /etc/fwknop
gksu gedit <filename> (examples: gsku gedit fwknop.conf, gksu gedit access.conf)
exit
Modification of the /etc/fwknop/fwknop.conf file (Optional):
1. Changed ALERTING_METHODS from ALL -> noemail
---Rationale for doing this: I do not have a MTA (mail transfer agent) installed on my machine and would not like to receive email alerts everytime port knocker utility is accessed
2. Changed shCmd from /bin/sh -> /bin/bash
Modification of the /etc/fwknop/access.conf file (Mandatory)
The access.conf file is the heart of the Port Knocking Daemon. Options in this file control who can send packets, what incoming ports to open in the firewall after verification of the port knock, the duration of time to keep the port open for incoming connections, the type of encryption method expected for the port knock (symmetric vs asymmetric), and commands are to be execute on the fwknop daemon server. Example configurations are given in the file.
IV. Putting it All Together -- An Illustrative Example
The following example will demonstrate setup of a FWKNOP daemon server that allows a port knocking sequence to temporarily open the ssh incoming port (port 22) for 30 seconds, to allow an incoming ssh connection. For this first example I will assume the Single Packet Authentication (SPA) Port Knocking Sequence will be encoded using Rijndael encryption.
Requirements for Setup
1. Two separate computers - one acting as the fwknop/ssh client, and the other acting as the fwnkop/ssh daemon server. The client must have a valid ssh account on the server.
2. A running OpenSSH daemon on the server
3. An active Iptables Firewall on the server(which is turned off by default).
4. A port scanner on the client machine to verify opening an closure of the incoming port on the server (Port 22). Nmap will be our chosen port scanner.
5. Verification Steps to Ensure Everything is Working as Expected (Mostly applicable to server).
Client and Server Setup
(A Full explanation for the OpenSSH server setup may be found here: https://help.ubuntu.com/community/AdvancedOpenSSH)
Client Machine
OpenSSH
Client Operating System Platform:
Ubuntu (Linux Machine) or Mac OS X - OpenSSH client installed by default at time of installation.
Windows - OpenSSH client provided by installation of either cygwin (http://www.cygwin.com/) or putty(http://www.chiark.greenend.org.uk/~sgtatham/putty/).
FWKNOP
Client Operating System Platform:
Ubuntu (Linux) / MAC OSX - Follow instructions to install server as above. Server installation will automatically install a command line client program.
Windows - GUI client found here: http://www.cipherdyne.org/fwknop/download/. Additionally a command line cygwin client is also available by contacting the FWKNOP author.
Server Machine: Platform Ubuntu Linux
OpenSSH Server Installation
sudo aptitude install openssh-server
The server can be further enhanced to allow key-based authentication and disallow password based authentication. This would allow for the most secure authentication mechanism. If using key based authentication, I would recommend at least 2048 or 4096 byte rsa keys (1024 byte keys are the default).
FWKNOP Server Installation
Please see steps mentioned previously in this guide.
A Listening OpenSSH Server
By default the OpenSSH server listens on port 22. It is recommended this default port number be changed for security reasons via alteration of the /etc/ssh/sshd_config, however this example will assume port 22.
The OpenSSH server can be stopped and started via the following commands:
sudo /etc/init.d/ssh stop
sudo /etc/init.d/ssh start
Confirmation that the ssh daemon is listening is provided by netstat command providing output similar to:
$ sudo netstat -anlp | grep sshd
tcp6 0 0 :::22 :::* LISTEN 4396/sshd
The above shows a sshd listening process on port 22.
Please confirm that an ssh connection from client to server can be completed at this stage:
Client Machine:
ssh <user>@<IP_address_server>
Example
$ ssh sue@192.168.1.102
Ubuntu 8.04
Linux sudarshan 2.6.24-16-generic #1 SMP Thu Apr 10 13:23:42 UTC 2008 i686
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
Last login: Thu May 29 22:24:58 2008 from 192.168.1.101
Linux sudarshan 2.6.24-16-generic #1 SMP Thu Apr 10 13:23:42 UTC 2008 i686
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
sue@sudarshan:~$
IPTables Firewall Setup on Server Machine
***If you already have an existing Iptables firewall established, please save the old configuration via:
sudo iptables-save -c > /etc/iptables-save
Later the iptables can be restored if needed:
cat /etc/iptables-save | sudo iptables-restore -c
****
Flush/Reset the iptables rule set to allow all ports:
sudo /sbin/iptables -F
sudo /sbin/iptables -F -t nat
sudo /sbin/iptables -X
From the client machine verify the ssh port on the server is open and visible to the outside world (Example assuming 192.168.1.102 is the IP address of the server - change depending on your configuration):
$ nmap -p 22 192.168.1.102
Starting Nmap 4.62 ( http://nmap.org )
Interesting ports on 192.168.1.102:
PORT STATE SERVICE
22/tcp open ssh
MAC Address: 00:40:96:AF:E3:0C (Cisco Systems)
Nmap done: 1 IP address (1 host up) scanned in 0.453 seconds
Note the result above demonstrates that port 22 is open on the server and the ssh service is listening.
Next establish some basic firewall rules (Note that this will close all incoming connections -- please be aware of this -- modify to your specific situation -- Please note that this is an extremely basic firewall blocking all incoming connections other than those already established. In a production environment you would want to actually want a more fully featured firewall ruleset, but would want the default ruleset for port 22 (or ssh port) to be set to DROP ):
sudo /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
sudo /sbin/iptables -A INPUT -i ! lo -j DROP
Manually verify from the client that the server ssh port 22 is closed:
$ nmap -p 22 192.168.1.102
Starting Nmap 4.62 ( http://nmap.org )
Interesting ports on 192.168.1.102:
PORT STATE SERVICE
22/tcp filtered ssh
MAC Address: 00:40:96:AF:E3:0C (Cisco Systems)
Nmap done: 1 IP address (1 host up) scanned in 0.660 seconds
Notice the difference in the results of the two nmap port scans:
Open Port 22: 22/tcp open ssh
Closed Port 22: 22/tcp filtered ssh
Verification could also be completed attempting to make a successful ssh connection from client to server. With port 22 open, a connection should be established. With port 22 closed, an attempted connection should time out:
$ ssh sue@192.168.1.102
ssh: connect to host 192.168.1.102 port 22: Connection timed out
Port Scanner Setup on Client Machine
If following the instructions, the nmap port scanner utility should already be installed. If you have not installed nmap:
sudo aptitude install nmap
Using nmap please verify that port 22 on the server is currently closed (or filtered), since the fwknop daemon will later act to dynamically open the port:
$ nmap -p 22 192.168.1.102
Starting Nmap 4.62 ( http://nmap.org )
Interesting ports on 192.168.1.102:
PORT STATE SERVICE
22/tcp filtered ssh
MAC Address: 00:40:96:AF:E3:0C (Cisco Systems)
Nmap done: 1 IP address (1 host up) scanned in 0.675 seconds
Please also verify that the OpenSSH server is listening on port 22 on the server behind the firewall:
On server machine:
$ sudo netstat -anlp | grep sshd
tcp6 0 0 :::22 :::* LISTEN 4396/sshd
FWKNOP Daemon Setup on Server
Configuration of the server's FWKNOP access.conf file
For this example's purpose, we are going to consider the fwknop password = Ubuntu2008. This password will act as the shared secret key for the Rijndael symmetric cipher. When authenticating the password, the server will open port 22 for incoming connections for a maximum of 30 seconds to allow for an establishment of a ssh connection.
gksu gedit /etc/fwknop/access.conf &
At the conclusion of the examples and comments:
SOURCE: ANY;
OPEN_PORTS: tcp/22;
DATA_COLLECT_MODE: PCAP;
KEY: Ubuntu2008;
FW_ACCESS_TIMEOUT: 30;
**Additionally when using the Windows Client GUI I had to make the following modification to the server's /etc/fwknop/fwknop.conf. This may not be applicable to your situation.
ENABLE_SPA_PACKET_AGING N;
The fwknop daemon is usually stopped/stared using the following syntax:
sudo /etc/init.d/fwknop stop
sudo /etc/init.d/fwknop start
For this tutorial, the fwknop daemon will be run in debug mode to see the process occuring on the server. The server will be started in debug mode in the terminal and the output sent to the terminal:
cd ~/Source/fwknop/fwknop-1.9.3
sudo perl ./fwknopd --debug
To kill the server later, hit Cntl-C while in the command window.
Putting It All Together and Unlocking the Port
With the fwknop daemon running on the server, use the fwknop client to issue the port knock. For command line clients (Change IP address given your particular setup -- My setup 192.168.1.101=LAN IP address of client, 192.168.1.102=LAN IP address of Server), the fwknop command has the following syntax:
fwknop -A <protocol/port> -a <client IP address> -D <server IP address>
This is one example of how to use the client. Additional options, switches can be found here: http://www.cipherdyne.org/fwknop/docs/manpages/fwknop.html
$ fwknop -A tcp/22 -a 192.168.1.101 -D 192.168.1.102
[+] Starting fwknop client (SPA mode)...
[+] Enter an encryption key. This key must match a key in the file
/etc/fwknop/access.conf on the remote system.
Encryption Key:
[+] Building encrypted Single Packet Authorization (SPA) message...
[+] Packet fields:
Random data: 5817642240590499
Username: <username>
Timestamp: 1212123357
Version: 1.9.4-pre3
Type: 1 (access mode)
Access: 192.168.1.101,tcp/22
SHA256 digest: NvUBz8l+T76KPqOSwvLMJO1n6sNjTLjuScSz6IIp5m8
[+] Sending 182 byte message to 192.168.1.102 over udp/62201...
After performing this knocking sequence, a nmap port scan of the server should show the following (My setup 192.168.1.102=Server LAN IP address)
$ nmap -p 22 192.168.1.102
Starting Nmap 4.62 ( http://nmap.org )
Interesting ports on 192.168.1.102:
PORT STATE SERVICE
22/tcp open ssh
MAC Address: 00:40:96:AF:E3:0C (Cisco Systems)
Nmap done: 1 IP address (1 host up) scanned in 0.407 seconds
However 30 seconds later the port scan shows the following:
$ nmap -p 22 192.168.1.102
Starting Nmap 4.62 ( http://nmap.org )
Interesting ports on 192.168.1.102:
PORT STATE SERVICE
22/tcp filtered ssh
MAC Address: 00:40:96:AF:E3:0C (Cisco Systems)
Nmap done: 1 IP address (1 host up) scanned in 0.678 seconds
Again if the port knock is re-issued, an attempted ssh connection should be successful.
For debugging purposes, the contents received by the server can be visualized in the command prompt debug window. Once the server is up and thoroughly tested, the /etc/init.d/fwkop file should be modified and the -debug parameter removed (similar to process shown above).
V. Summary
Again our example demonstrated use of a Rijndael Single-Packet-Authentication Encrypted Packet that altered the hosts Iptable firewall and allowed temporary access to the underlying SSH port. The nmap port scanner utility verified that the server port was closed under normal operation, however was visible after the port knock was authenticated for a 30 second interval.
If interested I can provide additional details how-to encrypt the packet using GPG asymmetrical encryption (http://ubuntuforums.org/showthread.php?t=687173, http://ubuntuforums.org/showthread.php?t=649466)
Additionally I did not include examples of executing a process on the remote server, however an example of how to do this would be included in the /etc/fwknop/access.conf file.
Comments and additions are welcome.
Removal of FWKNOP
Assuming directory structure used in the guide (Again if using version number other than 1.9.3 please alter according to your configuration):
cd ~/Source/fwknop/fwknop-1.9.3
sudo perl ./install.pl --uninstall
sudo update-rc.d -f fwknop remove
Addendum
- FWKNOP SPA (Single Packet Authentication) Raw Data Packet (What the encrypted packet actually looks like when sniffed):
Raw packet data (single line): +CqkFkQUcR/9N5pdkpid6bZPnMJ60l49WOXm4/cDEDkL8xyC5nnPdmMZYCrTXkTyxWO1IsvrW6wWdyIhrOhFhOz0 kEknCuHl2Iiz4rs0ZOUG4etcPczuspp1FumPXbtdmnM7KmEAbT yFuGvYCWFMwZfoXjlhI0E75q3Yl2GAi974kfJi2hbI3L
- Contents of Encrypted Packet
Packet fields:
Random data: 7334473082601197
Username: <username>
Remote time: 1212209666
Remote ver: 1.9.4-pre3
Action type: 1 (SPA_ACCESS_MODE)
Action: 192.168.1.101,tcp/22
SHA256 digest: OmsuEDCXgYYzZ7WDnf+Jl2mt7EVYz2ixoIlLaCl2qmk
Server Commands
sudo ps -A | grep fwknop <---Will show if fwknop daemon is up and running. If fwknopd process is not listed then need to start fwknop daemon manually (sudo /etc/init.d/fwknop start)
More Fully Featured Firewall Script
#!/bin/sh
#
IPTABLES=/sbin/iptables
### flush existing rules and set chain policy setting to DROP
$IPTABLES -F
$IPTABLES -F -t nat
$IPTABLES -X
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP
### state tracking rules
$IPTABLES -A INPUT -m state --state INVALID -j DROP
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
### ACCEPT rules
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 22 -j DROP
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -m limit --limit 10/second -j ACCEPT
#Uncomment OutLines in RED if Logging is Required
### Create a LOGDROP chain to log dropped packets
#$IPTABLES -N LOGDROP
### Log Ruleset (Logs all packets not captured above, before dropping)
#Change the Following Parameters to Limit the amount of Logging
#LOGLIMIT="2/sec"
#LOGLIMITBURST="10"
#Log level may be one of the following: debug, info, notice, warning, warn, err, error, crit, alert, emerg, panic
#LOGLEVEL = debug
#$IPTABLES -A LOGDROP -i ! lo -p tcp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level $LOGLEVEL --log-prefix "TCP DROP: "
#$IPTABLES -A LOGDROP -i ! lo -p udp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level $LOGLEVEL --log-prefix "UDP DROP: "
#$IPTABLES -A LOGDROP -i ! lo -p icmp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level $LOGLEVEL --log-prefix "ICMP DROP: "
#$IPTABLES -A LOGDROP -i ! lo -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level #$LOGLEVEL --log-prefix "IPTABLES UNKNOWN-IN: "
### Log All Dropped Packets
#$IPTABLES -A INPUT -j LOGDROP
exit
References:
Port Knocking Description and Links to Port Knock Utilities: http://www.portknocking.org/
Port Knocking Wiki: http://en.wikipedia.org/wiki/Port_knocking
FWKNOP: http://www.cipherdyne.org/fwknop/
Using GnuPG in conjunction with FWKNOP: http://cipherdyne.org/fwknop/docs/gpghowto.html
List of Various Port Knocking Implementations: http://www.portknocking.org/view/implementations
NMAP Port Scanner: http://nmap.org/
OpenSSH server setup on Ubuntu: https://help.ubuntu.com/community/AdvancedOpenSSH
GnuPG Advanced Concepts: http://ubuntuforums.org/showthread.php?t=687173
HowTo Compile GPG (version 1 and 2) from SVN with IDEA and Camellia Ciphers: http://ubuntuforums.org/showthread.php?t=687173http://ubuntuforums.org/showthread.php?t=649466