Portknocking for SSH and other services

shel
Posts: 304
Joined: Fri Jan 13, 2006 11:25 am
Location: Uzes, France or Seattle, WA, USA

Portknocking for SSH and other services

Unread postby shel » Sat Jan 28, 2006 11:19 am

In another thread ...
Alver wrote:You use port knocking for ssh? That's most interesting... perhaps something for a different thread, otherwise this one might go somewhat off-topic ;) I found the port knocking idea remarkable but never tried it, I don't run many services anyway (ircd and ssh only, and ssh is restricted to one single host... so I'm not really in need of it).

I used to just have the SSH port open to the civilized world, but the number of attacks it attracted convinced me to close it off to everything but my LAN and certain known locations.

I still needed occasional SSH access from unanticipated locations, though, so I implemented a really simple portknocking arrangement. It uses a special "knocking" port to detect the IP address of a potential SSH user. SSH is still restricted to certain users, of course; the knocking arrangement just allows me to keep the SSH port closed except to certain IP addresses. You knock on one port, and the other port opens.

I did it this way:

Open the SSH port bidirectionally through the firewall. Forward those packets to the portknocking/SSH machine.

Open a non-privileged port to incoming connections through the firewall. Forward those packets to the portknocking/SSH machine, too.

Don't allow any outgoing packets on the "knocking" port.

On the portknocking/SSH machine, restrict SSH access by IP address (I use ipfilter) at the machine level.

On the portknocking/SSH machine, log any connections to the "knocking" port.

Attached to that port, a shell script detects a connection, waits a bit, parses the log to grab the IP address of the connecting client, and tells ipfilter to open the SSH port to that IP address. The script is attached to the port via the usual /etc/services and /etc/init.d method.

That's about as simple as it can get. I wouldn't rate it as "NSA-quality" security, since it depends on obscurity, but a potential attacker would have to guess the knocking port number, know a certain characteristic about his connection to it, and know how long to wait for the SSH connection to become active.

It's been in place for over a year, it's been really handy, it's been completely reliable, and the knocking port hasn't even been probed, much less exploited. The closed-off SSH port gets probed many times a day.

I imagine this would work for almost any service.

-Shel

squeen
Moderator
Posts: 2933
Joined: Fri May 09, 2003 6:10 am
Location: Maryland, USA

Unread postby squeen » Sat Jan 28, 2006 7:14 pm

Clever! Thanks for sharing that. You could go one step further and have a "secret knock". A sequence of port knocks in a required order before ssh would open up.
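
The knock monitor below is an added example, not code from shel's setup or from anyone in this thread. It simulates the scheme shel describes (connections to a knocking port are logged, the log is parsed for the client IP, and an ipfilter rule opening SSH to that IP is produced) and squeen's extension (the knocks must arrive on several ports in a required order within a time window). A one-port sequence reproduces shel's single-knock case. The log line format, the port numbers, the time window and the exact rule text are all assumptions made for the illustration.

```python
"""Port-knock monitor over a constructed connection log.

Added example, not from the forum thread. Assumptions:
  - log lines look like "<epoch seconds> <client ip> <destination port>"
    (a constructed format, not the output of any real daemon);
  - KNOCK_SEQUENCE and KNOCK_WINDOW are illustrative values;
  - the emitted rule uses ipfilter's ipf.conf syntax as an illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

SSH_PORT = 22
KNOCK_SEQUENCE = [7000, 8000, 9000]   # assumed secret order; [7000] = single knock
KNOCK_WINDOW = 10.0                   # seconds in which the whole sequence must arrive

# Constructed log format: "<ts> <ip> <port>"
LOG_LINE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<port>\d+)$"
)


def ipfilter_rule(ip: str) -> str:
    """ipf-style rule opening the SSH port to one client address."""
    return f"pass in quick proto tcp from {ip} to any port = {SSH_PORT} keep state"


@dataclass
class KnockState:
    progress: int = 0     # how many knocks of the sequence have matched so far
    started: float = 0.0  # timestamp of the first knock in the current attempt


class KnockMonitor:
    def __init__(self, sequence=KNOCK_SEQUENCE, window=KNOCK_WINDOW):
        self.sequence = list(sequence)
        self.window = window
        self.states: dict[str, KnockState] = {}

    def feed(self, line: str) -> str | None:
        """Consume one log line; return a firewall rule when a client completes the sequence."""
        m = LOG_LINE.match(line.strip())
        if not m:
            return None
        ts, ip, port = float(m["ts"]), m["ip"], int(m["port"])
        if port not in self.sequence:
            return None                       # traffic to unrelated ports never touches state
        st = self.states.setdefault(ip, KnockState())
        if st.progress and ts - st.started > self.window:
            st.progress = 0                   # attempt timed out: start over
        expected = self.sequence[st.progress]
        if port != expected:
            # wrong order: reset, but a correct first knock begins a new attempt
            st.progress = 1 if port == self.sequence[0] else 0
            st.started = ts
            return None
        if st.progress == 0:
            st.started = ts
        st.progress += 1
        if st.progress == len(self.sequence):
            del self.states[ip]               # completed: clear so a replay must knock again
            return ipfilter_rule(ip)
        return None


def run(log_text: str, sequence=KNOCK_SEQUENCE, window=KNOCK_WINDOW) -> list[str]:
    """Feed every log line through a monitor and collect the rules it emits."""
    mon = KnockMonitor(sequence, window)
    rules = []
    for line in log_text.splitlines():
        rule = mon.feed(line)
        if rule:
            rules.append(rule)
    return rules


# Constructed sample log: one client knocks in order, one in the wrong order,
# one in order but too slowly.
SAMPLE_LOG = """\
100.0 203.0.113.5 7000
101.0 203.0.113.5 8000
102.0 203.0.113.5 9000
200.0 198.51.100.9 7000
201.0 198.51.100.9 9000
202.0 198.51.100.9 8000
300.0 192.0.2.77 7000
320.0 192.0.2.77 8000
321.0 192.0.2.77 9000
"""

if __name__ == "__main__":
    for rule in run(SAMPLE_LOG):
        print(rule)   # only 203.0.113.5 completes the sequence
```

With the three-port sequence only the first client earns a rule; with `run(SAMPLE_LOG, [7000])` every client that touched port 7000 does, which is the behaviour of shel's single knocking port. Knocks to ports outside the sequence are ignored rather than counted as errors, so scanning noise on other ports does not disturb a client part-way through a correct sequence, and a completed sequence clears the client's state so the same knocks have to be repeated for the next opening.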

foetz
Moderator
Posts: 6544
Joined: Mon Apr 14, 2003 4:34 am

Unread postby foetz » Sat Jan 28, 2006 7:19 pm


shel
Posts: 304
Joined: Fri Jan 13, 2006 11:25 am
Location: Uzes, France or Seattle, WA, USA

Unread postby shel » Sat Jan 28, 2006 8:57 pm

squeen wrote:Clever! Thanks for sharing that. You could go one step further and have a "secret knock". A sequence of port knocks in a required order before ssh would open up.

I'm sure much more sophisticated implementations are possible. Foetz supplies a reference (above) to http://www.portknocking.org, which has all sorts of stuff.

My method is adequate for the use to which it's being put, and has the virtue of simplicity, but it's not slick.

-Shel
