Kroon Information Systems

Portknock is a simple program to do port knocking. What is port knocking? I'm not exactly sure where the term comes from, but as far as I understand it you "knock" on a port by sending it a single SYN packet and then never completing the TCP handshake. On its own that is what a port scan or a SYN storm (a type of denial-of-service attack) looks like.

So what does portknock do for me anyway? It is simply a program that taps into your firewall's logging (ulogport can be used to do this for iptables) and then, depending on the knocks it receives, executes certain commands on the server. This can be used, for example, to open ssh to a specific IP address for a specific period of time (a sample script is included for a simplistic firewall; it would be better to create separate portknock_in and portknock_out chains). Any command can be associated with a knock sequence and executed on the server.

How does it work? This is probably the hardest question to answer, although conceptually it is very simple: the client sends a series of SYN packets to the server and never expects anything back (which caused quite a bit of confusion), and the server, on receiving these packets, executes the associated command.

At a more practical level, the server must have a range of 256 consecutive ports that are not used for anything else (any real traffic to those ports would otherwise be fed into the knock queue). Your firewall should be configured to log incoming SYN packets to those ports to the portknock server (iptables to ULOG to ulogport works for me), one line per packet formatted as "destination_port source_ip". portknockd then processes each line as follows:

1. It checks whether the destination port is in the valid range and, if so, appends it to the queue.
2. It checks the queue for a sequence of the correct length from the last IP it received a packet from.
3. If such a sequence exists, it subtracts the base port from each port to get a sequence of byte values from 0 to 255, packs them into a block and decrypts the block with the Rijndael algorithm (at the time of writing anyway), using as the key the MD5 hash of a passphrase.
4. It verifies the checksum (actually just an 8-bit XOR parity byte) and then parses the decrypted data.
5. If all of that succeeds, the command associated with the decrypted sequence is executed.

The portknock client does the reverse: it constructs the plaintext sequence, encrypts it, unpacks the ciphertext into port numbers and sends one SYN packet to each. I still need timeout code for Windows; it definitely will not support alarm().
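The following is an added example, not code from the portknock package, modelling both sides of the exchange described above (the server steps and the client's reverse of them) in Go with the standard library's AES (Rijndael) and MD5. Everything the page leaves open is an assumption here: the knock range starts at port 40000, one knock sequence is one 16-byte AES block (16 knocks), the plaintext layout is a command id byte, zero padding and a trailing XOR parity byte, the daemon keeps one queue per source address and slides it, a "{ip}" placeholder in the command is replaced by the knocker's address, and the log lines fed in are constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/md5"
	"fmt"
	"strings"
)

const (
	basePort = 40000         // assumed start of the 256-port knock range (not fixed by the page)
	blockLen = aes.BlockSize // one sequence = one AES block = 16 knocks (assumed)
)

// Knocker: cipher keyed with MD5(passphrase), per-source knock queues, command table ("{ip}" = knocker's IP).
type Knocker struct {
	block    cipher.Block
	queues   map[string][]int
	commands map[byte]string
}

func NewKnocker(passphrase string, commands map[byte]string) (*Knocker, error) {
	key := md5.Sum([]byte(passphrase)) // 128-bit digest used directly as the AES-128 key
	b, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return &Knocker{block: b, queues: map[string][]int{}, commands: commands}, nil
}

// parity is the page's "crc": the XOR of every byte in b.
func parity(b []byte) (p byte) {
	for _, x := range b {
		p ^= x
	}
	return p
}

// EncodeKnock is the client side. Assumed plaintext layout: byte 0 = command id,
// bytes 1..14 = 0, byte 15 = XOR of bytes 0..14, so the XOR of the whole block is 0.
// One raw block encryption; each ciphertext byte plus basePort is a port to SYN, in order.
func (k *Knocker) EncodeKnock(cmd byte) []int {
	plain := make([]byte, blockLen)
	plain[0] = cmd
	plain[blockLen-1] = parity(plain[:blockLen-1])
	ct := make([]byte, blockLen)
	k.block.Encrypt(ct, plain)
	ports := make([]int, blockLen)
	for i, b := range ct {
		ports[i] = basePort + int(b)
	}
	return ports
}

// Feed is the server side: one firewall log line "destination_port source_ip" per call.
// Out-of-range ports are ignored; the rest are queued per source, keeping only the last
// blockLen knocks so a stray packet cannot wedge the queue. A full queue is decrypted and
// checked; the command to run is returned, or "" if no valid sequence is complete yet.
func (k *Knocker) Feed(line string) (string, error) {
	port, src := 0, ""
	if n, _ := fmt.Sscanf(line, "%d %s", &port, &src); n != 2 {
		return "", fmt.Errorf("malformed log line %q", line)
	}
	if port < basePort || port >= basePort+256 {
		return "", nil // not a knock port
	}
	q := append(k.queues[src], port)
	if len(q) > blockLen {
		q = q[len(q)-blockLen:]
	}
	k.queues[src] = q
	if len(q) < blockLen {
		return "", nil
	}
	ct, plain := make([]byte, blockLen), make([]byte, blockLen)
	for i, p := range q {
		ct[i] = byte(p - basePort) // undo the base-port offset: back to 0..255
	}
	k.block.Decrypt(plain, ct)
	if parity(plain) != 0 {
		return "", nil // wrong key, noise, or sequence not complete yet
	}
	cmd, ok := k.commands[plain[0]]
	if !ok {
		return "", nil // parity passes by chance 1 time in 256; the id table filters that
	}
	delete(k.queues, src) // sequence consumed
	return strings.ReplaceAll(cmd, "{ip}", src), nil
}

func main() {
	k, _ := NewKnocker("example passphrase", map[byte]string{1: "iptables -I INPUT -s {ip} -p tcp --dport 22 -j ACCEPT"})
	ports := k.EncodeKnock(1)
	for _, p := range append([]int{basePort + 7}, ports...) { // constructed input: one stray knock, then the sequence
		fmt.Println(k.Feed(fmt.Sprintf("%d 203.0.113.5", p))) // prints the command once the full sequence is in
	}
}
```

Feed never executes anything itself; the caller hands the returned string to the shell, which is where the sample firewall script would plug in. Two properties of this assumed layout are worth knowing before relying on it: the 8-bit parity byte lets one random block in 256 through, so the command-id lookup is the real filter, and because the plaintext for a given command never changes, its port sequence is fixed and can be replayed by anyone who captured the SYNs; putting a timestamp or counter into the spare plaintext bytes and rejecting stale or repeated blocks would close that.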

Download: portknock-1.0.tar.gz (30KB)