We blogged about ipt_pkd in our previous posts here.
So, “ipt_pkd is an iptables extension implementing port knock detection. This project provides 3 parts: the kernel module ipt_pkd, the iptables user space module libipt_pkd.so, and a user space client knock program. For the knock packet, it uses a UDP packet sent to a random port that contains a SHA-256 of a time-stamp, small header, random bytes, and a shared key. ipt_pkd checks the time window of the packet and does the SHA-256 to verify the packet. The shared key is never sent.”
Now, ipt_pkd has been updated to version 1.6!
These are the changes made: This version was updated for Linux 2.6.32 and iptables 1.4.6. A new knock client was added, written in C# and works on both Linux and Windows and encrypts configuration data. A pre-built kernel module, an iptables library for vyatta community edition 5, and a small install script for vyatta were added.
If you have read our last few posts, you already what a port knock is. We had mentioned about it here when we wrote about winKnocks. Today, we are going to blog about ipt_pkd.
Port knocking per se can be very dangerous if you were to try it on your own firewall without any authentication mechanism. winKnocks is a good option though its implementation is mainly for Windows. So what do you do to protect your Linux based firewall, when you do want to use an option of port knocking? Simple – use ipt_pkd! ipt_pkd is an iptables extension implementing port knock detection. It makes use of single packet authorization. The knock packet is a sha256 of a timestamp, some random bytes, a small header, and a shared key, sent via udp. The timestamp and the bytes are passed in the packet so the server can do the sha256 and compare the results. If its a match then the pkd module returns true, otherwise false and any more packets from the sender are dropped. To eliminate a replay attack, the source and destination ports are used in the hash!
There are two versions – one in C and the other in Python. The open source package has a small python script-knock.py which is a python implementation of ipt_pkd which reads the necessary information from ipt_pkd.ini. You can have it accept 3 options – a 40 bytes long-hex-shared key, a window (time until it waits for a valid knock from a system) and a 4 byte long tag which helps in speeding up the processing. You can make use of “hitcount” to maintain a control over the number of times you would like the knock until it is dropped,reset, etc.
