We blogged about ipt_pkd in our previous posts here.
So, “ipt_pkd is an iptables extension implementing port knock detection. This project provides 3 parts: the kernel module ipt_pkd, the iptables user space module libipt_pkd.so, and a user space client knock program. For the knock packet, it uses a UDP packet sent to a random port that contains a SHA-256 of a time-stamp, small header, random bytes, and a shared key. ipt_pkd checks the time window of the packet and does the SHA-256 to verify the packet. The shared key is never sent.”
Now, ipt_pkd has been updated to version 1.6!
These are the changes made: this version was updated for Linux 2.6.32 and iptables 1.4.6. A new knock client written in C# was added; it works on both Linux and Windows and encrypts its configuration data. A pre-built kernel module, an iptables library for Vyatta Community Edition 5, and a small install script for Vyatta were also added.
If you have read our last few posts, you already know what a port knock is. We mentioned it here when we wrote about winKnocks. Today, we are going to blog about ipt_pkd.
Port knocking per se can be very dangerous if you were to try it on your own firewall without any authentication mechanism. winKnocks is a good option, though its implementation is mainly for Windows. So what do you do to protect your Linux-based firewall when you do want to use port knocking? Simple – use ipt_pkd! ipt_pkd is an iptables extension implementing port knock detection. It makes use of single packet authorization. The knock packet is a SHA-256 of a timestamp, some random bytes, a small header, and a shared key, sent via UDP. The timestamp and the random bytes are passed in the packet so the server can compute the SHA-256 itself and compare the results. If it's a match then the pkd module returns true; otherwise it returns false and any further packets from the sender are dropped. To eliminate replay attacks, the source and destination ports are also used in the hash!
There are two versions – one in C and the other in Python. The open source package includes a small Python script, knock.py, which is a Python implementation of the ipt_pkd client and reads the necessary information from ipt_pkd.ini. It accepts 3 options: a 40-byte-long hex shared key, a window (the time for which it waits for a valid knock from a system) and a 4-byte-long tag which helps speed up processing. You can make use of “hitcount” to control how many knocks are allowed until the sender is dropped, reset, etc.
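As an added illustration of the scheme described above (example code written for this post, not ipt_pkd's own knock.py or its real wire format): the client builds a knock payload, and the server-side check recomputes the SHA-256 over the visible fields, both ports and the shared key, then enforces the time window. The 56-byte layout, the tag value, the window constant and the sample key are all assumptions.

```python
import hashlib
import hmac
import os
import struct
import time

# Assumed layout for this example (not ipt_pkd's actual packet format):
#   tag (4) | timestamp (4, big-endian seconds) | random nonce (16) | SHA-256 digest (32)
TAG = b"PKD1"            # the 4-byte tag used for cheap early rejection
WINDOW = 10              # accepted clock skew in seconds (the "window" option)
PAYLOAD_LEN = 4 + 4 + 16 + 32


def knock_digest(key, tag, ts, nonce, sport, dport):
    # Hash everything the server can observe plus the shared key; including the
    # source/destination ports binds the knock to one UDP flow, so a captured
    # payload replayed from a different port pair no longer verifies.
    h = hashlib.sha256()
    h.update(tag + struct.pack("!I", ts) + nonce + struct.pack("!HH", sport, dport) + key)
    return h.digest()


def build_knock(key, sport, dport, now=None, nonce=None):
    # Client side: the timestamp and nonce travel in the clear, the key never does.
    ts = int(time.time()) if now is None else now
    nonce = os.urandom(16) if nonce is None else nonce
    return TAG + struct.pack("!I", ts) + nonce + knock_digest(key, TAG, ts, nonce, sport, dport)


def verify_knock(key, payload, sport, dport, now=None, window=WINDOW):
    # Server side: returns (accepted, reason), mirroring the match's true/false result.
    if len(payload) != PAYLOAD_LEN:
        return False, "bad length"
    tag, ts_raw, nonce, digest = payload[:4], payload[4:8], payload[8:24], payload[24:]
    if tag != TAG:
        return False, "bad tag"                      # reject before any hashing
    ts = struct.unpack("!I", ts_raw)[0]
    now = int(time.time()) if now is None else now
    if abs(now - ts) > window:
        return False, "outside time window"          # stale or future-dated knock
    expected = knock_digest(key, tag, ts, nonce, sport, dport)
    if not hmac.compare_digest(expected, digest):    # constant-time comparison
        return False, "bad digest"                   # wrong key or tampered fields
    return True, "ok"
```

A knock replayed later than the window, or from another source port, fails even though the bytes are identical.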
Port knocking is a method of externally opening ports on a firewall by generating a connection attempt on a set of pre-specified closed ports. Once a correct sequence of connection attempts is received, the firewall rules are dynamically modified to allow the host which sent the connection attempts to connect over specific ports. winKnocks is an encrypted port knocking tool.
winKnocks makes use of the DES algorithm to encrypt the payload of each packet. winKnocks is divided into two parts: Knocker and Listener. A secret password is shared between the two for communication. They are both written in Java and have a Swing GUI. The project is open source. You can specify the number of packets in each knock sequence and the details of the packets. It supports UDP, TCP and ICMP packets. A few of its features are:
it is easy to use because it runs using the Windows firewall.
the user can send knock sequences also to already opened ports: the tool captures packets at data-link level in non-blocking mode
flexibility: there are no predefined knock sequences; the user may define sequences that contain 1 packet to execute non-dangerous actions, 10 packets, 100 packets… to execute very important actions
the tool does not need a predefined set of unused ports
the knock sequences are defined in XML and the advantages are well-known!
replay attacks are neutralized because the payload of each packet contains the timestamp and a random number
the Knocker can send smoke packets, which can be distinguished by the listener.
The Knocker looks like:
When the listener receives “knocks”, you can have it perform activities like opening a port, closing a port or running a bash script. You can also log all the activities.
If this project interests you enough, you can download it here.