Port knocking

For NBS System, cybersecurity is a vital element of IT. However, it is not always easy to manage access to a machine conveniently while guaranteeing its safety. If you want to connect to a server from an IP address other than the one you usually use, and that IP is not known to the firewall protecting the server, you cannot get in. If you already know the IP you will use, you can of course authorize the connection beforehand, directly on the firewall. But if you are traveling, using a hotel's or a bar's Wi-Fi, or even your phone's connection, that is no longer possible.

And yet, there is a simple solution to tell the firewall that you are indeed legitimate, and can connect to the server you want: port knocking.

Beware: this solution should only be used with the TCP protocol, not UDP, in order to limit the risk of spoofing.

What is port knocking?


Port knocking consists in configuring a firewall so that, when a precise series of actions is performed, the IP performing them is whitelisted and can thus connect to the protected server. Each of these actions is actually the sending of a packet to a precise port. It is as if you had to knock on a door a precise number of times, with a precise rhythm, for the door to open.

Let us see a practical case:

You preconfigure your firewall so that it adds to its whitelist any IP that sends a packet to port 22, then a packet to port 33, then to port 44, then to port 4242.
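To make the practical case concrete, here is an added example (not knockd's own code, and simplified compared with it) that simulates the server side of that chain: a small awk-based tracker reads constructed events of the form "epoch_seconds source_ip destination_port", follows each source's progress through the chain 22, 33, 44, 4242, forgets partial progress older than a 30 second timeout, and resets a source to the start on any wrong port. The event log and IP addresses are constructed sample data.

```shell
#!/bin/sh
# Simulated knock tracker for the practical case (added example, not knockd).
# Prints "WHITELIST <ip>" for every source that hits the chain in order
# within SEQ_TIMEOUT seconds; a wrong port or a stale attempt resets it.
SEQUENCE="22 33 44 4242"
SEQ_TIMEOUT=30

track_knocks() {
    awk -v seq="$SEQUENCE" -v timeout="$SEQ_TIMEOUT" '
    BEGIN { n = split(seq, want, " ") }
    {
        ts = $1; ip = $2; port = $3
        # partial progress older than the timeout is forgotten
        if ((ip in stage) && ts - started[ip] > timeout) {
            delete stage[ip]; delete started[ip]
        }
        expect = (ip in stage) ? stage[ip] + 1 : 1
        if (port != want[expect]) {
            # wrong knock (for instance a port scanner): back to the start
            delete stage[ip]; delete started[ip]
            next
        }
        if (expect == 1) started[ip] = ts
        stage[ip] = expect
        if (expect == n) {
            print "WHITELIST " ip
            delete stage[ip]; delete started[ip]
        }
    }'
}

# Constructed event log: one legitimate client, one scanner-style source that
# hits port 80 in the middle of the chain, and one client that is too slow.
sample_events() {
    cat <<'EOF'
100 203.0.113.10 22
101 203.0.113.10 33
102 203.0.113.10 44
103 203.0.113.10 4242
200 198.51.100.7 22
201 198.51.100.7 80
202 198.51.100.7 33
203 198.51.100.7 44
204 198.51.100.7 4242
300 192.0.2.99 22
340 192.0.2.99 33
341 192.0.2.99 44
342 192.0.2.99 4242
EOF
}

run_demo() {
    sample_events | track_knocks
}

run_demo
```

Only 203.0.113.10 is whitelisted: the second source broke the rhythm with a stray packet to port 80, and the third took 40 seconds between its first two knocks, longer than the timeout, so its chain never completed.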

Once connected from an unusual IP address, you only have to use a port knocking client, which sends the right packet chain, and you get access to your server. There are clients for Linux (Knockd, or you can use Netcat), Windows (Knock Knock), Mac (Doorman), iOS (Knockond), Android (Port knocker)…

Configure your port knocking on Linux

Let us take the example of a Debian machine. First of all, install Knockd (apt-get install knockd), then edit the "/etc/knockd.conf" file to insert your port chain:

[options]
    UseSyslog

[open]
    sequence    = {your port chain, separated with commas}
    seq_timeout = 30
    command     = ipset add whitelist %IP%
    tcpflags    = syn

Be careful to choose chains that are unlikely to be sent by anyone else! For instance, avoid the classic port sequences of port scanners, such as "20, 80, 443".

Once this is done, you will see that ipset is used to add the IP to a whitelist. You then only have to write the iptables rules you want in order to open your access, for instance by adding the following line to your firewall's configuration:

iptables -A INPUT -m set --match-set whitelist src -p tcp --dport 22 -j ACCEPT

You can also give the IP addresses in the whitelist remote access to another machine on your network (LAN) with a port redirection (NAT PREROUTING), which keeps that connection restricted to whitelisted addresses. To do that, use the following instructions:

iptables -t nat -A PREROUTING -m set --match-set whitelist src -p tcp --dport 3389 -j DNAT --to 192.168.0.5
iptables -A FORWARD -m set --match-set whitelist src -p tcp --dport 3389 -d 192.168.0.5 -j ACCEPT
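The steps above, gathered into one script as an added example (this is not code from NBS System or from the knockd project). It adds two things a practitioner needs that the steps leave implicit: the ipset named in knockd.conf must be created before knockd references it, and the whitelist ACCEPT rules must come before any rule that drops the protected port, otherwise a correct knock opens nothing. It also gives the set a timeout so that an address knocked from a hotel network stops being trusted after an hour. The knock chain 2301,5017,7842 and the one-hour expiry are constructed sample values; 192.168.0.5 is the LAN host from the page; the "ipset -exist" and "timeout" options and the conntrack rule are standard ipset/iptables features. The script only prints the commands unless APPLY=1 is set in the environment.

```shell
#!/bin/sh
# Complete server-side setup for the procedure above (added example, not the
# page's or knockd's own code). Sample values are constructed; see the lead-in.
SET_NAME="whitelist"
KNOCK_CHAIN="2301,5017,7842"   # constructed; choose your own, not a scanner-style chain
ENTRY_TTL=3600                 # seconds a knocked address stays whitelisted
LAN_HOST="192.168.0.5"         # the LAN machine from the page

# Render /etc/knockd.conf: knockd adds the knocking IP to the set, and the
# set's own timeout removes it again, so no separate "close" chain is needed.
render_knockd_conf() {
    cat <<EOF
[options]
    UseSyslog

[openSSH]
    sequence    = $KNOCK_CHAIN
    seq_timeout = 30
    tcpflags    = syn
    command     = ipset add $SET_NAME %IP% timeout $ENTRY_TTL
EOF
}

# Firewall commands in the order they must be applied: create the set first,
# keep established sessions alive even after an entry expires, accept the
# whitelist, redirect RDP to the LAN host, and only then drop everything
# else on the protected port.
firewall_commands() {
    cat <<EOF
ipset -exist create $SET_NAME hash:ip timeout $ENTRY_TTL
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m set --match-set $SET_NAME src -p tcp --dport 22 -j ACCEPT
iptables -t nat -A PREROUTING -m set --match-set $SET_NAME src -p tcp --dport 3389 -j DNAT --to-destination $LAN_HOST
iptables -A FORWARD -m set --match-set $SET_NAME src -p tcp --dport 3389 -d $LAN_HOST -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP
EOF
}

# Check before applying: the whitelist ACCEPT for port 22 must precede the
# DROP for port 22. Returns 0 when the ordering is right.
rules_are_ordered() {
    firewall_commands | awk '
        /--match-set/ && /--dport 22/ && /ACCEPT/ { accept = NR }
        /--dport 22 -j DROP/                       { drop = NR }
        END { exit !(accept && drop && accept < drop) }'
}

# With APPLY=1 the commands run and the config is written; otherwise both
# are printed for review.
apply_or_print() {
    if [ "${APPLY:-0}" = "1" ]; then
        firewall_commands | sh -e
        render_knockd_conf > /etc/knockd.conf
    else
        firewall_commands
        render_knockd_conf
    fi
}

rules_are_ordered && apply_or_print
```

The knock ports themselves need no ACCEPT rule: knockd watches the interface with libpcap, so it sees the knocks even though the firewall drops them, which is exactly why the knock ports can stay closed.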

For more information about port knocking, visit the website http://portknocking.org/!

Source : Philippe Humeau

Lucie Saunois
An IT aficionado, especially when it comes to cybersecurity, since she joined OT Group in 2015, Lucie specializes in making technical, and often complex, topics understandable to anyone.