Add Security Layer To Server With Port Knocking Tool 'knockknock'


diggler

I'm trying to "hide" the fact that SSH + deluge are running when port scanned. I think my options are: I can firewall the server, open the SSH port and keep it visible, and get to deluge by going to localhost:8112 after an ssh -D $someport. Or I can use knockknock and hide SSH and Deluge, but need to keep 1 outbound + 1 inbound tcp port open for deluge xfers (or use knockknock-proxy).

- Server(s) running Ubuntu 10.10 --> 12.04

- knockknock --> http://www.thoughtcr...are/knockknock/

- SSH

- deluge-torrent.org/

1. Has anyone on the forums attempted to setup port knocking with knockknock before?

2. Am I correct in assuming that it would be wise to NOT use UFW to configure my firewall and instead rely strictly on iptables? I believe this to be true because knockknock will need custom iptables entries to work.

3. SSH seems simple to think through. Knock on one port and connect. All Inbound+Outbound traffic flows over one port after the connection is established -- easy enough.

4. I threw in an application like Deluge because I can't get my head around the firewall logic. "deluged" runs as a local daemon on the server. Once a Torrent is added it needs two ports to operate (1 Inbound + 1 Outbound). "deluge-web --fork" is a web gui to add/remove Torrents. It runs on a separate port (8112 by default), for a total of three.

My best guess is to create a knockknock rule for the web gui (8112) and leave deluge's inbound (5000) + outbound (6000) ports open and standard SSH knockknock rule.

OR should I use the knockknock-proxy?

Can anyone contribute/comment on how this should be setup?

THANKS

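The firewall layout the question is circling around, written out as an added example (this is not code from the thread, from knockknock or from fwknop). Only deluge's listening port gets a static hole; the "outbound" port needs no INPUT rule at all, because replies to connections deluged opens itself are accepted by the ESTABLISHED,RELATED rule. SSH and the web UI (8112) are never opened statically; a per-client hole is inserted into a dedicated chain after a valid knock and removed when it expires. Assumptions, not facts from the page: the knock daemon tails kernel log lines (the page says knockknock tails a log file, but the log prefix `KNOCK: ` used here is made up), the chain name `KNOCKED`, a 30 s grant TTL, and that the generated rule strings are fed to `iptables-restore` / `iptables` by something else; nothing here executes them.

```python
"""Baseline iptables layout for SSH + deluge behind a port knocker.

Added example, not from the thread or from knockknock/fwknop.  Assumptions:
  - a log-tailing knocker watches kernel log lines, so new SYNs that match
    nothing are logged with KNOCK_LOG_PREFIX (made-up prefix) and dropped;
  - the knocker inserts its per-IP ACCEPT rules into a chain named KNOCKED
    (name chosen here) so they can be listed and flushed independently.
Usage: python3 fw.py > rules.v4 && sudo iptables-restore < rules.v4
"""
import ipaddress

KNOCK_LOG_PREFIX = "KNOCK: "   # assumption: prefix the knock daemon greps for


def build_ruleset(ssh_port=22, web_port=8112, deluge_listen_port=5000):
    """Return iptables-restore lines for the filter table.

    Only deluge's listening port gets a static hole.  Peer connections the
    daemon opens outbound (the "outbound" port in the post) are covered by the
    ESTABLISHED,RELATED rule, so they need no INPUT rule.  SSH and the deluge
    web UI are knock-gated and are deliberately never opened here.
    """
    if deluge_listen_port in (ssh_port, web_port):
        raise ValueError("deluge listening port collides with a gated port")
    return [
        "*filter",
        ":INPUT DROP [0:0]",
        ":FORWARD DROP [0:0]",
        ":OUTPUT ACCEPT [0:0]",
        ":KNOCKED - [0:0]",            # knock daemon inserts per-IP accepts here
        "-A INPUT -i lo -j ACCEPT",
        "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        "-A INPUT -m conntrack --ctstate INVALID -j DROP",
        "-A INPUT -j KNOCKED",         # dynamic holes decided first
        # deluge's incoming peer port stays visible; everything else is dark
        f"-A INPUT -p tcp --dport {deluge_listen_port} --syn -j ACCEPT",
        # log new SYNs (rate-limited) so a log-tailing knocker sees knocks
        f"-A INPUT -p tcp --syn -m limit --limit 10/s --limit-burst 20 "
        f"-j LOG --log-prefix \"{KNOCK_LOG_PREFIX}\" --log-level 6",
        "-A INPUT -p tcp --syn -j DROP",
        "COMMIT",
    ]


class Grants:
    """Per-client holes opened after a valid knock, each with an expiry.

    A grant is one ACCEPT rule for (client_ip, port) in the KNOCKED chain,
    restricted to NEW connections: when the rule is deleted, an SSH session
    already in progress survives via the ESTABLISHED rule, but nobody (that
    client included) can open a fresh connection without knocking again.
    """

    def __init__(self, ttl_seconds=30):
        self.ttl = ttl_seconds
        self._open = {}            # (ip, port) -> expiry timestamp

    def _rule(self, ip, port):
        return (f"KNOCKED -s {ip} -p tcp --dport {port} "
                f"-m conntrack --ctstate NEW -j ACCEPT")

    def open(self, client_ip, port, now):
        ip = str(ipaddress.ip_address(client_ip))   # validate before it reaches a shell
        self._open[(ip, port)] = now + self.ttl
        return "iptables -I " + self._rule(ip, port)

    def expire(self, now):
        """Return the delete commands for every grant whose TTL has passed."""
        gone = [k for k, t in self._open.items() if t <= now]
        for k in gone:
            del self._open[k]
        return ["iptables -D " + self._rule(ip, port) for ip, port in gone]

    def is_open(self, client_ip, port, now):
        return self._open.get((client_ip, port), 0) > now


if __name__ == "__main__":
    print("\n".join(build_ruleset()))
```

Run `expire()` from a periodic timer (a few seconds is plenty) so a forgotten knock does not leave a port open; the ctstate NEW restriction is what lets a grant be short without cutting off sessions that were already accepted.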

From creators of fwknop:

"> After weeks of reading about port knocking, security and its
> implications I went on a hunt to find the best tool for implementing
> 'secure' port knocking. I came across your website and tool, fwknop at
> http://www.cipherdyne.org/fwknop/. From what I have read I think it's
> the best possible tool. Obviously you're biased, but perhaps there's
> other options you've grown fond of as well?

I would say that the most interesting competing implementation is Moxie Marlinspike's "knockknock". However, fwknop makes several design decisions that are at odds with those made by knockknock, so the solution you choose probably depends on which of these design decisions you agree with. Here are a few decisions made by fwknop that are direct opposites of those made by knockknock:

- fwknop does not require a heavyweight interpreter like perl or python to be installed on the server (or the client).

- fwknop does not require trusting an IP address in the network header (it is possible to mount a MITM attack against any SPA implementation that does trust the source IP in the header vs. an IP that is encrypted within the SPA payload - the latter is what fwknop does with -a or -R on the fwknop client command line).

- fwknop does not require root access on the client side because it doesn't manipulate raw packet headers - this brings SPA functionality to devices like the iPhone and allows any normal user to use it.

- fwknop does not require specialized logging support on the server side, and a consequence is that it easily supports multiple firewalls (it currently supports iptables, ipfw, and pf).

- fwknop is able to run on embedded systems.

- fwknop is scalable to lots of users.

> I write to you today because I'm attempting to implement fwknop on VPS
> powered Ubuntu servers, ranging from 10.10 to 12.04, for securing SSH
> (port 443) and an HTTP web gui (http://x.x.x.x:5000). I found a 'how
> to' guide (http://ubuntuforums.org/showthread.php?t=1926699) but
> haven't come across much else.
>
> Am I correct in assuming that what fwknop does (not how it works) is
> it essentially opens up the remote server port for a set period of
> time to allow for the normal operation of the services?

Yes, that is a fair description of how fwknop works. I might add that:

1) The opened port is only open for the specific IP that is encrypted within the SPA packet

2) There are tricky ways to leverage NAT on iptables firewalls such that connections to one port can be translated into actually accessing other ports, and this can apply to connections both to the system where fwknopd is running or connections through to other systems too.

> Do you have any recommendations or "setup guides" that may help me in
> my quest to setup fwknop securely? Do you have any scripts, or other
> recommendations that may make the process easier?

I'm working on this - there is some information on my blog, but it needs to be extended."

From Moxie:

"> - fwknop does not require a heavyweight interpreter like perl or python
> to be installed on the server (or the client).

This is probably the biggest difference. It seems fwknop considers this a bad thing, whereas I consider it a good thing.

Basically, I see the purpose of port knocking as protection against network services written in "unsafe" languages like C. So naturally, I don't want to replace them with... another network service written in an unsafe language, using an enormous library written in an unsafe language (libpcap).

knockknock is designed to be extremely simple, and not dependent on any complex native code. It's just a small python script that tails a log file -- can't get much safer than that."

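The design point in the fwknop reply above (open the port for the IP that is encrypted and authenticated inside the SPA payload, not for whatever the IP header claims, and make the packet single-use so a sniffed copy is worthless) is easy to see in a small model of both sides. The following is an added example, not code from fwknop or knockknock, and it does not speak their wire formats. Assumptions: a pre-shared 32-byte key; an HMAC-SHA256 keystream in counter mode with encrypt-then-MAC as the cipher (a standard-library stand-in for a real AEAD such as AES-GCM); a 60 s freshness window; and a server-side set of digests of accepted packets for replay detection. The `header_src_ip` argument is the header IP the server observed; it is recorded but never used to decide what to open.

```python
"""Single-packet authorization with the client IP inside the payload.

Added example, not code from fwknop or knockknock.  Assumptions: shared key,
HMAC-SHA256 counter-mode keystream + encrypt-then-MAC as a stand-in cipher,
60 s freshness window, server-side digest set for replay detection.
"""
import hashlib
import hmac
import json
import os
import struct
import time

NONCE_LEN = 16
TAG_LEN = 32
MAX_SKEW = 60           # seconds a packet stays acceptable


def _keystream(key, nonce, n):
    """PRF in counter mode: HMAC(key, nonce || ctr) blocks, truncated to n bytes."""
    out = b""
    ctr = 0
    while len(out) < n:
        out += hmac.new(key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def build_spa(key, client_ip, port, now=None):
    """Client side.  Packet = nonce || ciphertext || tag.

    The IP the client wants opened travels encrypted in the body, together
    with the port and a timestamp; the header source IP is irrelevant to the
    server, so the client needs no raw sockets or root to send this.
    """
    now = int(time.time()) if now is None else now
    body = json.dumps({"ip": client_ip, "port": port, "ts": now}).encode()
    nonce = os.urandom(NONCE_LEN)
    ct = _xor(body, _keystream(key, nonce, len(body)))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()   # encrypt-then-MAC
    return nonce + ct + tag


def verify_spa(key, packet, header_src_ip, seen, now=None):
    """Server side.  Returns {"ip", "port", "header_src"} or None.

    Order matters: authenticate first (no decryption of unauthenticated
    data), then refuse replays by packet digest, then check freshness.
    `header_src_ip` is kept for logging only; the hole is opened for the
    IP recovered from the authenticated body.
    """
    now = int(time.time()) if now is None else now
    if len(packet) < NONCE_LEN + TAG_LEN + 1:
        return None
    nonce, ct, tag = packet[:NONCE_LEN], packet[NONCE_LEN:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None                                   # forged, tampered or wrong key
    digest = hashlib.sha256(packet).hexdigest()
    if digest in seen:
        return None                                   # replay of a sniffed packet
    try:
        body = json.loads(_xor(ct, _keystream(key, nonce, len(ct))))
        ts, port, ip = int(body["ts"]), int(body["port"]), str(body["ip"])
    except (ValueError, KeyError, TypeError):
        return None
    if abs(now - ts) > MAX_SKEW:
        return None                                   # stale
    seen.add(digest)
    return {"ip": ip, "port": port, "header_src": header_src_ip}


if __name__ == "__main__":
    key = os.urandom(32)
    seen = set()
    pkt = build_spa(key, "198.51.100.4", 22)
    # an attacker who spoofs the header IP still only opens the port for the client
    print(verify_spa(key, pkt, header_src_ip="203.0.113.9", seen=seen))
    print(verify_spa(key, pkt, header_src_ip="203.0.113.9", seen=seen))  # None: replay
```

Two consequences follow from this shape: a sniffed packet replayed from the attacker's own address is rejected by the digest set within the window and by the timestamp after it, and a packet sent with a spoofed header gains the attacker nothing because the hole opens for the address in the body. What the construction does not hide is the timing of the knock itself, so pair it with the short grant TTL a knock daemon would use anyway.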

Not to bash on Moxie, because I understand his point and it is valid, but those heavyweight interpreters are themselves implemented in "'unsafe' languages like C", and they are certainly larger code bases to audit than libpcap.

I haven't used knockknock, however I have been using fwknop for quite a while and I trust it. Michael Rash has always been extremely responsive and his talk at HOPE was sufficiently full of technical detail to both bore me to tears and convince me that he knows what he's talking about. (Which is not to say that Moxie doesn't, he is also an impressive and competent developer.)

I will break out an Ubuntu VM tonight/tomorrow so I can work up some example configs and instructions to get you started with fwknop (since that's the one I know) unless you're set on using knockknock.


Sorry about not getting back to you on this sooner. So what I dug up is that nearly all the guides out there currently are written for the pre-2.0 version of fwknop. That isn't necessarily a big deal, because the config files are almost identical (and generally well commented) but the building part is a bit different now.

With fwknop-2.0 you need to 'apt-get install build-essential' and do "./configure && make && sudo make install" to build and install.

By default it will drop everything in /usr/local/ so you'll need to adjust paths slightly from what the guides you'll find recommend. You'll also probably need to write your own init script; it doesn't seem to install one and I didn't see one for Debian/Ubuntu in the source tree (didn't look too hard to see if the examples they had would be suitable, but it isn't hard to write init scripts).
