Port knocking sample client-server

Last updated: 18-jan-2005

This update contains the following improvements:

* configuration of the server is now located in a separate file

Example configuration file for the server:

  #$Id: knockd.cfg,v 2.0 2005/01/18 11:57:19 len Exp $
  #knockd configuration file
  [main]
  #the file to monitor
  file=/var/log/all.log
  #the pattern to watch for, note that you must have the
  #"ts", "from" and "port" groups (see python "re" module for more documentation)
  pattern=(?P<ts>...............) \w+ IN=eth0 OUT= MAC=[\w:]* SRC=(?P<from>[0-9\.]+) DST=[\d+\.]+.*?PROTO=TCP SPT=\d* DPT=(?P<port>\d+)
  #must start with %Y (the log timestamps carry no year, so it is prepended)
  date_format=%Y %b %d %H:%M:%S
  open_seq=[4002, 7654, 6033]
  #not used yet
  close_seq=[4003, 7432, 6021]
  #max delay in seconds between knocks
  delay=3
  #call this to open up the port, replace with your favorite command
  open_cmd=/bin/echo opening %from 4000
  #call this to close up the port, not used yet
  close_cmd=echo closing %from %port
  #internal
  #when the internal entry map is larger start cleaning old entries
  mapsize = 20
  #configuration end

The server can be started with: ./knockd.py knockd.cfg

* the scripts are no longer FreeBSD dependent: any log file can be configured using regular expressions, and the command to execute can be configured (I tested on FreeBSD and Linux)
* the client now has command line parameters:
  -d: the IP of the target server (long parameter: --ipdest)
  -q: the port sequence in the format "[port1, port2, port3]" (long parameter: --seq)

Port knocking

This is a simple implementation of the port knocking principle in Python on a FreeBSD system. It can be used as a starting point for a more complex system or just as a simple example of the principle.

There are 2 parts:

  • The server, which monitors the firewall deny logs and, if a sequence of denied requests is present within an interval, opens a port for the machine originating the sequence (for example port 22 for an ssh connection).
  • The client, which tries to make connections to ports on the target machine in a specific order within an interval (the secret knock).
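As an added example (not the project's own knockd.py), here is the server's core decision logic driven by the pattern, open_seq, delay and mapsize values from the configuration above: each denied TCP packet is matched, grouped by source address, and a port is "opened" only when the whole sequence arrives with no gap longer than delay seconds. Python 3 syntax is an assumption (the original targets Python 2.2), and the log lines are constructed to match the configured pattern rather than captured from a real firewall.

```python
import re
from datetime import datetime, timedelta

# Settings copied from the knockd.cfg above (Python 3 syntax is an assumption; the original targets 2.2)
PATTERN = re.compile(
    r"(?P<ts>...............) \w+ IN=eth0 OUT= MAC=[\w:]* SRC=(?P<from>[0-9\.]+) "
    r"DST=[\d+\.]+.*?PROTO=TCP SPT=\d* DPT=(?P<port>\d+)")
DATE_FORMAT = "%Y %b %d %H:%M:%S"  # must start with %Y: syslog timestamps carry no year
OPEN_SEQ, DELAY, MAPSIZE = [4002, 7654, 6033], 3, 20
OPEN_CMD = "/bin/echo opening %from 4000"

class KnockTracker:
    def __init__(self, seq=OPEN_SEQ, delay=DELAY, mapsize=MAPSIZE):
        self.seq, self.delay, self.mapsize = seq, timedelta(seconds=delay), mapsize
        self.state = {}  # src -> (index of the next expected knock, time of the last knock)
    def feed(self, line, year):
        m = PATTERN.search(line)
        if not m:
            return None                       # not a denied TCP packet: ignore
        ts = datetime.strptime("%d %s" % (year, m.group("ts")), DATE_FORMAT)
        src, port = m.group("from"), int(m.group("port"))
        idx, last = self.state.get(src, (0, None))
        if last is not None and ts - last > self.delay:
            idx = 0                           # knocked too slowly: start over
        if port == self.seq[idx]:
            idx += 1                          # expected knock: advance
        else:
            idx = 1 if port == self.seq[0] else 0  # wrong knock: reset (it may begin a new attempt)
        if idx == len(self.seq):
            self.state.pop(src, None)
            return src                        # whole sequence seen within the delay window
        self.state[src] = (idx, ts)
        if len(self.state) > self.mapsize:    # mapsize: clean out stale entries when the map grows
            self.state = {s: v for s, v in self.state.items() if ts - v[1] <= self.delay}
        return None

def open_commands(lines, year=2005, cmd=OPEN_CMD):
    # Replay log lines; return the open_cmd the server would run for each completed knock.
    # %from only ever holds what SRC=[0-9\.]+ matched, so just digits and dots reach the command.
    tracker = KnockTracker()
    return [cmd.replace("%from", src) for src in (tracker.feed(l, year) for l in lines) if src]

def log_line(ts, src, proto, dpt):  # constructed syslog-style line in the shape the pattern expects
    return "%s gw IN=eth0 OUT= MAC= SRC=%s DST=10.0.0.1 LEN=60 PROTO=%s SPT=51000 DPT=%d SYN" % (ts, src, proto, dpt)

# Constructed knocks, not real traffic: 10.0.0.5 completes the sequence (gaps of 1 s and 2 s),
# 10.0.0.9 waits 6 s before its second knock (too slow), the UDP line never matches the pattern.
SAMPLE_LOG = [log_line(*k) for k in [
    ("Jan 18 11:57:19", "10.0.0.5", "TCP", 4002), ("Jan 18 11:57:19", "10.0.0.9", "TCP", 4002),
    ("Jan 18 11:57:20", "10.0.0.5", "TCP", 7654), ("Jan 18 11:57:21", "10.0.0.7", "UDP", 5353),
    ("Jan 18 11:57:22", "10.0.0.5", "TCP", 6033), ("Jan 18 11:57:25", "10.0.0.9", "TCP", 7654),
    ("Jan 18 11:57:26", "10.0.0.9", "TCP", 6033)]]
```

Running open_commands(SAMPLE_LOG) yields a single command for 10.0.0.5; the real server would tail the configured file and execute that command instead of collecting it.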

Requirements

I tested the samples on:

  • server: FreeBSD with ipfw and Python 2.2, no port open (for another configuration you need to change the parsing rules and the firewall manipulation commands).
  • client: FreeBSD with Python 2.2 (should work on almost any machine with Python installed, even Windows).