Friday, October 20, 2006

Generate one-time-sequences file for knockd

I've been playing a little with knockd, mostly just for fun. It's a program that listens to all traffic, waiting to hear "hits" to a special sequence of TCP/UDP ports. These hits constitute a knock. When somebody gives the correct knock the program performs a custom action, usually opening up remote access to the host sending the knock.

For instance, if I want to mitigate SSH brute force attempts, I first close all ports on the firewall, then fire up knockd. When knockd hears the correct knock sequence, it opens access to TCP port 22 for 10 seconds to the "knocker", who must authenticate via SSH during those 10 seconds. Then it closes new requests to port 22, but allows the established SSH session to continue.

What about eavesdroppers listening for the knock sequence, you ask? Very good question! You have the option of using a one-time-sequences file. It's just a list of different knocks that you come up with. The client and server both have the list and they use each sequence only once. That way anybody can listen to the knock sequence and will not know what the next valid knock will be.

Here's a simple Perl script to generate the secret one-time-sequences file:

#!/usr/bin/perl
use strict;
use warnings;

## The number of knock sequences to generate
my $num_knocks = 1000;
## The number of ports in each knock
my $knock_size = 10;

for (1..$num_knocks)
{
   ## Leading space: knockd overwrites the first column of a line with '#'
   ## once that sequence has been used, so the column must exist.
   print " ";
   for my $i (1..$knock_size)
   {
     ## Random unprivileged port in the range 1024..65535
     print 1024 + int(rand(64512));
     ## Comma-separate the ports; no trailing comma after the last one
     print "," unless $i == $knock_size;
   }
   print "\n";
}


Redirect the output into a file and put that file on both computers. Use it for the one_time_sequences directive of knockd. The knock client needs a little trickery to use the file. I'll later share a script that does just that!
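As an added example (not code from the original post, and not knockd's own), here is the same generator in Python, drawing each port from the OS CSPRNG through the secrets module instead of Perl's rand(), which is a predictable pseudo-random generator and so a poor source for a secret an eavesdropper must not be able to guess. It also carries the read-side helpers a knock client needs to use the file: find the first line not yet marked with '#' and mark it used, mirroring the convention knockd applies on the server after a successful knock. The function names, the treatment of blank lines and the 1024..65535 port range are my assumptions, not part of knockd.

```python
import secrets

# Assumed port range for generated knocks: unprivileged ports, as in the Perl script.
PORT_MIN, PORT_MAX = 1024, 65535


def generate_sequences(num_knocks=1000, knock_size=10):
    """Return num_knocks lists of knock_size ports, drawn from the OS CSPRNG.

    secrets.randbelow() asks the operating system for unpredictable bytes,
    so the next sequence cannot be inferred from earlier ones.
    """
    span = PORT_MAX - PORT_MIN + 1
    return [
        [PORT_MIN + secrets.randbelow(span) for _ in range(knock_size)]
        for _ in range(num_knocks)
    ]


def format_sequences(seqs):
    """Render sequences in the one_time_sequences layout: one line per knock.

    Each line starts with a single space because knockd marks a consumed
    sequence by overwriting that first column with '#'.
    """
    return "".join(" " + ",".join(str(p) for p in s) + "\n" for s in seqs)


def parse_sequences(text):
    """Parse a one_time_sequences file into (used, ports) tuples.

    A line whose first character is '#' has already been consumed. Blank
    lines are skipped (assumption). Non-numeric or out-of-range ports raise
    ValueError so a corrupted file is noticed instead of knocking wrong ports.
    """
    parsed = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        used = line.startswith("#")
        ports = [int(p) for p in line[1:].split(",")]
        bad = [p for p in ports if not PORT_MIN <= p <= PORT_MAX]
        if bad:
            raise ValueError(f"line {lineno}: ports out of range {bad}")
        parsed.append((used, ports))
    return parsed


def next_unused(text):
    """Index of the first sequence not yet marked used, or None if exhausted."""
    for i, (used, _) in enumerate(parse_sequences(text)):
        if not used:
            return i
    return None


def mark_used(text, index):
    """Return the file text with sequence `index` marked '#', as knockd does."""
    lines = text.splitlines(keepends=True)
    n = -1
    for i, line in enumerate(lines):
        if not line.strip():
            continue  # keep blank lines in step with parse_sequences()
        n += 1
        if n == index:
            lines[i] = "#" + line[1:]
            return "".join(lines)
    raise IndexError(f"no sequence with index {index}")


def consume_next(text):
    """Client side: pick the next unused sequence and mark it used locally.

    Both ends must retire a sequence after one use, or the client's and
    server's views of the file drift apart and later knocks are rejected.
    Returns (ports, updated_text); raises if every sequence is spent.
    """
    index = next_unused(text)
    if index is None:
        raise RuntimeError("one-time sequence file exhausted; generate a new one")
    ports = parse_sequences(text)[index][1]
    return ports, mark_used(text, index)


if __name__ == "__main__":
    # Write a fresh file to stdout, ready to copy to both hosts.
    print(format_sequences(generate_sequences()), end="")
```

Run it with output redirected to the file named by the one_time_sequences directive and copy that file to both machines; consume_next() is what a client-side wrapper would call before each knock so the local copy is retired in lockstep with the server's.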
