In the field of IT systems security, although concept of “port knocking:” is relatively new, but with passage of time, it is getting popular among system administrators. According to wikkipedia, port knocking is a method of externally opening ports on a firewall by generating a connection attempt on a set of prespecified closed ports. Once a correct sequence of connection attempts is received, the firewall rules are dynamically modified to allow the host which sent the connection attempts to connect over specified port(s). The primary purpose of port knocking is to prevent an attacker from scanning a system for potentially exploitable services by doing a port scan, because until the attacker sends the correct knock sequence, the protected ports will appear closed.
More specifically, Port knocking works on the concept that users wishing to attach to a network service must initiate a predetermined sequence of port connections or send a unique string of bytes before the remote client can connect to the eventual service.
For example, suppose that a remote client wants to connect to an FTP server. The administrator configures the port-knocking requirements ahead of time, requiring that connecting remote clients first connect to ports 2000, 4000, and 7107 before connecting to the final destination port, 21 on FTP server. The administrator tells all legitimate clients about the correct “combination” of knocks to port knocking daemon running on FTP server and hence when they want to connect to FTP service, they simply send these knocks to the server and then start using FTP service. Question arises, what is the basic advantage of the additional step of sending knocks and then connecting to FTP service. Answer is simple; FTP service is not always running on server, it will get start once the correct port knocks are sent to server and dies out once it receive other predefined sequence of port knocks. This possible backdoor to business critical server is , therefore only be opened for a very short time and that is, when it is required essentially by business needs and is closed as soon , thereby avoiding chances of any malicious attacks.
In this article, I will try to cover implementation of port knocking on RHEL, using a very famous open source port knocking tool and most importantly will try to extend the idea of port knocking beyond simple firewall changes to some more complex system administration tasks.
Port Knocking – a basic Overview
Now let’s have a review on basic functionality of port knocker mechanism. As described earlier, in such implementations, Knockd is usually a port-knocking application or daemon which silently runs on a server passively listening to network traffic. Once it will see a port sequence it has an action configured for it, it will run that action. So while implementing port knocking technology, we usually start with installation of port knocker daemon, which once installed, start in background or foreground. We then configure some port sequences (tcp, udp, or both), and the appropriate actions for each sequence in this port knocker daemon configuration. Once, port knocker daemon senses this specified sequence, it execute the action (which in most of scenarios EXECUTION OF command to modify existing firewall rules).
This simple and basic port knocking implementation has faced some critics also. In point of view of some IT security professionals, use of predefined and fixes sequence of knocks, itself presents a security breach. To over come this, many port knocking implementations have been modified slightly. In these advanced implementation, port knocker daemon generates a random sequence of knocks and then clients use these knocks sequence to open door to business critical servers.
It should be noted down that port knocking mechanism should always be complimented by your native security techniques, so that even if a hacker manage to trap knock sequence , he should still be challenged by passwords prompt etc, before connecting to service.
The biggest advantage of all is that port knocking is platform-, service-, and application-independent: Any OS with the correct client and server software can take advantage of its protection. Although port knocking is mainly a Linux/Unix implementation, there are Windows tools that can do the same thing.
There is a valuable list of various port knocking implementations available at http://www.portknocking.org/view/implementations..
You can choose tool of your choice from this website. I selected “Knockd”, which is considered to be one of the most famous and robust implementation of port knocking mechanism for Linux and Unix.
Port Knocking and database security
Now we proceed towards possible extensions of port knocking mechanism. In my scenario, a business critical mysql based application, running on RHEL enterprise server require sometimes remote connections from DBA for basic database maintenance activities. I could not allow such remote database connections, all the time and from each and every possible IP address due to corporate security requirements. As a result, I decided to go for exploration of port knocking mechanism , so that it can be known whether it can help me in achieving my objective or not?
First of all, let’s start with Linux firewall tool (IPtables) itself. IPtables command with –A parameter append the filtering rule in last to the existing chain while –I parameter insert the rule into specific position within chain. It is important that with –I parameter, you have to put rule number (rule with rule number 1 will have priority over rule number 2 and so on).
Now to secure mysql connections to my database server (172.16.2.183), I first of all blocked network traffic on server’s mysql port (default 3306) coming from everywhere. For this purpose, I executed following command
#/home/root>iptables –A INPUT –p tcp –s 0/0 –d 172.16.2.183 --dport 3306 –j REJECT
Then I save this rule permanently.
#/home/root>iptables-save
Next step would be installation of knockd server software on RHEL box. I then download the rpm from RHEL network and install knockd rpm (knock-0.4-1.2.el4.rf).
I then customized /etc/knockd.conf file as follows:
-------------------------------------------------------------------------------------------------
[options]
logfile=/var/log/knockd.log
[DB2clientopen]
sequence = 7050,8050,9050
seq_timeout = 10
tcpflags = syn
command = /sbin/iptables -I INPUT 1 -p tcp -s 192.168.2.201 --sport 1024:65535 -d 172.16.2.183 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
[DB2clientclose]
sequence = 9050,8050,7000
seq_timeout = 10
tcpflags = syn
command = /sbin/iptables -D INPUT 1
-------------------------------------------------------------------------------------------------
As it is obvious from the above knockd.conf file format, there are two types of actions which will be executed by knockd daemon, depending upon knocking sequence it receives.
First, if it receive knock sequence of 7050, 8050 & 9050, knockd daemon will insert a IPchain rule with rule number 1 in input chain so that mysql database port connection will be opened from database administrator PC ( 192.168.2.201) only. On the other hand, if it receives knock sequence of 9050,8050, 7000 it will simply delete IPchain rule with rule number of 1 so that database remote access would be closed down once again.
I resolved my DBA PC ip address with hostname of ‘dbawin’ using /etc/hosts file and created a test database ‘test1’. I then created a user “test1” with password and grant privileges to user “test1” as follows:
#/home/root> mysql -u root test1
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 404 to server version: 5.0.21-standard-log
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql> create user test;
mysql> grant all privileges on *.* to ‘test@dbawin’ identified by ‘polanipass’ with grant option;
I then restarted knockd daemon in background using the command. It should be noted down that by default knockd daemon will start listening on eth0.
#/home/root> /usr/sbin/knockd –d
I then downloaded, windows based cygwin knock client and then go to DOS prompt of my DBA PC t to knock the knockd daemon with sequence:
C:\KNOCK\KNOCK\WINDOWS>knock.exe 172.16.2.183 9050 8050 7000
As a result of this knocking, Knockd daemon will execute iptables command mentioned in [DB2clientopen] section of knockd.conf and add the rule in INPUT chain to allow DB2 PC to connect to database running on server.
Now you can do the testing with windows based mysql database client (like SQLyog), which will connect to to mysql server easily.
Now if you knock database server with other knock sequence (9050, 8050, 7000), this remote connection will be disallowed. This time you will get “Access error” dialogue message with same client, thereby confirming proper functioning of knockd daemon.
It is obvious now that you can easily use knockd to ensure security control on remote connections to mysql database (and in general to any database), It is totally independent of the fact that whether source of remote connections to database is DBA PC or application server or web server. A more practical usage of this controlled access to database may be time based access, where corporate want to allow their application servers to access backend database till the day end business. For this purpose, execution of knock client with proper knock sequence from windows workstation can be scheduled as a batch script.
Port Knocking and system administration tasks
Using port knocking for performing remote system administration tasks is great idea, but I had never seen any example for that. So I decided to explore strength of port knocking mechanism to do the other system administration tasks, besides just changing firewall rules.
I just modified /etc/knockd.conf file to perform a system restart on one knock sequence and start a backup on tape drive for other sequence. I just restarted knockd daemon to make these changes effective and then tested actions on these knock sequences. Every thing well went well and system restart on first knock sequence and backup was started on second sequence.
--------------------------------------------------------------------------------------------------------
[options]
logfile=/var/log/knockd.log
[systemreboot]
sequence = 7050,8050,9050
seq_timeout = 10
tcpflags = syn
command = /usr/bin/reboot
[systembackup]
sequence = 9050,8050,7000
seq_timeout = 10
tcpflags = syn
command = /usr/bin/tar –cf /dev/rmt0 /home/root/
------------------------------------------------------------------------------------------------------
In this way, you can ask operators to use these port knock sequences to perform these basic system administration tasks (and many more), without having root user privileges.
You can also
Summary:
Port knocking is a very useful tool for systems security. It is because of its usefulness and robustness that number of its implementation and its users are growing rapidly. If you can open a door into closed black box for sometime to perform some system administration tasks, even without requirement of login to system, it can be very ideal for most of secured environments. However, it is always a good idea to secure your port knocks by keep changing these knocks frequently (or you can use some random seed generators to create random port knocks). Knock the box and get the tasks done, whichever you want to do.
About Author: Khurram Shiraz is Technical Consultant at GBM, Kuwait. In his eight years of IT experience, he worked mainly with IBM technologies and products especially AIX, HACMP Clustering, Tivoli and IBM SAN/ NAS Storage. He also has worked with IBM Integrated Technology Services group. His area of expertise includes design and implementation of high availability, security and DR solutions based on AIX, Linux and windows infrastructure. He can be reached at kshiraz12@hotmail.com
No comments:
Post a Comment