Sigknock

What is Sigknock?

You might know the concept of "portknocking". The idea is to protect a TCP or UDP port so that only a person who knows a certain "secret" can reach the service behind it. In portknocking, the secret is a particular sequence of connection attempts to other ports. For example, the portknocking daemon could be configured to allow access to TCP port 22 (ssh) only if the client first attempts a connection on port 1782, then on port 123, then on port 9089, then on port 12311, and so on. It is comparable to a traditional safe - only the person who knows the combination can open it.

While the idea is nice, the concept has a serious flaw: it is not safe against replay attacks. Anyone sniffing the line can record the knock sequence and simply replay it to open the port. This is like someone filming the person who opens the safe and thereby learning the combination.

Instead of a knocking sequence, sigknock uses a challenge-response protocol built on digital signatures. This way a person can cryptographically prove their identity to the server: the server generates a challenge, the client signs it with their private key, and the signed result is sent back to the server, which verifies it against the public key it holds for that user. A sniffer learns nothing reusable, because each challenge is freshly generated at random and is only valid for a single request, and producing a valid signature on a new challenge requires the private key.
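The exchange described above, as an added example that is not sigknock's code and does not use GnuPG: a stand-alone Python sketch of the server side (a keyring of registered public keys, a table of outstanding challenges, and the set of source/port pairs that have been opened) and of the client side (sign the challenge). The signature scheme is a textbook RSA-over-SHA-256 toy standing in for GnuPG, deliberately unpadded and with a 512-bit modulus so the demo runs in well under a second; it is not secure and exists only so the protocol can be run offline. The class and function names, the 30-second challenge lifetime and the sample addresses are my own assumptions, not anything sigknock specifies.

```python
# Added example: one-time random challenge, client signs, server verifies.
# The RSA below is a toy stand-in for GnuPG (textbook, unpadded): demo only.
import hashlib
import secrets
import time

CHALLENGE_TTL = 30.0  # assumed: seconds an unanswered challenge stays valid

def _is_probable_prime(n, rounds=32):
    """Miller-Rabin after a few trial divisions."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # top and low bit set
        if _is_probable_prime(cand):
            return cand

def generate_keypair(bits=512):
    """Return (public, private) as (e, n), (d, n). Toy size, demo only."""
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    return (e, p * q), (pow(e, -1, phi), p * q)

def _digest(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")

def sign(priv, msg):
    """Textbook RSA on the SHA-256 digest (no padding: toy only)."""
    d, n = priv
    return pow(_digest(msg), d, n)

def verify(pub, msg, sig):
    e, n = pub
    return pow(sig, e, n) == _digest(msg)

class KnockServer:
    """Server side of the knock: keyring, outstanding challenges, opened rules."""

    def __init__(self):
        self.keyring = {}    # uid -> public key (the GnuPG keyring in sigknock)
        self.pending = {}    # nonce -> (uid, issue time); every nonce is single-use
        self.opened = set()  # (src_ip, port) pairs the firewall now lets through

    def add_key(self, uid, pub):
        self.keyring[uid] = pub

    def challenge(self, uid, now=None):
        """Issue a fresh random challenge for uid, or None if uid is unknown."""
        if uid not in self.keyring:
            return None
        nonce = secrets.token_bytes(32)
        self.pending[nonce] = (uid, time.time() if now is None else now)
        return nonce

    def respond(self, nonce, sig, src_ip, port, now=None):
        """Check a signed challenge. The nonce is consumed on first use, valid or not."""
        now = time.time() if now is None else now
        rec = self.pending.pop(nonce, None)
        if rec is None:
            return False   # never issued, or already used: a replay
        uid, issued = rec
        if now - issued > CHALLENGE_TTL:
            return False   # stale: the client took too long
        if not verify(self.keyring[uid], nonce, sig):
            return False   # wrong key: not this user
        self.opened.add((src_ip, port))
        return True

def demo():
    """Honest knock, then a replay of it, then a forgery attempt on a new challenge."""
    uid = "John Doe <john@doe.com>"
    pub, priv = generate_keypair()
    srv = KnockServer()
    srv.add_key(uid, pub)
    nonce = srv.challenge(uid)
    sig = sign(priv, nonce)                                 # John signs the challenge
    accepted = srv.respond(nonce, sig, "198.51.100.7", 22)  # constructed addresses
    replayed = srv.respond(nonce, sig, "203.0.113.9", 22)   # sniffer replays the same pair
    nonce2 = srv.challenge(uid)
    _, other_priv = generate_keypair()                      # attacker's own key
    forged = srv.respond(nonce2, sign(other_priv, nonce2), "203.0.113.9", 22)
    return accepted, replayed, forged

if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The point to notice is in respond(): the nonce is popped from the pending table before anything else is checked, so a recorded (challenge, signature) pair is worthless the moment the first copy arrives, and a challenge that was issued but never answered dies after CHALLENGE_TTL instead of lingering as a standing target. The attacker who asks for a challenge of their own gets one, but cannot sign it without John's private key.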

Additionally, sigknock is tightly integrated into iptables, the Linux firewall facility. In fact, it is a so-called iptables "match" that you can use anywhere in your rules! You can allow access to certain ports, control who is allowed to use NAT, or decide who may send traffic out at all, to name only a few applications.

Sigknock uses GnuPG on both the server and the client side for maximum security. GnuPG is recognised as secure by hundreds of experts around the world. I really prefer to use such a well-tested product as the basis for sigknock's cryptographic algorithms instead of a custom implementation of my own. I'm a programmer and not a cryptanalyst.

Features

Please refer to the Sigknock Administrator's How-To for more information. It comes with the distribution and covers installation, configuration and use of Sigknock, as well as some sample scenarios.

Here is a sample scenario from the aforementioned howto, just to whet your appetite :-)

Protecting the SSH port, also using connection state match

Suppose you want to protect your SSH port so that only "John Doe" can connect to port 22. The port shall be closed again as soon as John Doe has connected to it. The rest of the server's firewall rules shall stay unaffected (so no playing with the chain policies etc.).

The idea is to accept only established connections by default, so no one can get in in the first place. Then we add a rule that allows NEW connections only after a successful signature knock. This is the only way to establish a connection.

# we accept already established connections to the ssh-port
iptables -A INPUT -p tcp --dport 22 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

# now, accept NEW connections only after a successful signature knock for John Doe;
# --close-after-syn closes the port again as soon as John Doe's connection is accepted
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m sigknock --uid \
    "John Doe <john@doe.com>" --close-after-syn -j ACCEPT

# and drop the rest (e.g. unauthorized connection attempts etc.)
iptables -A INPUT -p tcp --dport 22 -j DROP

Download

Sigknock is distributed under the terms of the GPL. The current version is 1.0 which you can download here:

sigknock-1.0.tar.bz2 (GnuPG signature against my key)

Authorship, Credits

Sigknock was written in 2004 by Thomas Wana <thomas@wana.at>.
