Netgate Discussion Forum
Portknocking-Daemon-GUI or Package –> {CANCELED}

    heiko
    last edited by Mar 28, 2007, 7:31 PM

    Excuse me, the German date translation is abnormal for other people, I think..

    The offer will be dropped at Year = 2007 ; Month = May, Day = 01

    I hope this is understandable.
    Greetings
    heiko

      sullrich
      last edited by Mar 28, 2007, 8:16 PM

      I will be taking this one on as soon as you declare time based rules a success.

        heiko
        last edited by Mar 28, 2007, 8:57 PM

        OK, I am awaiting the finished time-based rules system. Then we could arrange "portknocking".
        greetings
        heiko

          heiko
          last edited by Mar 29, 2007, 10:30 AM

          Hello Scott,
          One extension: I want to block countries, and I know from another thread that this is implemented in HEAD. Can you backport this to a production PFSENSE-RELENG-SNAPSHOT version?

          Portknocking = 500 €
          Blocking-Countries= 250 €

          Are you disposed to this extension? It would be very nice.

          I know, I am a nag... :)
          Greetings from Germany
          heiko

            sullrich
            last edited by Mar 29, 2007, 3:21 PM

            No, I am afraid not.  We are about to enter beta status as soon as the final Time Based Rules bugs are fixed.

            Sorry!  Maybe on next version.

              heiko
              last edited by Mar 29, 2007, 9:32 PM

              OK, thanks, then we can arrange the port knocking when the time-based rules are finished.

                JeGr LAYER 8 Moderator
                last edited by Apr 5, 2007, 7:52 AM

                Don't want to disturb the thread, but I'm curious what you (or people generally) want to use portknocking for, and (if that's generally possible with pfsense/freebsd/pf) whether authpf wouldn't be a better/other approach to the desired result. Coming from the OpenBSD side, I used authpf for quite a few thingies people want portknocking for, so I thought I should maybe throw this in here.

                Greets Grey

                  sullrich
                  last edited by Apr 5, 2007, 5:28 PM

                  Yes it is possible: http://doorman.sourceforge.net/

                    sullrich
                    last edited by Apr 7, 2007, 8:13 PM

                    Looks like doorman will not be a suitable package as it requires a client to do the knocking….  Need to find a package that works with PF and does not require a client.

                      heiko
                      last edited by Apr 7, 2007, 8:34 PM

                      I agree with that. The project on sourceforge is not really active, I think?

                        cmb
                        last edited by Apr 8, 2007, 12:50 AM

                        Every port knocking daemon is going to require a client. It could be something as simple as a batch file/shell script that telnets to several ports, but they all need a client of some sort. It's no different from OpenVPN, in that it requires a client that we don't provide.

                        I say start with doorman, if it doesn't work for some technical or compatibility reason, move on to something else.

                          BuddhaChu
                          last edited by Apr 8, 2007, 2:34 AM

                          Doorman requires a specific client in that it transmits the knock in one UDP packet on one port and doesn't knock on several ports in certain order (the way most "normal" portknocking setups work).

                          My point being that Joe Blow just can't grab any old portknocking client... it would need to do the following:

                          This particular implementation deviates a bit from his original proposal, in that the doorman watches for only a single UDP packet.  To get the doorman to open up, the packet must contain an MD5 hash which correctly hashes a shared secret, salted with a 32-bit random number, the identifying user or group-name, and the requested service port-number.

                          I guess if you enable this package in your pfSense box, you better be prepared to use a specific client.

                            heiko
                            last edited by Apr 8, 2007, 8:38 AM

                            Hmm, would it be better if I cancel this bounty and we say "no solution is safe and requires a specific client"??
                            If portknocking under BSD/pf is not possible or the solution is not safe, then I'm doubtful about creating a solution for pfsense?!

                            A portknocking package is nice but not by hook or by crook!!

                            What do you think, Scott? I don't know? :'(
                            Greetings
                            heiko

                              BuddhaChu
                              last edited by Apr 8, 2007, 11:30 AM

                              Don't cancel it on account of what I said.  :(

                                sullrich
                                last edited by Apr 8, 2007, 6:24 PM

                                I think you should not listen to the back seat drivers.  Let me keep digging around for a solution.  I have been trying to get knockd ported from Linux and am about 60% done.

                                If you have a 3-4 knock key, i.e.:

                                telnet ip 945
                                telnet ip 5678
                                telnet ip 1234
                                telnet ip 4756

                                Then I don't see how much this will hurt.  Besides, what exactly are you planning on exposing once you knock?  The webConfigurator or possibly SSH?

                                  heiko
                                  last edited by Apr 8, 2007, 7:54 PM

                                  I set the Bounty for the portknocking feature to

                                  1000 €

                                  Greetings
                                  Heiko

                                    DanielSHaischt
                                    last edited by Apr 8, 2007, 8:18 PM

                                    Just to document what I've found about port knocking so far:

                                    research paper:
                                    http://www.runtux.com/files/download/portknock.4.pdf

                                    fwknop - promising but Linux based:
                                    http://www.cipherdyne.org/fwknop/

                                    trapdoor2 - may work out of the box on BSD:
                                    http://oss.linbit.com/trapdoor2/

                                    webknocking - an alternative approach in some kind of an early stage:
                                    http://www.webknocking.de/semaphor.php?item=webknocking_en

                                    Reverse Remote Shell - Very interesting but needs a client:
                                    http://www.cycom.se/dl/rrs

                                    and of course:
                                    http://www.portknocking.org/view/implementations

                                    Mit freundlichen Gruessen / With kind regards
                                    DAn.I.El S. Haischt

                                      sullrich
                                      last edited by Apr 9, 2007, 12:11 AM

                                      I will continue porting knockd over to FreeBSD.  It seems to be the nicest of the bunch.

                                        cmb
                                        last edited by Apr 9, 2007, 1:39 AM

                                        From what I can see, knockd appears to just allow you to set up a sequence of ports, and any old connection to those ports will work. Well... while it's widely compatible, it's next to worthless. Unless you change the ports and sequence every time somehow, it's highly insecure. First time you use it on a hot spot, or if someone intercepts your traffic some other way, you're compromised. Granted it wouldn't be the only security measure you would rely upon, but there are much more secure ways of doing this.

                                        doorman is nice in that intercepting the traffic in transit doesn't completely eliminate the security provided. See the quote in BuddhaChu's post above. The only way I can think of to do this securely will require a client like doorman.

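The contrast drawn in BuddhaChu's and cmb's posts above, as an added example that is not part of the thread or of doorman's or knockd's code: a static port sequence is accepted from whoever repeats it, while a per-packet salted hash lets the daemon verify the shared secret and refuse a captured packet a second time. The secret, the `salt:name:port:digest` payload layout and the verifier are constructed assumptions modelled on the quoted description, not doorman's actual wire format.

```python
import hashlib
import hmac
import os
import struct

# Constructed values for this example; not doorman's real secret or wire format.
SHARED_SECRET = b"example-shared-secret"
KNOCK_SEQUENCE = (945, 5678, 1234, 4756)  # the static sequence quoted above


def static_sequence_opens(observed_ports):
    """knockd-style check: whoever replays the captured port order gets in."""
    return tuple(observed_ports) == KNOCK_SEQUENCE


def knock_digest(secret, salt, name, port):
    """MD5 over secret, 32-bit salt, identity and requested port (assumed
    field layout; MD5 is what the quoted doorman description names)."""
    msg = secret + struct.pack("!I", salt) + name.encode() + struct.pack("!H", port)
    return hashlib.md5(msg).hexdigest()


def build_knock(secret, name, port, salt=None):
    """Client side: one UDP payload 'salt:name:port:digest' with a fresh salt."""
    if salt is None:
        salt = struct.unpack("!I", os.urandom(4))[0]
    return f"{salt}:{name}:{port}:{knock_digest(secret, salt, name, port)}"


class KnockVerifier:
    """Daemon side: check the digest and refuse salts already used (replay)."""

    def __init__(self, secret, allowed_ports):
        self.secret = secret
        self.allowed = set(allowed_ports)
        self.seen_salts = set()

    def verify(self, packet):
        try:
            salt_s, name, port_s, digest = packet.split(":")
            salt, port = int(salt_s), int(port_s)
        except ValueError:
            return (False, "malformed")
        if port not in self.allowed:
            return (False, "port not permitted")
        if salt in self.seen_salts:
            return (False, "replayed salt")
        expected = knock_digest(self.secret, salt, name, port)
        if not hmac.compare_digest(expected, digest):
            return (False, "bad hash")
        self.seen_salts.add(salt)  # a captured packet cannot be reused
        return (True, f"open port {port} for {name}")
```

A real daemon would also bound `seen_salts` (for example by age) so the replay set does not grow without limit.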
                                          yoda715
                                          last edited by Apr 10, 2007, 5:54 PM

                                          From a security standpoint, a port knocking daemon that requires a client is the best option.
