Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Portknocking-Daemon-GUI or Package –> {CANCELED}

    Scheduled Pinned Locked Moved Expired/Withdrawn Bounties
    42 Posts 9 Posters 26.1k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S
      sullrich
      last edited by

      No, I am affraid not.  We are about to enter beta status as soon as the final Time Based Rules bugs are fixed.

      Sorry!  Maybe on next version.

      1 Reply Last reply Reply Quote 0
      • H
        heiko
        last edited by

        OK, thanks, then we can arrange the port knocking when the timebased rules are finished

        1 Reply Last reply Reply Quote 0
        • JeGrJ
          JeGr LAYER 8 Moderator
          last edited by

          Don't want to disturb the thread but I'm curious for what you (or people generally) want to use portknocking for and (if that's generally possible doing with pfsense/freebsd/pf) if authpf wouldn't be a better/other approach to the desired result. Coming from the OpenBSD side I used authpf for quite a few thingies, people want portknocking for, so I thought I should maybe throw this in here.

          Greets Grey

          Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

          If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

          1 Reply Last reply Reply Quote 0
          • S
            sullrich
            last edited by

            Yes it is possible: http://doorman.sourceforge.net/

            1 Reply Last reply Reply Quote 0
            • S
              sullrich
              last edited by

              Looks like doorman will not be a suitable package as it requires a client to do the knocking….  Need to find a package that works with PF and does not require a client.

              1 Reply Last reply Reply Quote 0
              • H
                heiko
                last edited by

                i agree with that. The project is on sourceforge not really active, i think?

                1 Reply Last reply Reply Quote 0
                • C
                  cmb
                  last edited by

                  Every port knocking daemon is going to require a client. It could be something as simple as a batch file/shell script that telnets to several ports, but they all need a client of some sort. It's no different from OpenVPN, in that it requires a client that we don't provide.

                  I say start with doorman, if it doesn't work for some technical or compatibility reason, move on to something else.

                  1 Reply Last reply Reply Quote 0
                  • B
                    BuddhaChu
                    last edited by

                    Doorman requires a specific client in that it transmits the knock in one UDP packet on one port and doesn't knock on several ports in certain order (the way most "normal" portknocking setups work).

                    My point being that Joe Blow just can't grab any old portknocking client…it would need to do the following:

                    This particular implementation deviates a bit from his original proposal, in that the doorman watches for only a single UDP packet.  To get the doorman to open up, the packet must contain an MD5 hash which correctly hashes a shared secret, salted with a 32-bit random number, the identifying user or group-name, and the requested service port-number.

                    I guess if you enable this package in your pfSense box, you better be prepared to use a specific client.

                    1 Reply Last reply Reply Quote 0
                    • H
                      heiko
                      last edited by

                      Hmm, would it be better if i cancel this bounty and we say "no solution is safe and required a specific client"??
                      If Portknocking under BSD/pf is not possible or the solution is not safety so i´m doubtful to create a solution for pfsense?!

                      A portknocking package is nice but not by hook or by crook!!

                      What do you think Scott? I don´t know? :'(
                      Greetings
                      heiko

                      1 Reply Last reply Reply Quote 0
                      • B
                        BuddhaChu
                        last edited by

                        Don't cancel it on account of what I said.  :(

                        1 Reply Last reply Reply Quote 0
                        • S
                          sullrich
                          last edited by

                          I think you should not listen to the back seat drivers.  Let me keep digging around for a solution.  I have been trying to get knockd ported from Linux and am about 60% done.

                          If you have a 3-4 knock key, ie:

                          telnet ip 945
                          telnet ip 5678
                          telnet ip 1234
                          telnet ip 4756

                          Then I don't see how much this will hurt.  Besides, what exactly are you planning on exposing once you knock?  The webConfigurator or possibly SSH?

                          1 Reply Last reply Reply Quote 0
                          • H
                            heiko
                            last edited by

                            I set the Bounty for the portknocking feature to

                            1000 €

                            Greetings
                            Heiko

                            1 Reply Last reply Reply Quote 0
                            • D
                              DanielSHaischt
                              last edited by

                              Just to document what I've found about port knocking so far:

                              research paper:
                              http://www.runtux.com/files/download/portknock.4.pdf

                              fwknop - promissing but Linux based:
                              http://www.cipherdyne.org/fwknop/

                              trapdoor2 - may work out of the box on BSD:
                              http://oss.linbit.com/trapdoor2/

                              webknocking - an alternative approach in some kind of an early stage:
                              http://www.webknocking.de/semaphor.php?item=webknocking_en

                              Reverse Remote Shell - Very interesting but needs a client:
                              http://www.cycom.se/dl/rrs

                              and of course:
                              http://www.portknocking.org/view/implementations

                              Mit freundlichen Gruessen / With kind regards
                              DAn.I.El S. Haischt

                              1 Reply Last reply Reply Quote 0
                              • S
                                sullrich
                                last edited by

                                I will continue porting knockd over to FreeBSD.  It seems to be the nicest of the bunch.

                                1 Reply Last reply Reply Quote 0
                                • C
                                  cmb
                                  last edited by

                                  From what I can see, knockd appears to just allow you to setup a sequence of ports, and any old connection to those ports will work. Well….while it's widely compatible, it's next to worthless. Unless you change the ports and sequence every time somehow, it's highly insecure. First time you use it on a hot spot, or if someone intercepts your traffic some other way, you're compromised. Granted it wouldn't be the only security measure you would rely upon, but there are much more secure ways of doing this.

                                  doorman is nice in that intercepting the traffic in transit doesn't completely eliminate the security provided. See the quote in BuddhaChu's post above. The only way I can think of to do this securely will require a client like doorman.

                                  1 Reply Last reply Reply Quote 0
                                  • Y
                                    yoda715
                                    last edited by

                                    From a security standpoint, a port knocking daemon that requires a client is the best option.

                                    1 Reply Last reply Reply Quote 0
                                    • H
                                      heiko
                                      last edited by

                                      Hello,

                                      my statement to this discussion:

                                      the knockd daemon runs passively listening to network traffic without opening any network ports. Even though it is practically impossible to an attacker to see that we are running knockd on the server, and try to guess the knock sequences we have configured.

                                      Some general common sense security rules for the knockd, so "Scott"  - this must be implemented as default settings in the gui:

                                      • NEVER use default sequences. I have included in my example for this reason the default 7000,8000,9000 sequence to not create another default pattern. Choose your own port sequences.

                                      • Use at least 3 ports in the sequence. If you are paranoic you can use as many ports as you like.

                                      • Mix tcp ports (default, if you do not specify the protocol) with udp ports: 9000:tcp,8000:udp,7000:tcp

                                      Even if someone might hit by mistake the configured sequences try to prevent any damage: choose proper timeouts for running the command, use strong passwords as default (required in the GUI), etc.

                                      So i think knockd is the first option for me. ;D

                                      1 Reply Last reply Reply Quote 0
                                      • S
                                        sullrich
                                        last edited by

                                        @heiko:

                                        So i think knockd is the first option for me. ;D

                                        Sonuds good.  I will keep porting it but will not have time to work on it again until tomorrow or Wed as we are about to release 1.2-BETA-1.

                                        1 Reply Last reply Reply Quote 0
                                        • H
                                          heiko
                                          last edited by

                                          No problem, good work!

                                          1 Reply Last reply Reply Quote 0
                                          • C
                                            cmb
                                            last edited by

                                            Heiko, I know you want something that doesn't require a client, but that's the only way to do this securely. It doesn't really matter how many ports you use, how random they are, and whether you mix TCP and UDP, knockd is still insecure. Anyone that can intercept your traffic can bypass it, and you never know who's intercepting your traffic.

                                            doorman seems to have a client available for pretty much any OS, and is a secure way to accomplish the same thing. I encourage you to strongly consider doorman over knockd.

                                            From an email conversation - neither Scott nor I would use knockd ourselves, but we'd be comfortable using doorman, if that tells you anything. :) But Scott is willing to implement either one to satisfy your bounty.

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.