seqknock-common

Crates.ioseqknock-common
lib.rsseqknock-common
version0.1.0
sourcesrc
created_at2023-02-25 11:49:38.747462
updated_at2023-02-25 11:49:38.747462
descriptionTCP Sequence number-based knocking; common sources
homepagehttps://git.sr.ht/~upto/seqknock/
repositoryhttps://git.sr.ht/~upto/seqknock/
max_upload_size
id794294
size20,486
Jonas Eriksson (zqad)

documentation

README

NAME

seqknock - Use TCP sequence numbers to provide an in-band, hard-to-detect method of stream authentication, much like port knocking.

DESCRIPTION

Inspired by SilentKnock[1], seqknock will install firewall rules for configured ports that only allow TCP packets with a given sequence number through the local firewall. Whenever a valid sequence number is observed, it's invalidated for further authentication, and the observed stream is allowed through using connection tracking.

Unlike SilentKnock, the algorithm is time-based much like a standard TOTP, including the default period of 30s. This design decision was taken to simplify the implementation into the firewall, as it has a limited need for reactiveness unlike the SilentKnock algorithm.

The upsides from port knocking are that no additional ports needs to be opened in addition to the service port. It also relies fully on the local firewall, which ought to be a hardened piece of software. Finally, the packets are to a large degree indistinguishable from "normal" traffic.

The reference implementation of the MAC-based sequence number generator is available in the seqknock-common directory of the sources.

USAGE

For a server implementation, see seqknock-nftables. For a client implementation, see seqknock-proxycmd.

LIMITATIONS

Limited connection rate. With the default setting of 30s periods, users need to wait for a new sequence number to be rotated in before being able to reconnect. This can be alleviated by lowering the period, or allowing for overlapping periods by setting the tolerance to a multiple of the period (combined with the --fudge-time argument to seqknock-proxycmd. For specific clients, such as OpenSSH, Control Sockets can be used. Make sure to read up on any security considerations beforehand. Finally, contention between multiple users can be solved by employing per-user PSKs.

Only Linux supported for client/server. This implementation relies heavily on Linux-only features, such as nftables on the server side, and the TCP_REPAIR option for sockets on the client side. Server support may be extended to other platform by just adding an abstraction for other firewall technologies, but client support will be trickier to implement.

Need for root on the client side. Sadly, there is no other option to using TCP_REPAIR than run with the CAP_NET_ADMIN capability. Options include having a service handing out pre-"repaired" sockets over Unix Domain Sockets, but it's clunkier.

The role of port knocking (and by relation sequence knocking) in a security context is contended. With the correct scope, it can be useful such as providing a low-entry (compared to e.g. IPsec) way of hiding services from port scanning utilities and services. It should not be relied upon as a method of authentication, but rather to provide a layer of obscurity on top of an already secured protocol, such as SSH or TLS.

AUTHOR

Jonas Eriksson

HOMEPAGE

https://git.sr.ht/~upto/seqknock/

REFERENCES

[1] [https://www-users.cse.umn.edu/~hoppernj/silentknock_esorics.pdf]

Commit count: 0

cargo fmt