Crates.io | seqknock-common |
lib.rs | seqknock-common |
version | 0.1.0 |
source | src |
created_at | 2023-02-25 11:49:38.747462 |
updated_at | 2023-02-25 11:49:38.747462 |
description | TCP Sequence number-based knocking; common sources |
homepage | https://git.sr.ht/~upto/seqknock/ |
repository | https://git.sr.ht/~upto/seqknock/ |
max_upload_size | |
id | 794294 |
size | 20,486 |
seqknock - Use TCP sequence numbers to provide an in-band, hard-to-detect method of stream authentication, much like port knocking.
Inspired by SilentKnock[1], seqknock will install firewall rules for configured ports that only allow TCP packets with a given sequence number through the local firewall. Whenever a valid sequence number is observed, it's invalidated for further authentication, and the observed stream is allowed through using connection tracking.
Unlike SilentKnock, the algorithm is time-based much like a standard TOTP, including the default period of 30s. This design decision was taken to simplify the implementation into the firewall, as it has a limited need for reactiveness unlike the SilentKnock algorithm.
The upsides from port knocking are that no additional ports needs to be opened in addition to the service port. It also relies fully on the local firewall, which ought to be a hardened piece of software. Finally, the packets are to a large degree indistinguishable from "normal" traffic.
The reference implementation of the MAC-based sequence number generator is available in the seqknock-common directory of the sources.
For a server implementation, see seqknock-nftables. For a client implementation, see seqknock-proxycmd.
Limited connection rate. With the default setting of 30s periods, users need to
wait for a new sequence number to be rotated in before being able to reconnect.
This can be alleviated by lowering the period, or allowing for overlapping
periods by setting the tolerance to a multiple of the period (combined with the
--fudge-time
argument to seqknock-proxycmd. For specific clients, such as
OpenSSH, Control Sockets can be used. Make sure to read up on any security
considerations beforehand. Finally, contention between multiple users can be
solved by employing per-user PSKs.
Only Linux supported for client/server. This implementation relies heavily on
Linux-only features, such as nftables on the server side, and the TCP_REPAIR
option for sockets on the client side. Server support may be extended to other
platform by just adding an abstraction for other firewall technologies, but
client support will be trickier to implement.
Need for root on the client side. Sadly, there is no other option to using
TCP_REPAIR
than run with the CAP_NET_ADMIN
capability. Options include
having a service handing out pre-"repaired" sockets over Unix Domain Sockets,
but it's clunkier.
The role of port knocking (and by relation sequence knocking) in a security context is contended. With the correct scope, it can be useful such as providing a low-entry (compared to e.g. IPsec) way of hiding services from port scanning utilities and services. It should not be relied upon as a method of authentication, but rather to provide a layer of obscurity on top of an already secured protocol, such as SSH or TLS.
Jonas Eriksson
https://git.sr.ht/~upto/seqknock/
[1] [https://www-users.cse.umn.edu/~hoppernj/silentknock_esorics.pdf]