
seqknock-common

TCP Sequence number-based knocking; common sources

1 unstable release

0.1.0 Feb 25, 2023


GPL-2.0 OR Apache-2.0


NAME

seqknock - Use TCP sequence numbers to provide an in-band, hard-to-detect method of stream authentication, much like port knocking.

DESCRIPTION

Inspired by SilentKnock[1], seqknock installs firewall rules for the configured ports that only let TCP packets carrying the currently valid sequence number through the local firewall. Once a valid sequence number has been observed, it is invalidated for further authentication, and the stream it opened is allowed through using connection tracking.

Unlike SilentKnock, the algorithm is time-based, much like a standard TOTP, including the default period of 30s. This design decision was taken to simplify the firewall side of the implementation: the rules only need to be refreshed once per period, rather than reacting to individual connection attempts as the SilentKnock algorithm requires.

The upsides compared to port knocking are that no ports need to be opened in addition to the service port, that the mechanism relies fully on the local firewall, which ought to be a hardened piece of software, and that the knock packets are to a large degree indistinguishable from "normal" traffic.

The reference implementation of the MAC-based sequence number generator is available in the seqknock-common directory of the sources.

USAGE

For a server implementation, see seqknock-nftables. For a client implementation, see seqknock-proxycmd.

LIMITATIONS

Limited connection rate. With the default setting of 30s periods, users need to wait for a new sequence number to be rotated in before being able to reconnect. This can be alleviated by lowering the period, or by allowing overlapping periods by setting the tolerance to a multiple of the period (combined with the --fudge-time argument to seqknock-proxycmd). For specific clients, such as OpenSSH, control sockets (ControlMaster/ControlPath) can be used to multiplex further sessions over an already established connection. Make sure to read up on any security considerations beforehand. Finally, contention between multiple users can be solved by employing per-user PSKs.
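The following is an added example of the time-based, MAC-derived sequence number scheme and the tolerance window described above; it is not seqknock's own code. The crate's actual MAC, PSK format and message layout are not described on this page, so this stand-in assumes SipHash-2-4 from the Rust standard library as the keyed PRF and a message of port || counter; the key and timestamp in main are constructed for the demonstration.

```rust
// Added example (not seqknock's own code): a TOTP-style, MAC-based generator and
// verifier for knock sequence numbers. Assumptions: SipHash-2-4 from std stands
// in for the crate's unspecified MAC, and the message is port || counter.
use std::collections::HashSet;
#[allow(deprecated)] // std::hash::SipHasher is deprecated in std but still available
use std::hash::{Hasher, SipHasher};

/// Default period, as in TOTP and in seqknock.
pub const DEFAULT_PERIOD: u64 = 30;

/// Pre-shared key; SipHash takes a 128-bit key as two u64 halves
/// (assumption: the crate's real PSK format is not on this page).
#[derive(Clone, Copy, Debug)]
pub struct Psk(pub u64, pub u64);

/// Time-step counter, as in TOTP: floor(unix_time / period).
pub fn counter(unix_time: u64, period: u64) -> u64 {
    assert!(period > 0, "period must be positive");
    unix_time / period
}

/// Knock sequence number for (psk, port, counter): MAC(psk, port || counter)
/// truncated to the 32-bit width of the TCP sequence number field.
#[allow(deprecated)]
pub fn knock_seq(psk: Psk, port: u16, counter: u64) -> u32 {
    let mut mac = SipHasher::new_with_keys(psk.0, psk.1);
    mac.write(&port.to_be_bytes());
    mac.write(&counter.to_be_bytes());
    mac.finish() as u32
}

/// Server-side verifier. `tolerance` is the number of periods accepted on
/// each side of the current one (0 = only the current period).
pub struct Verifier {
    psk: Psk,
    port: u16,
    period: u64,
    tolerance: u64,
    used: HashSet<u32>,
}

impl Verifier {
    pub fn new(psk: Psk, port: u16, period: u64, tolerance: u64) -> Self {
        assert!(period > 0, "period must be positive");
        Verifier { psk, port, period, tolerance, used: HashSet::new() }
    }

    /// One sequence number per period in the tolerance window around `now`.
    fn window(&self, now: u64) -> Vec<u32> {
        let c = counter(now, self.period);
        let lo = c.saturating_sub(self.tolerance);
        let hi = c.saturating_add(self.tolerance);
        (lo..=hi).map(|k| knock_seq(self.psk, self.port, k)).collect()
    }

    /// Every sequence number the firewall should currently let through to
    /// `port`: the window minus the numbers already spent.
    pub fn valid_seqs(&self, now: u64) -> Vec<u32> {
        self.window(now).into_iter().filter(|s| !self.used.contains(s)).collect()
    }

    /// Accept a SYN with sequence number `seq` seen at time `now`. Returns true
    /// at most once per sequence number, so a sniffed knock cannot be replayed.
    pub fn accept(&mut self, seq: u32, now: u64) -> bool {
        let window = self.window(now);
        // Forget spent numbers that have rotated out of the window.
        self.used.retain(|s| window.contains(s));
        if !window.contains(&seq) || self.used.contains(&seq) {
            return false;
        }
        self.used.insert(seq);
        true
    }
}

fn main() {
    let psk = Psk(0x0123_4567_89ab_cdef, 0xfedc_ba98_7654_3210); // constructed key
    let now = 1_700_000_000; // constructed timestamp
    let mut server = Verifier::new(psk, 22, DEFAULT_PERIOD, 1);
    // Client side: the knock for the current period becomes the SYN's ISN.
    let isn = knock_seq(psk, 22, counter(now, DEFAULT_PERIOD));
    println!("client ISN for port 22: {:#010x}", isn);
    println!("first SYN accepted:    {}", server.accept(isn, now));
    println!("replayed SYN accepted: {}", server.accept(isn, now + 5));
}
```

On the real client the computed value has to be installed as the initial sequence number of the connecting socket, which is what seqknock-proxycmd uses TCP_REPAIR for; on the server the list returned by valid_seqs is what the per-period firewall rules would match on, and accept models the invalidation of a knock once it has been seen.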

Only Linux supported for client/server. This implementation relies heavily on Linux-only features, such as nftables on the server side and the TCP_REPAIR socket option on the client side. Server support may be extended to other platforms by adding an abstraction for other firewall technologies, but client support will be trickier to implement.

Need for root on the client side. Sadly, using TCP_REPAIR requires the CAP_NET_ADMIN capability, so there is no way around running the client with it. An alternative would be a privileged service handing out pre-"repaired" sockets over Unix domain sockets, but that is clunkier.

The role of port knocking (and by extension sequence knocking) in a security context is contested. With the correct scope it can be useful, for example as a low-effort way (compared to e.g. IPsec) of hiding services from port scanning utilities and services. It should not be relied upon as a method of authentication, but rather to provide a layer of obscurity on top of an already secured protocol, such as SSH or TLS.

AUTHOR

Jonas Eriksson

HOMEPAGE

https://git.sr.ht/~upto/seqknock/

REFERENCES

[1] https://www-users.cse.umn.edu/~hoppernj/silentknock_esorics.pdf
