Port knocking is a method of externally opening ports on a firewall by generating a connection attempt on a set of prespecified closed ports.
Once a correct sequence of connection attempts is received, the firewall rules are dynamically modified to allow the host which sent the connection attempts to connect over specific port(s)."
These systems provide an additionnal layer of security to a system
(namely security through obscurity), but are known to have a critical flaw : static sequences.
For instance, packet sniffing could be used by an attacker to discover the port knock sequences, and therefore get unauthorized access to the server.
This open-source system, written in Python 3,
is an attempt to solve this issue by dynamically defining new ports sequences.
Those sequences are random, and are transmitted via a third-party service: Telegram.
Using Telegram has some nice advantages, notably per-user and per-group rights management, which are handy for managing the server in an organization.
While there is always room for improvement, the system is in a stable version, and can be used in a production environment.To use the server, you will first need to get a Telegram bot. It's free and very easy !
Next, modify the file Server/pks/config.py to fit your needs.
Next, follow this tutorial (also available in the docstring of the file Server/setup.py) and configure your server by following along the first part (IPTables).
Note: be careful when modifying your iptables, especially if you're connected via SSH.
When installing iptables-persistent, the service is automatically launched, but you need to configure the saved rules with the command
cd ~ && touch rules.v4 && sudo iptables-save >> rules.v4 && sudo mv rules.v4 /etc/iptables/
Next, update your packages with sudo apt-get update (modify to fit your distro) and put the server files in a local public directory (such as /var/app/) and launch sudo python3 setup.py.
Finally, you want to launch the server as a daemon, by opening the root crontab
sudo crontab -e
and adding the line
@reboot sudo screen -AmdS pks python3 /var/app/run_server.py
Reboot, test, and you're good to go !
To manage the PKS server instance, use the command screen. First, modify the file Client/pksclient/config.py to fit your needs.
Next, you need to install the python requirements listed in Client/requirements.txt.
To do so, launch the command
pip install -r requirements.txt
And you're good to go !
The workflow for the client is :
- Configure the PKS client.
- Connect to Telegram, and send `/help` to the bot configured in the server part.
- The list of available commands will appear.
- Send `/generate` to the bot, it will answer a series of ports.
- Prepare your SSH shell (or such), then launch the PKS client, enter the three ports, and press enter. You will then have about 30 seconds to initiate connection. The port will close automatically after this delay.