README.md
+5-4
Original file line number
Diff line number
Diff line change
@@ -38,19 +38,20 @@ can only be accessed after a successful knock sequence.
38
38
22 to Client.
39
39
40
40
### EXAMPLE WITH ONE TIME PASSWORD AND SRC IP PROTECTION
41
-
Traditional knock approach does not protect the system from MITM attack. If the attacker sniffs the traffic and sends the same packet sequence to knockd, he gains access to the system. To avoid this we can change the port sequence after predefined number of seconds, pretty much like Google Authentcator does. However, even in this case, there is a chance, that attacker sends the same nocks sequence soon after the valid user did and thus will gain access to the system. To completely avoid this MITM threat we have to make a random port sequence dependent not only on time of packets sent, but also on source ip address of the sender. The example below shows the section of knockd config file, that provides exactly this scenario:
41
+
Traditional knock approach does not protect the system from MITM attack. If the attacker sniffs the traffic and sends the same packet sequence to knockd, he gains access to the system. To avoid this we can change the port sequence after predefined number of seconds, pretty much like Google Authentcator does. However, even in this case, there is a chance, that the attacker will send the same knocks sequence soon after the valid user sent it and thus will gain access to the system. To completely avoid this MITM threat we have to make a random port sequence dependent not only on time of the packets sent, but also on source ip address of the sender. The example below shows the section of knockd config file, that provides exactly this scenario:
42
42
43
43
otp = AAgR%XXx30O$#, 45, 20000, on, tcp, udp, tcp
44
44
45
45
in this section
46
46
47
47
- AAgR%XXx30O$# is a seed which is used to generate one time port numbers sequence
48
-
- 45 is otp_change_time. The time in secs of how often we are changing our dynamic port numbers
49
-
- 20000 is a ports range starting point (unsigned short). This is starting point of 256 numbers area used for random port numbers generation. Usually is bigger then 1000. Each port number is generated by an algorythm in the range of 0-255 and then added to this number. So, in this examples port numbers from a range of 20000-20255 will be generated each time.
50
-
- on is ip_protection flag (boolean on/off). It specifies if we need additional ports generated based on mix of the key and sender ip to validate sender. Only in rear cases where the sender can't know for sure it's public IP address or if internet provider has several public IP addresses which are used on round-robin basis for providing internet access to its customers, this flag should be set to off. In these rear cases only time-based port generation might be used, which is less secure, but better than nothing.
48
+
- 45 is otp_change_time. The time in secs of how often we change our dynamic port numbers
49
+
- 20000 is a ports range starting point (unsigned short). This is a starting point of 256 numbers area, used for random port numbers generation. Usually is bigger then 1000. Each port number is generated by an algorythm in the range of 0-255 and then added to this number. So, in this examples a random port numbers within a range of 20000-20255 will be generated each time.
50
+
- on is ip_protection flag (boolean on/off). It specifies if we need additional ports generated based on mix of the key and the sender ip address to validate sender. Only in rear cases where the sender can't know for sure it's public IP address or if internet provider has several public IP addresses which are used on round-robin basis for providing internet access to its customers, this flag should be set to off. In these rear cases only time-based port generation might be used, which is less secure, but better than nothing.
51
51
- tcp, udp, tcp - protocol sequence. These are the protocols used for every generated port sequence. The number of protocol names defines the number of port numbers derived from the seed. If ip_protection flag is set to on, additional random port numbers are generated based on src ip of a sender. The number and types of these additional ports are the same as the primary ones. In this examples 3 additional port numbers will be generated resulting in total 6 port numbers seqence of these protocols: tcp, udp, tcp, tcp, udp, tcp
52
52
53
53
A simple bash script knockd.sh is included as a knocking client to illustrate the whole processs
54
+
To build knockd openssl should be installed. Usually "-lssl -lm" linker options is enough to build knockd
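Review bot: The build note on the final added line says `-lssl -lm` is usually enough, but OpenSSL's digest and HMAC routines (the part a one-time port generator would need) live in libcrypto, not libssl; suggest `-lcrypto -lm` (add `-lssl` only if TLS APIs are actually called) so a fresh build does not fail at link time. In the rewritten line 41, "completely avoid this MITM threat" overstates what binding the sequence to the source address buys: a sniffer behind the same NAT as the legitimate client, or anyone able to send from the client's address, can still replay within the same otp_change_time window, so "mitigate" is the honest word and the text could point readers to a short otp_change_time as the compensating control. Several typos survive the edit and could be fixed in the same commit: "Authentcator" -> "Authenticator", "algorythm" -> "algorithm", "bigger then" -> "bigger than", "rear cases" -> "rare cases", "this examples" -> "this example", "seqence" -> "sequence", "processs" -> "process".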