The Shell in the Ghost
I recently came across an incredible concept and implementation by Michael Rash. It's called fwknop, which stands for FireWall KNock OPerator. Wait though, don't stop reading yet!!
Before you close the browser in utter disgust at me suggesting port knocking in 2017: this isn't just port knocking. In fact it's a shame it's even called that, as it leads to confusion, with certain people mistaking it for security through obscurity.
Allow me to paraphrase/describe what the concept is here:
- All ports on the server are set to default DENY
- The fwknop daemon (fwknopd) sits behind a UDP port (udp/62201 by default) that the firewall drops like any other, and sniffs the dropped packets with libpcap rather than listening on a socket
- It is looking for an SPA (Single Packet Authorization) packet from the client: a request encrypted with a shared Rijndael key (plus an HMAC) or with GPG, containing source_IP + port_to_open along with random data and a timestamp. Including the source IP means a captured packet can only ever open the port for the original client's address, and fwknopd additionally caches a digest of every packet it has accepted, so a straight replay of a capture is rejected outright
- If fwknopd finds a valid packet it opens the requested port, e.g. tcp/22 for ssh, temporarily and only for that source IP address
- A neat piece to this is the addition of the iptables rule `iptables -I INPUT 1 -i eth0 -p tcp -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` so that established sessions remain open even after the temporary rule issued by fwknop has expired
- The client can then connect via ssh (no excuse for anything less than key-based auth!!) as they would normally
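To make the exchange concrete, here is an added toy model of SPA in Python. It is not fwknop's code or wire format (fwknop encrypts the whole packet with Rijndael or GPG and appends an HMAC; the key, addresses and JSON layout below are made up for illustration), but it shows the checks fwknopd makes before it touches the firewall: the HMAC, the timestamp window, and a digest cache that rejects a replayed capture. The source-IP match mirrors fwknopd's optional REQUIRE_SOURCE_ADDRESS setting, and the rule strings are the shape of what gets inserted, not fwknopd's exact chain layout.

```python
"""Toy model of fwknop-style Single Packet Authorization (SPA).

Added illustration, not fwknop's own code or wire format: fwknop encrypts the
whole packet (Rijndael or GPG) and adds an HMAC; here the request stays in
cleartext JSON and is only authenticated with HMAC-SHA256, which is enough to
show the checks that matter: authenticity, freshness, replay, and source.
"""
import base64
import hashlib
import hmac
import json
import os
import time

# Constructed example key; in fwknop this lives in /etc/fwknop/access.conf.
SHARED_KEY = b"example-shared-hmac-key-do-not-reuse"
TAG_LEN = 32  # HMAC-SHA256 output length in bytes


def build_spa(key, allow_ip, proto, port, now=None, nonce=None):
    """Client side: authenticate (nonce, timestamp, allow_ip, proto/port).

    The nonce makes every packet unique so the server can detect replays, and
    allow_ip binds the request to one address so a captured packet is useless
    to anyone who cannot also receive traffic for that address.
    """
    body = json.dumps({
        "nonce": (nonce or os.urandom(16)).hex(),
        "ts": int(now if now is not None else time.time()),
        "allow_ip": allow_ip,
        "access": f"{proto}/{port}",
    }, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return base64.b64encode(body + tag).decode()


class SpaServer:
    """Server side: what fwknopd does with a sniffed packet before opening anything."""

    def __init__(self, key, window=120):
        self.key = key
        self.window = window  # accepted clock skew in seconds
        self.seen = set()     # digest cache; fwknopd keeps one on disk

    def verify(self, packet, src_ip, now=None):
        """Return (request, reason); request is None unless every check passes.

        Nothing is ever sent back to the client, whatever the reason: the only
        observable effect of a good packet is the firewall rule it produces.
        """
        now = now if now is not None else time.time()
        try:
            raw = base64.b64decode(packet, validate=True)
        except ValueError:
            return None, "garbage"
        if len(raw) <= TAG_LEN:
            return None, "garbage"
        body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):  # constant-time compare
            return None, "bad-hmac"
        digest = hashlib.sha256(raw).hexdigest()
        if digest in self.seen:
            return None, "replay"         # identical packet already honoured
        req = json.loads(body)
        if abs(now - req["ts"]) > self.window:
            return None, "stale"
        if req["allow_ip"] != src_ip:     # like fwknopd's REQUIRE_SOURCE_ADDRESS
            return None, "ip-mismatch"
        self.seen.add(digest)
        return req, "ok"


def base_rules(iface="eth0"):
    """Static policy the SPA rule sits on top of: default deny plus the
    conntrack rule that keeps an ssh session alive after the SPA rule expires."""
    return [
        "iptables -P INPUT DROP",
        f"iptables -I INPUT 1 -i {iface} -p tcp -m conntrack "
        "--ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]


def open_rule(req, iface="eth0"):
    """Temporary accept rule for a verified request (assumed shape, as a command string)."""
    proto, port = req["access"].split("/")
    return (f"iptables -I INPUT 1 -i {iface} -p {proto} -s {req['allow_ip']} "
            f"--dport {port} -j ACCEPT")


if __name__ == "__main__":
    server = SpaServer(SHARED_KEY)
    pkt = build_spa(SHARED_KEY, "203.0.113.7", "tcp", 22)
    req, why = server.verify(pkt, "203.0.113.7")
    print(why, open_rule(req) if req else "(no rule)")
    print(server.verify(pkt, "203.0.113.7")[1])  # same capture again: replay
```

With the real client the equivalent request is `fwknop -A tcp/22 -a <your ip> -D <server>` (or `-R` to let the client resolve its public address); the model above is only there to show why a sniffed SPA packet is worthless to the sniffer.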
The crux of this is that UDP packets don't require a handshake, and that fwknopd sniffs packets instead of listening for them: there is no service socket to fingerprint and very little opportunity for side channel attacks.
For any attacker scanning this box it essentially doesn't have any ports open. Coupled with the cryptography behind SPA, it wouldn't be a good use of an attacker's time to attempt brute force or even any level of reconnaissance, as they get no feedback from the box at all. I think this could be a great addition to hardening a cloud bastion; see my previous post for details on that setup in Google Cloud Platform.
Makes me wonder how many of these “stealth-bastions” live out there 🤔
Go find some and tell me about how you did it!!