Ipt_pkd is software that adds a port knock detection feature to iptables.
Ipt_pkd is an extension of iptables that offers port knock detection features. It is comprised of three elements: the kernel module ipt_pkd, the iptables user space module libipt_pkd.so, and a user space client knock program. Knock packets are generated using a UDP packet containing a SHA-256 of a timestamp, a small header, random bytes, and a shared key sent to a random port. The package is checked using ipt_pkd to verify the time window of the packet and verify its SHA-256. The shared key is never sent.
For instance, in protecting ssh (port 22), iptables are used to apply the following rules:
iptables -A INPUT -p udp -m pkd --key test -m recent --set --name PKD
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --rcheck --name PKD --seconds 60 --hitcount 1 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j DROP
These ruling will discard any new SSH connection attempts made unless a valid knock packet has been seen for the incoming client IP within the last 60 seconds. The hitcount can control how many times you have to knock; however, in the rules above, you would change the '--set' to '--update' instead; if not, the hitcount would not surpass 1.
To examine how long a session should be, you can set a drop on all packets to '--dport 22' and customize the '--seconds' to cover the session length. The installation requires kernel headers for the kernel module, iptables-dev, and libssl-dev for knock, as it uses the SHA256 library from openssl. You can run the make; make install command as root after all needed dependencies have been installed.
The client knock program presents itself in two forms, knock.c and knock.py. The knock.c version acquires the host from the command line and seeks a password. The knock.py version reads its data from an ini file (default ~/.ipt_pkd.ini), which is incorporated in the distribution's package.
The libipt_pkd.so is then installed in /lib/iptables, so if the iptables modules are in a different directory, you must move them. However, the kernel module uses the kernel installer, so it is unclear where it will be installed. Sometimes depmod -a must be manually run afterward if an "iptables: No chain/target/match by that name" error occurs. Likewise, knock does not have a specific installation directory; hence, it can be put anywhere. After packaging, it is believed that it'll end up in /usr/bin or /usr/local/bin.
The Makefile's IPT_VERS may need to be manually set, as running /sbin/iptables -V might fail if it's on a different system path. Also, it's unclear which iptables version it is compatible with. The software has been successfully tested on multiple machines with various operating system versions, including VMWare client 32 bit running Ubuntu Fiesty 2.6.20-16 kernel and iptables 1.3.6, x86 32bit running Debian unstable 2.6.22-686 kernel and iptables 1.3.8, x86_64 64bit running Sidux
For instance, in protecting ssh (port 22), iptables are used to apply the following rules:
iptables -A INPUT -p udp -m pkd --key test -m recent --set --name PKD
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --rcheck --name PKD --seconds 60 --hitcount 1 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j DROP
These ruling will discard any new SSH connection attempts made unless a valid knock packet has been seen for the incoming client IP within the last 60 seconds. The hitcount can control how many times you have to knock; however, in the rules above, you would change the '--set' to '--update' instead; if not, the hitcount would not surpass 1.
To examine how long a session should be, you can set a drop on all packets to '--dport 22' and customize the '--seconds' to cover the session length. The installation requires kernel headers for the kernel module, iptables-dev, and libssl-dev for knock, as it uses the SHA256 library from openssl. You can run the make; make install command as root after all needed dependencies have been installed.
The client knock program presents itself in two forms, knock.c and knock.py. The knock.c version acquires the host from the command line and seeks a password. The knock.py version reads its data from an ini file (default ~/.ipt_pkd.ini), which is incorporated in the distribution's package.
The libipt_pkd.so is then installed in /lib/iptables, so if the iptables modules are in a different directory, you must move them. However, the kernel module uses the kernel installer, so it is unclear where it will be installed. Sometimes depmod -a must be manually run afterward if an "iptables: No chain/target/match by that name" error occurs. Likewise, knock does not have a specific installation directory; hence, it can be put anywhere. After packaging, it is believed that it'll end up in /usr/bin or /usr/local/bin.
The Makefile's IPT_VERS may need to be manually set, as running /sbin/iptables -V might fail if it's on a different system path. Also, it's unclear which iptables version it is compatible with. The software has been successfully tested on multiple machines with various operating system versions, including VMWare client 32 bit running Ubuntu Fiesty 2.6.20-16 kernel and iptables 1.3.6, x86 32bit running Debian unstable 2.6.22-686 kernel and iptables 1.3.8, x86_64 64bit running Sidux
What's New
Version 1.4: N/A