Documentation

This file describes the current Perl implementation, requirements and installation steps. Please contact me if you cannot get the sripts to run.

readme

################################################################
#
# $Id: README,v 1.8 2004/07/05 22:10:03 martink Exp $
#
# Copyright 2002-2004 Martin Krzywinski (martink@bcgsc.ca)
#
# This file is part of a Perl port knocking implementation.
#
# This port knocking implementation is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This port knocking implementation is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Clusterpunch; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
#
################################################################

PORT KNOCKING

Prototype Perl Implementation v0.30

To access the man pages,

  knockclient -man
  knockdaemon -man

################################################################

0. REQUIREMENTS

0a. Perl

In order to run this Perl implementation, you will require Perl v5.005+
and the following modules, available from CPAN (www.cpan.org)

Config::General;
File::Tail;
Crypt::CBC;
Crypt::Blowfish (or another Crypt::XXX module, depending on your choice
                 of encryption)
Math::VecStat;
Net::Pcap
NetPacket
Pod::Usage;
Schedule::At;
Storable

                                    ------

0b. Firewall

You can use any firewall whose rules can be dynamically modified using
system binaries.

If you use the daemon in file mode, you will need a firewall log file 
that can be monitored by the server. The format of the pertinent parts
of the log file line is defined in  in knockdaemon.conf.

                                    ------

0c. Ports

You will need to close 2^N ports, not necessarily contiguous (e.g. 600-699,800-898,
900,968-1023). I suggest keeping N as large as possible (e.g. 15) and 
definitely no smaller than 8. A large N will keep your knocks short.

Make sure the ports are set to DENY (or DROP in iptables) to keep your system stealthy.

Some sample port spans are

  portspan = 600-699,800-898,900,968-1023 (256)
  portspan = 500-4595 (4096)
  portspan = 1024-5000,6000-25000,26000-35789 (32768)

If you use the daemon in file mode, you need to turn on logging 
of all connection attempts to these ports. For ipchains, this is done using

/sbin/ipchains -I input -p tcp -s $REMOTENET -d $FIREWALL 745:1000 -j DENY -l

For iptables, use the LOG chain. Whenever someone connects to any of these ports
you will see corresponding entries in your firewall log file.

                                    ------

0d. Customizing

Read the comments in the knockclient.conf and knockdaemon.conf files to learn 
how to customize their behaviour. Make sure that the appropriate settings are
synchronized in these files. For example, if you're using encryption you must
have the same key, cipher and IV setting.

                                    ------

0d. References

Background information, usage tips and the latest distribution of the port knocking Perl 
implementation can be found at

  http://www.portknocking.org

Documentation in man/html/txt format is included in the archive in doc/. You can access
documentation for knockclient and knockdaemon using

  knockclient -man
  knockdaemon -man

The original publication of Port Knocking is

Krzywinski, M. 2003. Port Knocking: Network Authentication Across Closed Ports. SysAdmin Magazine 12: 12-17.