Knock, knock. Who’s there?
Reading about port knocking can be as clear as diving headfirst into a bog whilst wearing a snorkel. Some people love it, but for most of us, it tends to cause a long moment whilst we digest what we’re reading followed by an urge to go and do absolutely anything else.
This article will attempt to explain to the average person exactly what SSH knocking is, what it's used for, how it's misused and whether you really need to worry about it.
SSH is defined as:
“A cryptographic network protocol for secure data communication, remote command-line login, remote command execution, and other secure network services between two networked computers.”
Which basically means that it's a component of most modern operating systems that allows computers to communicate across the Internet without a third party interfering.
It manages this by encrypting the communication between the computers and facilitating a secure exchange of information, but sadly it's not that simple, because of a multitude of faceless hackers.
Whenever a remote computer tries to connect to another computer, it does this via ports. A port is kind of like a door: the remote computer sends a data packet to it as a knock, and the port responds much as someone would open a door to a knock and engage in a conversation or dialogue with the person knocking.
Incidentally, this is where your computer's firewall comes into play: blocking a specific port is very similar to barring your door. Without the firewall closing the port, the computer's protocol, as with most householders, is to answer the knock.
Now, if you didn't want to answer the door to just anyone, you could give them a secret knock sequence, the kind of thing that features largely in spy films. So when you hear that specific sequence of knocks, you know it's okay to open the door.
This could get chaotic if you had a lot of traffic to that door or computer port, especially if you had a legitimate person knocking and two or three third parties, or hackers, also knocking. You'd certainly never be able to tell the difference, and even worse, the unwanted visitors could listen to the secret knock and fool you into opening the door!
Fortunately, operating systems have thousands of ports, and the various systems knocking on them are normally invisible to each other.
Here is where SSH Port Knocking becomes useful.
When the remote computer wants to gain entry legitimately to a closed port, it knocks on several of the other ports in a specific sequence. This causes the gatekeeper program, or 'daemon', on the system being knocked on (if pre-programmed to do so by the system admin) to open the firewall.
Using our house analogy, it would be similar to having several doors: the caller still has to perform his specific knock, but only on selected doors.
Each system seeking access is also invisible to the others unless someone is using what’s called a ‘Packet Sniffer.’
A packet sniffer is like an old-fashioned phone trace, or an eavesdropper hiding in the bushes. It can see the network traffic, so, theoretically, it could capture the right sequence of knocks, see which port has opened to allow access, and then copy that illegitimately.
This eavesdropping is defeated by the use of cryptography and blacklists, which change the knock based upon a unique hash key known only to the two systems.
The hash key is a way of changing the knock sequence into a code that only the systems holding that hash key can interpret.
So the secret knock becomes a secret knock in a secret language known only to the two systems, and one which could change depending on the time of day.
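To make the two ideas above concrete, here is a toy sketch added to this article (it is not code from any real knocking tool): the knock sequence is derived from a shared secret and a time window, so a sniffed sequence is useless once the window rolls over, and a small daemon watches firewall log lines for the sequence, with a timeout so that slow or wrong knocks start over. The secret, the log line format and the IP addresses are all constructed for the example.

```python
import hmac
import hashlib
import re

SECRET = b"constructed-shared-secret"  # constructed for this example

def expected_sequence(secret: bytes, window: int, length: int = 3) -> list[int]:
    """Constructed scheme: derive the knock sequence from a shared secret and a
    time window, so a sniffed sequence is useless once the window rolls over."""
    digest = hmac.new(secret, str(window).encode(), hashlib.sha256).digest()
    # each pair of digest bytes picks one port in the unprivileged range 1024..65535
    return [1024 + int.from_bytes(digest[2 * i:2 * i + 2], "big") % 64512
            for i in range(length)]

class KnockDaemon:
    """Tracks each source's progress through the sequence, the way a knock daemon
    watches the firewall's log of dropped packets."""
    def __init__(self, sequence: list[int], timeout: int = 10):
        self.sequence, self.timeout = sequence, timeout
        self.progress: dict[str, tuple[int, int]] = {}  # src -> (next index, start)

    def observe(self, ts: int, src: str, dport: int) -> bool:
        idx, start = self.progress.get(src, (0, ts))
        if ts - start > self.timeout or dport != self.sequence[idx]:
            idx, start = 0, ts  # too slow or wrong door: start the sequence over
            if dport != self.sequence[0]:
                self.progress.pop(src, None)
                return False
        idx += 1
        if idx == len(self.sequence):  # full knock seen: the firewall would open for src
            self.progress.pop(src, None)
            return True
        self.progress[src] = (idx, start)
        return False

LOG_RE = re.compile(r"^(\d+) DROP SRC=(\S+) DPT=(\d+)$")  # constructed log format

def sources_admitted(log_lines: list[str], sequence: list[int]) -> list[str]:
    daemon = KnockDaemon(sequence)
    hits = [(int(m[1]), m[2], int(m[3])) for m in map(LOG_RE.match, log_lines) if m]
    return [src for ts, src, dport in hits if daemon.observe(ts, src, dport)]

def demo() -> list[str]:
    now, prev = expected_sequence(SECRET, 100), expected_sequence(SECRET, 99)
    events = [(1, "203.0.113.5", now[0]), (2, "203.0.113.5", now[1]), (3, "203.0.113.5", now[2]),
              # eavesdropper replays last window's knock and is turned away
              (4, "198.51.100.9", prev[0]), (5, "198.51.100.9", prev[1]), (6, "198.51.100.9", prev[2])]
    return sources_admitted([f"{t} DROP SRC={s} DPT={p}" for t, s, p in events], now)
```

Running demo() admits only 203.0.113.5; the replayed knock from the previous window never completes the current sequence.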
Port knocking can be used for other things as well as opening a port. A specific sequence could cause the listening program, the 'daemon', to perform a function or run a program on the remote system.
There are a number of programs available for Linux and Windows systems that implement this function, and whilst port knocking hasn't been widely adopted in the mainstream community, it is a staple of the hacking community and has been for a long time.
It is often found in rootkits: stealth programs that hide on a remote system and allow a hacker to access it without detection by the legitimate users or by detection programs.
Ultimately, SSH Knocking is an invisible function performed by specialist software, and chances are that if you need it, you already know about it, or have a specialist who knows about it.
For the average user, all you need to do is make sure that your firewall is up to date and configured properly.