Saturday, 10 July 2010

Hiding open ports using SPA and port knocking


SPA (Single Packet Authorization) and port knocking are two technologies with the same goal: hiding Internet-facing services. In most cases they are used to conceal remote management services such as SSH and RDP.
Both work on the same principle: you send one or more specially crafted packets to a host, and the host opens a defined port or ports on its firewall. The main difference between them is the type of packets. With SPA you send a single encrypted packet that carries the information about what to open. With port knocking you send empty packets to specific destination ports (TCP, UDP or both) in a particular order; the server analyses the incoming traffic, recognises the sequence and instructs the firewall to open access for your IP address.
The great advantage of both technologies is that they do not listen on any port themselves: they just sniff the traffic.
Port knocking has two main drawbacks. Firstly, there is no encryption, so the sequence of packets can be sniffed. Secondly, it is not very reliable: quite often some of the packets are lost and you have to resend the whole sequence several times.

Example of port knocking configuration
As the port knocking daemon I used knockd. You can install it from the standard Ubuntu repositories. Here is an example of its main configuration file,
/etc/knockd.conf:

[SSH]
sequence = 26515:tcp,8924:tcp,58666:tcp,32342:tcp,5427:tcp
seq_timeout = 15
start_command = /sbin/iptables -A INPUT -s %IP% -p tcp --syn --dport 22222 -j ACCEPT
cmd_timeout = 60
stop_command = /sbin/iptables -D INPUT -s %IP% -p tcp --syn --dport 22222 -j ACCEPT

[Osiris]
sequence = 9674:tcp,54190:tcp,25668:tcp,19684:tcp,35056:tcp
seq_timeout = 15
start_command = /conf/ssh %IP%
cmd_timeout = 60
stop_command = /conf/ssh_del

seq_timeout defines the time window in which the server must receive all packets of the sequence. cmd_timeout determines how long the door stays open before stop_command is run.

As you can see, the second section contains no iptables commands. This is because that section is for a Windows server. I didn't find a suitable knock daemon for Windows, so I had to build a workaround: the user knocks on the Linux server, and the Linux server then sends the firewall commands to the Windows server over SSH. Here are the contents of the ssh script:

/usr/bin/ssh -i /conf/id_rsa -l user 212.176.29.163 ipfw add 1000 allow tcp from $1 to me 3389 in setup

As you can see, ipfw for Windows is installed :) A very complicated scheme.
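To make the knockd semantics above concrete, here is a small simulated sequence matcher (an added example, not knockd's own code) that applies the [SSH] section's sequence, seq_timeout and cmd_timeout to a constructed stream of sniffed packets and records which start_command and stop_command would run. The source addresses are constructed, and discarding the whole attempt on a wrong or lost knock is a simplifying assumption about knockd's behaviour.

```python
# Simplified model of a knockd-style sequence matcher (added example, not knockd's own code).
from collections import namedtuple
# Fields mirror the knockd.conf keys; %IP% in the commands is the knocking source address
KnockRule = namedtuple("KnockRule", "name sequence seq_timeout start_command cmd_timeout stop_command")

def parse_sequence(text):
    # "26515:tcp,8924:tcp" -> [(26515, "tcp"), (8924, "tcp")], the knockd.conf syntax
    return [(int(p), proto.lower()) for p, proto in (item.split(":") for item in text.split(","))]

class KnockMatcher:
    def __init__(self, rules):
        self.rules = rules
        self.attempts = {}      # (rule name, src ip) -> (next index, time of first knock)
        self.open_until = []    # (expiry time, stop command) for doors currently open
        self.executed = []      # commands that "ran", in order

    def packet(self, ts, src, dport, proto):
        # One sniffed packet: the daemon never answers, it only watches the sequence
        for rule in self.rules:
            key = (rule.name, src)
            idx, first = self.attempts.get(key, (0, ts))
            if ts - first > rule.seq_timeout:        # too slow: forget the partial sequence
                idx, first = 0, ts
            if (dport, proto) != rule.sequence[idx]: # wrong or lost knock: start over (assumption)
                self.attempts.pop(key, None)
                continue
            if idx + 1 < len(rule.sequence):         # partial match: remember the progress
                self.attempts[key] = (idx + 1, first)
                continue
            self.attempts.pop(key, None)             # full sequence seen: open the door
            self.executed.append(rule.start_command.replace("%IP%", src))
            self.open_until.append((ts + rule.cmd_timeout, rule.stop_command.replace("%IP%", src)))

    def tick(self, now):  # run stop_command for every door whose cmd_timeout has passed
        self.executed.extend(cmd for exp, cmd in self.open_until if exp <= now)
        self.open_until = [(exp, cmd) for exp, cmd in self.open_until if exp > now]

SSH_RULE = KnockRule("SSH", parse_sequence("26515:tcp,8924:tcp,58666:tcp,32342:tcp,5427:tcp"), 15,
                     "/sbin/iptables -A INPUT -s %IP% -p tcp --syn --dport 22222 -j ACCEPT", 60,
                     "/sbin/iptables -D INPUT -s %IP% -p tcp --syn --dport 22222 -j ACCEPT")

def demo():
    # Constructed packets: one complete knock, then one whose third knock was lost in transit
    m = KnockMatcher([SSH_RULE])
    for ts, port in [(1.0, 26515), (1.4, 8924), (1.9, 58666), (2.3, 32342), (2.8, 5427)]:
        m.packet(ts, "203.0.113.7", port, "tcp")
    for ts, port in [(5.0, 26515), (5.5, 8924), (6.0, 32342), (6.5, 5427)]:
        m.packet(ts, "203.0.113.9", port, "tcp")   # never completes: the door stays shut
    m.tick(70.0)                                    # 60 s after opening, the door is closed again
    return m.executed
```

The second client illustrates the reliability drawback: one dropped packet means the rest of the sequence is wasted and the whole knock has to be sent again.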

Example of SPA configuration based on passwords
Here we use fwknop-server. It is also available in the Ubuntu repositories. Main configuration file /etc/fwknop/access.conf:

SOURCE: ANY;
OPEN_PORTS: tcp/22;
KEY: secret;
FW_ACCESS_TIMEOUT: 30;
SOURCE: ANY;
ENABLE_EXTERNAL_CMDS: Y;
KEY: key;
EXTERNAL_CMD_OPEN: /conf/ssh $SRC;
EXTERNAL_CMD_CLOSE: /conf/ssh_del;
FW_ACCESS_TIMEOUT: 30;

Here everything is pretty simple. The second SOURCE section again describes the workaround for the Windows server, using external commands. Instead of knock sequences, KEYs are used.
To send an SPA packet we use the fwknop client:

fwknop -D 192.168.1.1 -A tcp/22 -s 10.10.0.1
