Rule to remove from address list

I have set up port knock as instructed on a support page I found. The only downside is that I must leave the IP on the knock_1 and knock_2 address lists for about 60 seconds each (using a PS script to do the pinging).

So hitting port 1234 adds 1.2.3.4 to knock_1.
Hitting port 2345, if 1.2.3.4 exists on list knock_1, it gets added to list knock_2.
Hitting port 3456, if 1.2.3.4 exists on list knock_2, it gets added to list approved_ip.

Since I must leave 1.2.3.4 on lists knock_1 and _2 for some period of time (in my case 30 seconds) then it’s possible that someone comes along and hits all ports within 30 seconds and opens the door.

Is there a way to create a set of rules to do this:

Hitting port 1234 adds 1.2.3.4 to knock_1.
Hitting port 2345, if 1.2.3.4 exists on list knock_1, it gets added to list knock_2 AND IMMEDIATELY REMOVED FROM KNOCK_1.
Hitting port 3456, if 1.2.3.4 exists on list knock_2, it gets added to list approved_ip AND IMMEDIATELY REMOVED FROM KNOCK_2.

Why are you using port knock vice WireGuard, for example?

This needs to be simple. People are coming from various platforms, not just Windows. And I can't expect them to be installing VPN or other clients.

I want to have a simple method to keep the ports closed unless it’s someone that should have access. Port knock is simple and largely (but not perfectly) effective. It’ll discourage the bad guys enough that they’ll go fishing somewhere else.

With port knock, I can use a little .bat script to call powershell test-connection, which allows you to specify the port number to be pinged. You can also use Telnet to hit the three ports in succession.

Wireguard is cross platform and very simple, but understood.

If you're using a script that runs quickly to do the port knock, then the timeout doesn't have to be so long (e.g. 30s). If you lowered that you'd reduce the window.

But there is no "remove from address-list" firewall action, so you're up against that. And there is no action=script in firewall either to do the remove. Nor can you poll the address-list from a scheduler script, since there would still be a delay and the timing would be off.

People might have come up with other schemes, but AFAIK the address-list one is the simplest. I'd lower the timeout in the address-list.

Additionally: port scanners most often probe ports sequentially (often from low ports towards higher), but you can require the port knock sequence to follow some random pattern. Also possible is to mix different L4 protocols (TCP, UDP, ICMP), but feasibility depends on client software (if it's able to use different L4 protocols). All of this makes the probability for a port scanner to accidentally open the port pretty slim.
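The three-stage chain the OP asked for, written out as RouterOS firewall rules with the shorter address-list timeouts recommended in the reply above and the mixed-protocol variant suggested in this one. This is an added example, not a config from the thread or from MikroTik's documentation. Since RouterOS has no "remove from address-list" action, the knock_1 and knock_2 entries still expire by timeout only; the out-of-order trap (knock_fail list) is an added hardening step that the thread does not discuss, and the port numbers, list names, 10s/1h/1m timeouts and the protected port 2222 are all placeholder assumptions.

```routeros
# Added example, not from the thread. RouterOS cannot remove an entry from an
# address list from a firewall rule, so each stage relies on a short
# address-list-timeout instead. Ports, list names, timeouts and the protected
# service port (2222) are placeholder assumptions.
/ip firewall filter
# Existing sessions are never subject to the knock logic.
add chain=input connection-state=established,related action=accept \
    comment="allow established/related"
# Sources that hit a non-knock port mid-sequence are parked here (see the
# trap rules below) and ignored until the entry expires.
add chain=input src-address-list=knock_fail action=drop \
    comment="drop sources that broke the knock sequence"
# Stage 3 (TCP): on knock_2 and hits 64249/tcp -> approved_ip for 1 hour.
add chain=input protocol=tcp dst-port=64249 src-address-list=knock_2 \
    action=add-src-to-address-list address-list=approved_ip \
    address-list-timeout=1h comment="knock stage 3 (tcp) -> approved_ip"
# Stage 3 (ICMP echo) as an alternative to the TCP rule above, for clients
# that can send pings but not arbitrary TCP connects. Disabled by default.
add chain=input protocol=icmp icmp-options=8:0-255 src-address-list=knock_2 \
    action=add-src-to-address-list address-list=approved_ip \
    address-list-timeout=1h disabled=yes \
    comment="knock stage 3 (icmp echo) -> approved_ip"
# Stage 2 (UDP): on knock_1 and hits 26481/udp -> knock_2. This mixes L4
# protocols as suggested above; change protocol=udp to protocol=tcp for
# TCP-only clients such as Test-Connection.
add chain=input protocol=udp dst-port=26481 src-address-list=knock_1 \
    action=add-src-to-address-list address-list=knock_2 \
    address-list-timeout=10s comment="knock stage 2 (udp) -> knock_2"
# Stage 1 (TCP): anyone hitting 54823/tcp -> knock_1. The 10s timeout must be
# longer than the gap between the client's successive knocks, but no longer.
add chain=input protocol=tcp dst-port=54823 \
    action=add-src-to-address-list address-list=knock_1 \
    address-list-timeout=10s comment="knock stage 1 (tcp) -> knock_1"
# Wrong-order trap (added hardening, not discussed in the thread): a source
# that is mid-sequence and opens a new TCP connection to anything other than
# a knock port goes on knock_fail for a minute. A sequential scanner lands on
# knock_1 at 54823 and is trapped on its very next port (54824), so it can
# never walk the rest of the sequence within the timeout window.
add chain=input protocol=tcp connection-state=new src-address-list=knock_1 \
    dst-port=!54823,26481,64249 action=add-src-to-address-list \
    address-list=knock_fail address-list-timeout=1m \
    comment="out-of-order hit while on knock_1"
add chain=input protocol=tcp connection-state=new src-address-list=knock_2 \
    dst-port=!54823,26481,64249 action=add-src-to-address-list \
    address-list=knock_fail address-list-timeout=1m \
    comment="out-of-order hit while on knock_2"
# Only approved sources may reach the protected service (2222 is a placeholder).
add chain=input protocol=tcp dst-port=2222 src-address-list=approved_ip \
    action=accept comment="protected service for knocked-in sources"
# Knock ports are never answered: they fall through to this final drop. Put any
# LAN/management accepts you already have above this line.
add chain=input action=drop comment="default deny on input"
```

The add-src-to-address-list action is non-terminating, so a knock packet is recorded and then falls through to the final drop; the knock ports therefore never answer, which is what keeps them invisible to a scanner. The trap rules exclude all three knock ports so that TCP SYN retransmits from a slow client do not trip them. Verify the flow with `/ip firewall address-list print` while a client knocks, and with `/log print` after adding `log=yes` to any stage you want to watch.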

Understood re TCP and UDP, but Test-Connection only does TCP.

Also understood re sequential port scans. That’s why I set the honey trap on SSH (port 22). Have caught about 200 flies per day.

and re 30 seconds…

test-connection takes about 15 seconds to time out on each ping, and there’s no way to control that. So I set the timeout to 30 to leave a little wiggle room.

I think the port 22 honey trap will stop most of these chuckleheads, and the port knock for the rest will be icing on the cake.

I think I will change the sequence of ports before my customers get too far down the road with this one.

Thanks.

If you can log, then you can create an event to remove. But port knocking can work fine by setting a timeout on an IP address as you write.

You don’t have to wait for the test connection to time out (unless whatever you are using to generate the knock is too stupid). I have some port knocks in use that are all TCP and I have bookmarks in my web browser to activate them. I select the first knock, wait all of a second or so and stop the attempt, then select the second. Repeat for however many steps there are (up to six in my case). As mentioned, use very random ports for the knocks. One other thing I am doing is that I have two ISPs, so some steps have to come in via the fiber and some steps have to come in via the cable. So for example, one of my knocks is something like this (not the actual port numbers):
Step 1 - port 54823 via the cable
Step 2 - port 26481 via the fiber
Step 3 - port 64249 via the fiber
Step 4 - port 34972 via the cable
If you get through that, the family room computer will get sent WOL packets - so not a high security requirement. For things that want more security, there are more difficult things.