OpenWrt Forum Archive

Topic: Luci interface for fwknopd, a secure port knocking solution

The content of this topic has been archived on 7 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Fwknopd, written by Michael Rash, over at Cipherdyne (http://www.cipherdyne.org/fwknop/) is a port knocking daemon that uses a single encrypted packet, rather than a port knocking sequence.

I've put together a Luci interface for OpenWrt, and it's now in trunk. luci-app-fwknopd is ready for use. It will take a couple of days for the packages to get built by the buildbots, but it can be compiled now.

If the fwknop client is installed as well as the luci app, keys are autogenned on the first reboot after install. The keys aren't enabled until a box is checked in the luci interface.

Go forth and test, use, and feel free to ask questions or make suggestions.

Sounds interesting!
I'm a bit confused though. How would this be of interest for a home user, like I am?
Please advise.

bouwew wrote:

Sounds interesting!
I'm a bit confused though. How would this be of interest for a home user, like I am?
Please advise.

Simplest example, you want to be able to ssh into your network when not at home, but you don't want to leave port 22 open. (Seriously, don't leave port 22 open. It's asking for trouble)

fwknopd can listen for a signed packet with no ports open. So if you want to ssh in, you run the fwknop client, and tell fwknopd to open port 22 for only the ip address you are using, and it only does so for a default of 120 seconds. Long enough to ssh in and establish the connection, but after that 120 seconds, the router goes back to blocking new incoming connections.

So, your router is invisible to a port scan, but you still have a secure way to log in remotely.

Oneru, thanks for the info!
I will start testing.
BTW, found a page with recent windows clients: http://www.dstuart.org/fwknop/

oneru wrote:

(Seriously, don't leave port 22 open. It's asking for trouble)

I'm curious as to why? Isn't SSH supposed to be relatively secure?

raz123 wrote:
oneru wrote:

(Seriously, don't leave port 22 open. It's asking for trouble)

I'm curious as to why? Isn't SSH supposed to be relatively secure?

It is secure, as far as we know. There are two reasons not to have port 22 open. The first is the danger of flaws that we don't know about. A zero-day flaw could be disastrous, but even more likely is a flaw that is reported and fixed, but the fix never pushed to the device hosting ssh.

The more immediate reason is that an open port 22 is like hanging out a sign. I've watched server logs for ssh when 22 is open. The volume of attempts against root is staggering.

If you want an open ssh service, I'd encourage either using something like fwknopd, or at least moving to a nonstandard port above 1024.

Hi, any known available fwknop clients for iPhones? That is still the only reason why I'm not moving away from obsolete knockd.

thanks

Sturia, sorry, I didn't ever get the notification of your post. There is technically a working iPhone client, but it needs a rewrite similar to what the Android client just went through. As far as I know, the iPhone client is not on the App Store, so it would require a rooted phone, etc.

In other news, I have a writeup and demo video of the OpenWrt luci app and the Android app working together: http://incomsystems.biz/linux/fwknop2/

Hi,

I've just installed Chaos Calmer and found that knockd is not available any more.
What is the reason for this?
Why does Chaos Calmer force me to change from knockd to fwknop?
There isn't any howto page in the wiki about how to use fwknop on OpenWrt.

Thanks,
micsu

(Last edited by micsux on 20 Sep 2015, 12:37)

Chaos Calmer doesn't force you to do anything. Packages are community maintained, if knockd is not available it means no-one stepped up to maintain it.

micsux wrote:

Hi,

I've just installed Chaos Calmer and found that knockd is not available any more.
What is the reason for this?
Why does Chaos Calmer force me to change from knockd to fwknop?
There isn't any howto page in the wiki about how to use fwknop on OpenWrt.

Thanks,
micsu

Hello, Micsux
As Borromini said, the only reason that knockd isn't in Chaos Calmer is that there is no one that has taken over maintaining it.

You have a valid point about the missing fwknop wiki page. There is documentation in other places, but I'll try to pull a quick blurb together for the wiki. To get you started:

The easiest way to use fwknop on OpenWrt is to use the Luci interface, luci-app-fwknopd. This installation will generate your keys and give you a sane config file. Once installed, just go to the luci page (Services -> Firewall Knock Daemon) and check the box labeled "Enable config overwrite" and then save and apply.

From there you just need an fwknop client and you should be good to go. There is an Android client that is very easy to set up. It's in the play store and named fwknop2.  This client allows you to import the generated keys via qr codes. Another option is the new cross-platform desktop graphical client over at https://incomsystems.biz/fwknop-gui/

There is also the command line client. More information here: https://www.cipherdyne.org/fwknop/ This is the main fwknop site and has lots more documentation.

If you get too badly stuck, you can ask the fwknop community directly by using the mailing list at fwknop-discuss@lists.sourceforge.net

Hope you get it working. Fwknop really is a slick idea and much more secure than the old port-knocking idea.

--Jonathan Bennett

OK. I am stuck and need help from people much wiser than I am.

To my understanding, this should just work: install the plugin (so fwknopd also gets installed), reboot, check the box, et voilà.

But for me, that does not work.
What I could see so far is that the daemon never gets launched (trying ps and pgrep), although the two config files in /etc/fwknop have the same information as I can see in the panel.

I'm not fluent enough in OpenWrt config to even know where to look for trouble, but I would appreciate tips and pointers on what to check.

In luci, under System->Startup, check if fwknopd is set to enabled. If it is disabled, hit the button to enable, and then the start button. 

If it is already enabled there, reboot, and go to Status -> System Log and see if fwknop wrote anything to the log.

It was enabled, but indeed there are errors in the log.

Sat Oct  3 22:02:17 2015 daemon.err fwknopd[10117]: [*] Ignoring unknown access parameter: 'keytype' in /etc/fwknop/access.conf
Sat Oct  3 22:02:17 2015 daemon.err fwknopd[10117]: [*] Ignoring unknown access parameter: 'hkeytype' in /etc/fwknop/access.conf
Sat Oct  3 22:02:17 2015 daemon.info fwknopd[10117]: Warning: REQUIRE_SOURCE_ADDRESS not enabled for access stanza source: 'ANY'
Sat Oct  3 22:02:17 2015 daemon.err fwknopd[10117]: [*] Parse error on access port entry: 54321
Sat Oct  3 22:02:17 2015 daemon.err fwknopd[10117]: [*] Fatal invalid OPEN_PORTS in access stanza

What bugs me is that I didn't even try to edit the files manually - I only used cat on them.
I'll need to do another full reset of the system (CC release needs to be installed either way) and see if that helps.

The error that is causing problems is the parse error on access port entry.  I think it wants to see either a tcp/54321 or a udp/54321.  If you have ssh listening on 54321, then you would want tcp/54321.

So specifically, it looks like in the Luci interface, you set OPEN_PORTS: to 54321. You can leave that blank to allow the SPA packet to specify the port. If you want to specify the port to open here, you need to also specify the protocol. So, either blank the OPEN_PORTS field, or set it to something like tcp/54321.

I definitely need to write a wiki page on this. Maybe I can start that tomorrow afternoon.
Edit: First draft finished: http://wiki.openwrt.org/doc/howto/fwknop

(Last edited by oneru on 4 Oct 2015, 00:39)
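The OPEN_PORTS rule that tripped up the poster above (a bare "54321" is rejected; each entry has to be proto/port, and a blank field lets the SPA packet name the port) as an added Python example. This is not fwknopd's own parser: it reproduces the visible behaviour from the log lines and the reply so a value can be checked before it goes into the Luci field. The accepted protocols, case-insensitive matching and tolerance of empty entries between commas are assumptions made here for illustration.

```python
"""Validate OPEN_PORTS-style entries as fwknopd's access.conf expects them.

Added example, not fwknopd code. It mirrors the rule visible in the thread:
every entry must be proto/port (tcp/54321, not 54321), entries are comma
separated, and an empty value is legal because the SPA packet then names
the port to open.
"""
import re

# Assumption for this example: only tcp and udp are accepted here.
ENTRY = re.compile(r"^(tcp|udp)/(\d{1,5})$")


def parse_port_list(value):
    """Return [(proto, port), ...] for a comma-separated OPEN_PORTS string.

    Raises ValueError naming the first bad entry, in the same spirit as the
    "Parse error on access port entry" line in the system log.
    """
    entries = []
    for raw in value.split(","):
        item = raw.strip()
        if not item:
            continue  # assumption: ignore stray commas / whitespace
        match = ENTRY.match(item.lower())
        if not match:
            raise ValueError(f"Parse error on access port entry: {item}")
        proto, port = match.group(1), int(match.group(2))
        if not 1 <= port <= 65535:
            raise ValueError(f"Port out of range in access port entry: {item}")
        entries.append((proto, port))
    return entries


def check_open_ports(value):
    """Startup-style check: return (ok, message) instead of raising."""
    try:
        entries = parse_port_list(value)
    except ValueError as err:
        return False, f"{err}; fatal invalid OPEN_PORTS in access stanza"
    if not entries:
        return True, "OPEN_PORTS empty: the SPA packet chooses the port"
    return True, "OPEN_PORTS ok: " + ", ".join(f"{p}/{n}" for p, n in entries)


if __name__ == "__main__":
    for candidate in ("54321", "tcp/54321", "tcp/22, udp/1194", "", "tcp/70000"):
        print(repr(candidate), "->", check_open_ports(candidate)[1])
```

Run it with the value you intend to type into the OPEN_PORTS field; the first line of output for "54321" is the same complaint the daemon logged.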

I recently stumbled across this but within the last day I've actually implemented this successfully.  A few comments first then some potential additions to the wiki are suggested.

Comments:

The luci interface along with the fwknop2 Android client are very well thought out.  Kudos.  The QR code snapshot to transfer keys is particularly nice.

This type of feature is what I was looking for to be comfortable opening up SSH access over WAN.  Port knocking is OK but I wanted something that was at least not repeatable if sniffed.  Unless I'm wrong, this is roughly equivalent to hiding OpenVPN using TLS over UDP with HMAC -- unless you initiate the handshake correctly the packets are just dropped and you can't tell there's a service listening on the port.

I agree this is a slick methodology and would like to see it gain some use (more code reviews, more bugs/vulnerabilities found/squashed, etc). 

Some implementation details, and wiki fodder (these weren't obvious to me, although there's nothing fancy here -- and note that I'm running CC, not trunk):

To listen on WAN, go to System-Administration and click Add under SSH Access.  Click WAN radio button, specify listening port.  Check options as you intend to use them.  No manual firewall steps are needed, fwknopd will take care of this.  Note that there are other methods to have a single instance of dropbear listen on multiple ports, this isn't the only method.

The following comments related to the luci interface for fwknopd are not complete, they are in addition to (or clarification of) existing setup notes in this thread.

Under Services-Firewall Knock Daemon, change OPEN_PORTS to "tcp/<ssh_listen_port_number>" -- obviously replacing <ssh...> with the port number from the previous step, and removing the quotes.

On that same page, under fwknopd.conf options click Add and enter option "PCAP_FILTER" without quotes.  This allows you to specify the port on which fwknopd is going to listen for the SPA packet.  Enter "udp port <spa_listen_port_number>" to change from the default which is something like 62201.  You can enter "udp dst portrange 10000-65535" if the client is going to use a random port.  I have tested both of these methods with this syntax.

Once you show you can knock and ssh in, it's probably a good idea to run a port probe (from something like GRC shields up) to verify that your ssh and spa ports are invisible even when you knock.  The temporary firewall rule that's added upon successful knock is IP-specific so these ports should never show open.

Hopefully these help.

InkblotAdmirer wrote:

I recently stumbled across this but within the last day I've actually implemented this successfully.  A few comments first then some potential additions to the wiki are suggested.

Comments:

The luci interface along with the fwknop2 Android client are very well thought out.  Kudos.  The QR code snapshot to transfer keys is particularly nice.

This type of feature is what I was looking for to be comfortable opening up SSH access over WAN.  Port knocking is OK but I wanted something that was at least not repeatable if sniffed.  Unless I'm wrong, this is roughly equivalent to hiding OpenVPN using TLS over UDP with HMAC -- unless you initiate the handshake correctly the packets are just dropped and you can't tell there's a service listening on the port.

I agree this is a slick methodology and would like to see it gain some use (more code reviews, more bugs/vulnerabilities found/squashed, etc).

Hey, glad you got it working.  Yes, there are similarities to OpenVPN's HMAC approach.  Fwknop also has an additional replay attack protection mechanism, we store the hashes of the last 1000 valid SPA packets, and when an otherwise valid packet matches a stored hash, it is considered a replay and dropped.

Code review and fixed problems are always welcome, of course.  The underlying code and libraries are still under active development.  The central code base is at https://github.com/mrash/fwknop

InkblotAdmirer wrote:

Some implementation details, and wiki fodder (these weren't obvious to me, although there's nothing fancy here -- and note that I'm running CC, not trunk):

To listen on WAN, go to System-Administration and click Add under SSH Access.  Click WAN radio button, specify listening port.  Check options as you intend to use them.  No manual firewall steps are needed, fwknopd will take care of this.  Note that there are other methods to have a single instance of dropbear listen on multiple ports, this isn't the only method.

The following comments related to the luci interface for fwknopd are not complete, they are in addition to (or clarification of) existing setup notes in this thread.

Under Services-Firewall Knock Daemon, change OPEN_PORTS to "tcp/<ssh_listen_port_number>" -- obviously replacing <ssh...> with the port number from the previous step, and removing the quotes.

On that same page, under fwknopd.conf options click Add and enter option "PCAP_FILTER" without quotes.  This allows you to specify the port on which fwknopd is going to listen for the SPA packet.  Enter "udp port <spa_listen_port_number>" to change from the default which is something like 62201.  You can enter "udp dst portrange 10000-65535" if the client is going to use a random port.  I have tested both of these methods with this syntax.

Once you show you can knock and ssh in, it's probably a good idea to run a port probe (from something like GRC shields up) to verify that your ssh and spa ports are invisible even when you knock.  The temporary firewall rule that's added upon successful knock is IP-specific so these ports should never show open.

Hopefully these help.

That wiki page probably needs more work.  I'll take your notes and try to refine it further, thanks!   

Just a thought on the listening ssh ports:  I believe that by default, dropbear listens on port 22 on all interfaces.  Switching the configuration around as you described is certainly a valid strategy, but not absolutely needed when starting from a default setup.  If a router has been configured not to listen on WAN, though, then it would be necessary to make further changes.

Thanks again
--Jonathan Bennett
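The single-packet mechanism oneru describes earlier in the thread (one encrypted, authenticated packet that opens a port only for the sender's address and only for a short window) together with the replay cache described in this reply (a bounded store of digests of valid packets), as an added Python example. This is not fwknop code and does not speak fwknop's wire format: the cipher is a stand-in keystream built from HMAC-SHA256 so the example runs with the standard library only, the packet layout, JSON payload and field names are assumptions made for illustration, and the keys and addresses are constructed. Real fwknop uses Rijndael or GnuPG for the payload and its own encoding.

```python
"""Toy single packet authorization (SPA) round trip.

Added example, not fwknop code. What it shows:
  - client: one packet = nonce || encrypt(payload) || HMAC(nonce || ciphertext)
  - server: verify the HMAC before touching anything else, decrypt, reject
    stale packets, require the address inside the packet to match the packet's
    source, reject replays with a bounded cache of digests of accepted packets,
    then open an access rule for that source only, for a limited time.
Stand-in cipher: HMAC-SHA256 in counter mode (assumption; fwknop uses
Rijndael or GnuPG). Keys below are constructed demo values.
"""
import hashlib
import hmac
import json
import os
import time
from collections import OrderedDict

ENC_KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")
HMAC_KEY = bytes.fromhex("ffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100")
NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key, nonce, length):
    """Keystream from HMAC-SHA256 over nonce||counter (stand-in, not fwknop's cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def build_spa(source_ip, access, now=None):
    """Client side. `access` is proto/port, e.g. 'tcp/54321' (assumed payload format)."""
    payload = json.dumps({
        "src": source_ip,
        "access": access,
        "ts": int(time.time() if now is None else now),
        "rand": os.urandom(8).hex(),  # makes every packet unique for the replay cache
    }).encode()
    nonce = os.urandom(NONCE_LEN)
    body = nonce + _xor(payload, _keystream(ENC_KEY, nonce, len(payload)))
    return body + hmac.new(HMAC_KEY, body, hashlib.sha256).digest()


class SpaServer:
    """Server side, modelled on the checks the thread describes fwknopd doing."""

    def __init__(self, max_age=120, open_for=120, replay_cache=1000):
        self.max_age = max_age          # oldest timestamp still accepted (seconds)
        self.open_for = open_for        # rule lifetime; the thread cites 120 seconds
        self.cache_size = replay_cache  # the thread cites the last 1000 valid packets
        self.seen = OrderedDict()       # digest -> True, oldest first
        self.rules = {}                 # (source_ip, access) -> expiry time

    def receive(self, packet, from_ip, now=None):
        now = time.time() if now is None else now
        if len(packet) < NONCE_LEN + TAG_LEN + 1:
            return "drop: too short"
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(HMAC_KEY, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return "drop: bad hmac"     # unauthenticated bytes never reach the decryptor
        nonce, ciphertext = body[:NONCE_LEN], body[NONCE_LEN:]
        try:
            msg = json.loads(_xor(ciphertext, _keystream(ENC_KEY, nonce, len(ciphertext))))
            ts, src, access = int(msg["ts"]), str(msg["src"]), str(msg["access"])
        except (ValueError, KeyError, TypeError):
            return "drop: undecodable"
        if abs(now - ts) > self.max_age:
            return "drop: stale"
        if src != from_ip:
            return "drop: source mismatch"  # forwarded or spoofed packet
        digest = hashlib.sha256(packet).hexdigest()
        if digest in self.seen:
            return "drop: replay"       # otherwise valid, but already used once
        self.seen[digest] = True
        if len(self.seen) > self.cache_size:
            self.seen.popitem(last=False)
        self.rules[(from_ip, access)] = now + self.open_for
        return "accept"

    def allows(self, ip, access, now=None):
        """Would a new connection from ip to access be admitted right now?"""
        now = time.time() if now is None else now
        expiry = self.rules.get((ip, access))
        if expiry is None:
            return False
        if now >= expiry:
            del self.rules[(ip, access)]  # rule timed out, as the daemon removes it
            return False
        return True


if __name__ == "__main__":
    server = SpaServer()
    pkt = build_spa("203.0.113.5", "tcp/54321", now=1000)
    print(server.receive(pkt, "203.0.113.5", now=1000))      # accept
    print(server.allows("203.0.113.5", "tcp/54321", now=1050))  # True
    print(server.allows("198.51.100.9", "tcp/54321", now=1050))  # False: other source
    print(server.receive(pkt, "203.0.113.5", now=1001))      # drop: replay
```

The order of checks is the point: the HMAC is verified first so a scanner's garbage never reaches the decryptor or the parser, the replay digest is recorded only for packets that passed every other check (matching the "otherwise valid packet" wording in the reply), and the rule that results is keyed on the source address, which is why a probe from any other host still sees the port closed.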

Had some problems on 15.05 on a TP-Link 1750 (no idea if that is part of the cause but figured I should mention it) with the WAN interface restarting and fwknopd not handling it well, so I added an /etc/hotplug.d/iface/40-fwknopd file thus:

#!/bin/sh
# /etc/hotplug.d/iface/40-fwknopd: restart fwknopd once the WAN interface is back up

[ "$ACTION" = "ifup" ] || exit 0

[ "$INTERFACE" = "wan" ] && {
        /etc/init.d/fwknopd restart
}

Although it doesn't prove anything, since adding this I've not experienced the issue of my fwknopd not responding to packets after interface reset.

Oh, another 'gotcha' that tripped me up a few times....

The startup script looks in /etc/fwknop/access.conf for the port to run on, but that port's configured in /etc/config/fwknopd out of the box. So by default it'll stomp on whatever you set in /etc/config/fwknopd (eg, pppoe-wan) with what it decides is the physical interface (eg eth0.2). This may not be ideal, leading one to wonder why any config changes don't seem to 'take'.

To work around,
# uci set fwknopd.@access[0].PCAP_INTF='<interface in /etc/config/fwknopd>'
# uci commit fwknopd
eg
# uci set fwknopd.@access[0].PCAP_INTF='pppoe-wan'
# uci commit fwknopd

(Last edited by plaw on 25 Apr 2016, 04:53)

That hotplug script looks like a good idea, I might adapt and include that as official, if you don't mind.


plaw wrote:

Oh, another 'gotcha' that tripped me up a few times....

The startup script looks in /etc/fwknop/access.conf for the port to run on, but that port's configured in /etc/config/fwknopd out of the box. So by default it'll stomp on whatever you set in /etc/config/fwknopd (eg, pppoe-wan) with what it decides is the physical interface (eg eth0.2). This may not be ideal, leading one to wonder why any config changes don't seem to 'take'.

To work around,
# uci set fwknopd.@access[0].PCAP_INTF='<interface in /etc/config/fwknopd>'
# uci commit fwknopd
eg
# uci set fwknopd.@access[0].PCAP_INTF='pppoe-wan'
# uci commit fwknopd

Yeah, this one was certainly my fault.  It's already been fixed in trunk, but just hasn't been backported to a release yet.

Glad you got it working!

--Jonathan Bennett

oneru wrote:

That hotplug script looks like a good idea, I might adapt and include that as official, if you don't mind.

I do not mind in the slightest. I adapted it from another script that no doubt got adapted...

Following the hints in this thread I also managed to make fwknopd work to open port 22 on my Chaos Calmer OpenWrt. Works nicely, thanks!

Next step will be to try to configure multiple open ports and to chain commands after the reception of a packet (e.g. do port forwarding as with knockd).

avio, glad it worked for you.  You should actually have port forwarding working out of the box.  Look into the NAT access message type.  Let me know which client you are using, and I can give more specific info.

I'm running LEDE r1541, when I install it I see the following error in luci:

/usr/lib/lua/luci/dispatcher.lua:460: Failed to execute cbi dispatcher target for entry '/admin/services/fwknopd'.
The called action terminated with an exception:
/usr/lib/lua/luci/template.lua:97: Failed to execute template 'cbi/map'.
A runtime error occured: /usr/lib/lua/luci/template.lua:97: Failed to execute template 'cbi/tsection'.
A runtime error occured: /usr/lib/lua/luci/template.lua:97: Failed to execute template 'cbi/ucisection'.
A runtime error occured: [string "/usr/lib/lua/luci/view/cbi/ucisection.htm"]:15: attempt to call field 'json_encode' (a nil value)
stack traceback:
    [C]: in function 'assert'
    /usr/lib/lua/luci/dispatcher.lua:460: in function 'dispatch'
    /usr/lib/lua/luci/dispatcher.lua:141: in function 

Anyone know what might be wrong?

I haven't seen that error before, but I'll look into it as soon as I can.
