ipt_pkd is a free command-line software that provides an open-source iptables extension that has been designed from the ground up to implement a port knock detection system with SPA (Single Packet Authorization) functionality.
Divided in three important parts
The project is divided in three important parts, the kernel module, a user space client knock program, and the iptables user space module, called libipt_pkd.so. ipt_pkd is capable of verifying a packet with SHA256, as well as to check the time window of a packet. However, it does not sends the shared key and has limited proc support.
How does it work?
ipt_pkd’s knock packet can be described as a SHA256 has of a small header, a timestamp, a shared key and some random bytes sent via the UDP (User Datagram Protocol) protocol. Both the random bytes and the timestamp are passed in the packet, in order for the server to create the SHA256 hash and do a results comparison. If they match, the pkd module will return true. If not, it will return false.
I want to see some examples!
A simple example of using the ipt_pkd package is for protecting a SSH (Secure Shell) connection on port 22. Using the iptables rules displayed below, any new SSH connection attempt will be dropped, unless a valid knock packet is provided:
iptables -A INPUT -p udp -m pkd --key test --tag SSHK -m recent --set --name PKD
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --rcheck --name PKD --seconds 60 --hitcount 1 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j REJECT --reject-with tcp-reset
It has only three options
As mentioned, ipt_pkd is a command-line applications that runs on a console environment, using an X11 terminal emulator or directly from a text-mode session. It has only three options, one that sets a shared key, one that sets the time in seconds, and another one that sets the tag for the knock key.