Knock
Knock, also referred to as TCP Stealth, is a proposed modification of the Transmission Control Protocol (TCP) that hides the open ports of selected TCP services from the public in order to impede port scans. It is somewhat similar to the port knocking technique.[1] [2]
It modifies the TCP three-way handshake so that the server only accepts connections from clients that transmit a proof of knowledge of a shared secret. If the connection attempt does not use TCP Stealth, or if authentication fails, the server behaves as if no service were listening on that port number.[3]
Kernels with Knock support
Parabola provides several kernels with Knock support:
- linux-libre-knock: package based on linux-libre, with the difference that it provides support for stealth TCP sockets.
- linux-libre-lts-knock: similar to linux-libre-knock but based on the long-term supported (LTS) kernel versions.
- linux-libre-grsec-knock: similar to linux-libre-knock but combined with Grsecurity support; see Grsecurity+Knock for more details.
- linux-libre-pck: package based on linux-libre with multiple patches from pf-kernel and zen-kernel for the Linux-libre kernel, which provide a handful of useful features not merged into mainline. For more info see our article.
Activating the kernels repository
You can add the following lines to your /etc/pacman.conf (SigLevel = PackageRequired keeps package signature verification enabled for this repository):
/etc/pacman.conf
    [kernels]
    SigLevel = PackageRequired
    Include = /etc/pacman.d/mirrorlist
Applications with Knock support
OpenSSH-Knock
The patch introduced by openssh-knock enables OpenSSH to use Knock's authentication mechanism. To specify the secret on both sides, use the newly introduced SSH configuration option TCPStealthSecret or (not recommended, since command line arguments are visible to other local users in the process list) the -z command line argument. The patch also extends the man pages of ssh, ssh_config, sshd and sshd_config, which give more information.
Systemd-Knock
systemd-knock enables Knock's authentication and integrity protection for applications that use systemd for their socket I/O. Several steps are needed to customize systemd (assuming the running kernel has already been patched with the Knock patches).
To enable the functionality at runtime, the new configuration options TCPStealthSecret and TCPStealthIntegrityLen are available in .socket unit files. TCPStealthSecret specifies the TCP Stealth secret, whereas TCPStealthIntegrityLen is an unsigned integer indicating the number of bytes that should be integrity protected (0 means disabled).
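To make the two ideas on this page concrete, the modified handshake (a SYN that carries a proof of the shared secret and is otherwise silently dropped) and the TCPStealthIntegrityLen option (binding the first payload bytes to that proof, with 0 disabling the check), here is an added simulation in Python. It is not code from the Knock project, the kernel patches or the draft: the construction (HMAC-SHA256 tags, an ISN split into a 16-bit authentication half and a 16-bit integrity half, the connection tuple that is tagged) is a simplified model chosen for illustration, and the secret, addresses and payloads are constructed sample values.

```python
import hashlib
import hmac
import struct

# Constructed values for the demonstration (not from the article or the draft).
SECRET = b"example-shared-secret"
SERVER_IP = "192.0.2.10"
SERVER_PORT = 22
INTEGRITY_LEN = 16   # analogue of TCPStealthIntegrityLen; 0 disables payload protection


def _tag16(secret: bytes, *parts: bytes) -> int:
    """16-bit tag: HMAC-SHA256 over the '|'-joined parts, truncated (assumed construction)."""
    mac = hmac.new(secret, b"|".join(parts), hashlib.sha256).digest()
    return struct.unpack("!H", mac[:2])[0]


def auth_tag(secret: bytes, src_ip: str, dst_ip: str, dst_port: int) -> int:
    """Proof of knowledge of the secret, bound to the endpoints of this connection."""
    return _tag16(secret, b"auth", src_ip.encode(), dst_ip.encode(), struct.pack("!H", dst_port))


def integrity_tag(secret: bytes, src_ip: str, dst_ip: str, dst_port: int,
                  payload: bytes, integrity_len: int) -> int:
    """Tag over the first `integrity_len` payload bytes; 0 means the feature is off."""
    if integrity_len == 0:
        return 0
    return _tag16(secret, b"data", src_ip.encode(), dst_ip.encode(),
                  struct.pack("!H", dst_port), payload[:integrity_len])


def client_isn(secret: bytes, src_ip: str, dst_ip: str, dst_port: int,
               payload: bytes, integrity_len: int) -> int:
    """Client-side ISN: high 16 bits prove the secret, low 16 bits bind the first payload bytes."""
    return (auth_tag(secret, src_ip, dst_ip, dst_port) << 16) | \
        integrity_tag(secret, src_ip, dst_ip, dst_port, payload, integrity_len)


class StealthServer:
    """Model of a listening socket that hides itself from clients without the secret."""

    def __init__(self, secret: bytes, ip: str, port: int, integrity_len: int):
        self.secret, self.ip, self.port, self.integrity_len = secret, ip, port, integrity_len
        self.pending = {}   # src_ip -> ISN of an accepted SYN awaiting its first data

    def handle_syn(self, src_ip: str, isn: int) -> str:
        """'SYN-ACK' for a valid proof; otherwise 'DROP', indistinguishable from a closed port."""
        if (isn >> 16) != auth_tag(self.secret, src_ip, self.ip, self.port):
            return "DROP"
        self.pending[src_ip] = isn
        return "SYN-ACK"

    def handle_data(self, src_ip: str, payload: bytes) -> str:
        """Check the delivered payload against the integrity half of the stored ISN."""
        isn = self.pending.pop(src_ip, None)
        if isn is None:
            return "DROP"
        expected = integrity_tag(self.secret, src_ip, self.ip, self.port,
                                 payload, self.integrity_len)
        return "ACCEPT" if (isn & 0xFFFF) == expected else "RST"


def simulate(client_secret: bytes, payload_sent: bytes, payload_delivered: bytes,
             integrity_len: int = INTEGRITY_LEN) -> tuple:
    """One handshake plus first data segment; returns (syn_result, data_result)."""
    src = "198.51.100.7"   # constructed client address
    server = StealthServer(SECRET, SERVER_IP, SERVER_PORT, integrity_len)
    isn = client_isn(client_secret, src, SERVER_IP, SERVER_PORT, payload_sent, integrity_len)
    syn = server.handle_syn(src, isn)
    if syn != "SYN-ACK":
        return syn, None
    # payload_delivered differs from payload_sent when something on the path altered it
    return syn, server.handle_data(src, payload_delivered)


if __name__ == "__main__":
    banner = b"SSH-2.0-client\r\n"
    print(simulate(SECRET, banner, banner))                      # valid client
    print(simulate(b"wrong-secret", banner, banner))             # port looks closed
    print(simulate(SECRET, banner, b"SSH-2.0-tampered\r\n"))     # modified first bytes
    print(simulate(SECRET, banner, b"SSH-2.0-tampered\r\n", 0))  # integrity disabled
```

The model makes the trade-off visible that the real design also has to live with: the proof must fit in the 32-bit sequence number field, so each half is only 16 bits and guessing a valid authentication half succeeds about once in 65536 attempts. That is why the feature impedes scanning rather than replacing authentication in the application protocol, and why a defender should still rate-limit and log connection attempts on the hidden port.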
External links
- Knock - initial implementations for Linux kernel and legacy applications
- Master's thesis about TCP Stealth
- TCP Stealth - draft-kirsch-ietf-tcp-stealth-00