MacOS – How to Implement Port Knocking on macOS Sierra

macos

Does anyone know how to get Port Knocking work on macOS Sierra. I couldn't find any useful information after a search.

It works now, thanks for all the help. @klanomath @jksoegaard. Wish you all the best.

Here are the configurations:

Configuration: /usr/local/etc/ssh-access.txt is empty initially

Configuration: /etc/pf.conf

scrub-anchor "com.apple/*"
nat-anchor "com.apple/*"
rdr-anchor "com.apple/*"
dummynet-anchor "com.apple/*"
anchor "com.apple/*"
load anchor "com.apple" from "/etc/pf.anchors/com.apple"
table <ssh-access> persist file "/usr/local/etc/ssh-access.txt"
pass in quick proto tcp from <ssh-access> to port 22

Configuration: /usr/local/etc/knockd.conf

[options]
        logfile = /var/log/knockd.log
[openSSH]
        sequence    = 7000,8000,9000
        seq_timeout = 5
        command     = echo %IP% > /usr/local/etc/ssh-access.txt
        tcpflags    = syn
[commitFW]
        sequence    = 9000,8000,7000
        seq_timeout = 5
        command     = pfctl -t ssh-access -T replace -f /usr/local/etc/ssh-access.txt
        tcpflags    = syn
[closeSSH]
        sequence    = 5000,4000,6000
        seq_timeout = 5
        command     = echo '' > /usr/local/etc/ssh-access.txt
        tcpflags    = syn

Output when Launch knockd:

config: new section: 'options'
config: log file: /var/log/knockd.log
config: new section: 'openSSH'
config: openSSH: sequence: 7000:tcp,8000:tcp,9000:tcp
config: openSSH: seq_timeout: 5
config: openSSH: start_command: echo %IP% > /usr/local/etc/ssh-access.txt
config: tcp flag: SYN
config: new section: 'commitFW'
config: commitFW: sequence: 9000:tcp,8000:tcp,7000:tcp
config: commitFW: seq_timeout: 5
config: commitFW: start_command: pfctl -t ssh-access -T replace -f /usr/local/etc/ssh-access.txt
config: tcp flag: SYN
config: new section: 'closeSSH'
config: closeSSH: sequence: 5000:tcp,4000:tcp,6000:tcp
config: closeSSH: seq_timeout: 5
config: closeSSH: start_command: echo '' > /usr/local/etc/ssh-access.txt
config: tcp flag: SYN
ethernet interface detected
Local IP: 192.168.8.101
Adding pcap expression for door 'openSSH': (dst host 192.168.8.101 and (((tcp dst port 7000 or 8000 or 9000) and tcp[tcpflags] & tcp-syn != 0)))
Adding pcap expression for door 'commitFW': (dst host 192.168.8.101 and (((tcp dst port 9000 or 8000 or 7000) and tcp[tcpflags] & tcp-syn != 0)))
Adding pcap expression for door 'closeSSH': (dst host 192.168.8.101 and (((tcp dst port 5000 or 4000 or 6000) and tcp[tcpflags] & tcp-syn != 0)))

Knock from client Mac

192:~ vincent-st$ knock -v 192.168.8.101 7000,8000,9000
hitting tcp 192.168.8.101:7000
192:~ vincent-st$ knock -v 192.168.8.101 9000,8000,7000
hitting tcp 192.168.8.101:9000
192:~ vincent-st$ ssh vincent-st@192.168.8.101
ssh: connect to host  port 22: connection refused

After using the proper knock command ssh works:

Knock from client Mac

192:~ vincent-st$ knock -v 192.168.8.101 7000 8000 9000
hitting tcp 192.168.8.101:7000
hitting tcp 192.168.8.101:8000
hitting tcp 192.168.8.101:9000

192:~ vincent-st$ knock -v 192.168.8.101 9000 8000 7000
hitting tcp 192.168.8.101:9000
hitting tcp 192.168.8.101:8000
hitting tcp 192.168.8.101:7000

192:~ vincent-st$ ssh vincent-st@192.168.8.101
The authenticity of host '192.168.8.101 (192.168.8.101)' can't be established.

RSA key fingerprint is SHA256:6AlMpQmxODOueRS+faoODOueRS+ODOueRS+fa.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.8.101' (RSA) to the list of known hosts.

Password:

Last login: Tue Jul 11 01:14:56 2017 `

Best Answer

If you need to get port knocking working as a client (i.e. you want to access a remote service that is protected by port knocking) - then install the knock program from Homebrew like this:

brew install knock

You'll need to have Homebrew installed in advance.

Then you can use the program from Terminal.app like this:

knock myserver 1234 5678 9012

where the numbers are the ports to knock.

If you need to get port knocking working as a server (i.e. you want to protect a local resource so that remote access is limited to those in-the-know by port knocking) - then similarly install knock from Homebrew.

After installation you'll need to create a knockd.conf configuration customized to your requirements (i.e. which type of service you want to protect, the ports to use, etc.) - and finally start knockd using launchd.

You can find an example of how to do this here:

Example knockd setup

Related Solutions

macOS Sierra – Guide to Port Forwarding

My answer to the question: What is the modern way to do port-forwarding on El Capitan? (forward port 80 to 8080) is still valid.

You have several frictions/misconfigurations in your setup though:

There is no need to establish an additional network address (i.e. 10.0.0.1) for lo0 if you don't have a second http/https host.
A redirection:
```
rdr pass on lo0 inet proto tcp from any to 10.0.0.1 port = 80 -> 127.0.0.1 port 3000
```
will only redirect a request for 10.0.0.1:80 to 127.0.0.1:3000.

A request for localhost:80 (which translates to 127.0.0.1:80 and not to 10.0.0.1:80) won't be redirected because there is no appropriate rdr ... line and you will get a connection error.
Even adding the line 10.0.0.1 localhost to /etc/hosts will not salvage your problem because localhost seems to be hard coded to 127.0.0.1.

To get your redirection working unload pf.conf with sudo pfctl -d. Then check your anchor and pf.conf:

rdr pass log (all) on lo0 inet proto tcp from any to any port 80 -> 127.0.0.1 port 3000
rdr pass log (all) on lo0 inet proto tcp from any to any port 443 -> 127.0.0.1 port 7000

and

...
scrub-anchor "com.apple/*"
nat-anchor "com.apple/*"
rdr-anchor "com.apple/*"
rdr-anchor "myorganization"
dummynet-anchor "com.apple/*"
anchor "com.apple/*"
load anchor "com.apple" from "/etc/pf.anchors/com.apple"
load anchor "myorganization" from "/etc/pf.anchors/myorganization"

Then parse/check myorganization with sudo pfctl -vnf /etc/pf.anchors/myorganization and load pf.conf with sudo pfctl -evf /etc/pf.conf.

In some rare cases you may have to add an additional line:

::1     127.0.0.1

to your /etc/hosts file. This doesn't seem logical though and may apply to older Sierra versions only. I haven't been able to confirm this.

MacOS Sierra 10.12: Configure firewall for a single port (3690)

If you are using Sierra's Application Firewall you can't restrict it to a single port.

To allow incoming traffic for a specific binary, open System Preferences > Security & Privacy > Firewall > Firewall Options and either hit the plus button and choose the binary or drop the binary from a Finder window.

In my example below I have chosen the X11 binary in /Applications/Utilities/XQuartz.app/Contents/MacOS/

You can the check additional apps added by executing:

sudo /usr/libexec/ApplicationFirewall/socketfilterfw --listapps

After adding Xcode, anything starting with svn in /usr/bin/ and /Applications/Xcode.app/Contents/Developer/usr/bin/ and starting /usr/bin/svnserve I was asked once to allow incoming traffic for svnserve (I don't know which of both svnserve executables) and it worked from remote. After removing everything and repeating the same steps it failed again.

The log file at /var/log stays empty and the other logs don't reveal anything related to blocked incoming connections.

I recommend to enable ssh and create a ssh:svn-tunnel. Link: Subversion through a tunnel

As an alternative install Murus - a GUI for pf. If you don't activate it with an email and a serial number it will run as the free Murus Lite.

Open the app and choose a strategy. E.g. Novice > Predefined Firewall Configuration Presets > Almost all services blocked. Then activate the selected Murus preset and start pf.

Hit the library button. In the services library panel hit the gear

and add a new custom service SVN:

In the groups library hit the gear and add new custom group

Hit the loupe, enter a group name, add an appropriate interface, hit the plus button and add an IP or network.

Drag the SVN service to the main windows (Managed inbound services) and configure it:

If you have additional services like SSH running, add them also. Start or restart pf if necessary. Now - protected by pf - you may dissable the application firewall.

Best Answer

Related Solutions

macOS Sierra – Guide to Port Forwarding

MacOS Sierra 10.12: Configure firewall for a single port (3690)

Related Question