Virtualmin Framed Theme virtual-server-theme theme version 9.3 released

@Joe: Well, just to give you some clue, you could check this article: https://tecadmin.net/secure-ssh-connections-with-port-knocking-linux/#

For using port knocking on Windows, there are two pieces of software with an easy-to-use interface that come to mind, Windows Port Knocking (http://gregsowell.com/?p=2020) and KnockKnock (https://sourceforge.net/projects/knockknock/), but there are more. Once the right sequence is applied you can use other software like PuTTY or WinSCP. There is probably a way to use a batch script to automate everything, but I never bothered with this detail.

This sounds interesting. Can I use the port knocking in CSF to accomplish this?

Port knocking should work regardless of what you have installed, and if I'm not mistaken CSF has an integration for port knocking, though I think you must still install it separately. I'm more for Fail2Ban, so I never used CSF and don't know much about this software; it would be best to ask CSF or Google for an answer.

Edit: Forgot to mention, port knocking works directly with iptables, so if this is OK for CSF it should work without any problem.

CSF implemented Port Knocking around 2010. I assumed I could use it (as I already have CSF installed), but what do I have to do at my login? I have not instituted it as I was unfamiliar with its use. It would be nice if the Webmin login would allow me to enter my port list and use these to perform the port knocking, or does that pose a security risk?

Port knocking doesn't work this way. The point of port knocking is to set up some ports that must be triggered before you can access your desired port. To put it simply, let's say you want to access SSH, which by default would be port 22. To open that port, let's say you set up the following trigger: ports 15001, 15002 and 15003 to open, and 15003, 15002, 15001 to close. So now, before you access your SSH port 22, you must open it, i.e. make it accessible. To do that you must use telnet or some other software (better to automate everything). By triggering the right ports in the right order you open port 22 until you don't need it anymore, at which point you execute the second sequence and close it.

That means before you hit the Webmin port (default 10000) you need to execute the right sequence or it will stay closed. In other words, you can't set anything in Webmin because you will not even be able to see the login screen if you used port knocking to block the Webmin port (default or custom, doesn't matter).

I set it up on my account and it appears to be working. I use a different port for Webmin that is closed.
I have to use a different app to do the knocking but it appears to work fine.


Edit:

I am using the GregSowell.com Port Knocker (as you suggested), and if I try to access the site nothing happens in the browser, although it looks like it is trying to connect. When I run the Port Knocker with my preset ports it opens my Webmin port and I am able to log in and gain access to the Webmin services. However, CSF has a timeout that you configure, which is supposed to be the time you have to knock the ports within and hold the new port open.

Here is the CSF info

Syntax for the PORTKNOCKING setting:

PORTKNOCKING is a comma separated list of:
openport;protocol;timeout;kport1;kport2;kport3[…;kportN]

So, a setting of PORTKNOCKING = "22;TCP;20;100;200;300;400" means:

Open Port 22 TCP for 20 seconds to the connecting IP address to new connections
once ports 100, 200, 300 and 400 have been accessed (i.e. knocked with a SYN
packet) each knock being less than 20 seconds apart.

Access to port 22 remains active after 20 seconds until the connection is
dropped, however new connections will not be allowed.

What I am noticing, however, is that I am blocked after the timeout period (or something close to it). I assume that I must be making a new connection at some time during the Webmin session, so in order to continue I have to re-run the port knock access, or I have to set the timeout to the period of time I expect to actually be using Webmin.

Couldn't a Port Knocking login screen be delivered via port 80, and after the Port Knocking was completed you could redirect to the opened port, or something along those lines? Using the additional app is not a big problem, but it is inconvenient.
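To make the CSF PORTKNOCKING semantics quoted above concrete, here is an added Python model (written for this thread, not CSF's own code) of one rule: it parses the setting string and tracks, per source IP, whether the knock ports were hit in order with every knock less than `timeout` seconds apart, after which new connections to the open port are allowed for `timeout` seconds. It models TCP SYNs only and ignores already-established connections, which the CSF text says survive the timeout.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class KnockRule:
    open_port: int
    protocol: str
    timeout: int            # seconds: max gap between knocks, and how long the port stays open
    knock_ports: List[int]  # must be hit in this order


def parse_portknocking(setting: str) -> List[KnockRule]:
    """Parse a CSF PORTKNOCKING value: comma-separated openport;protocol;timeout;kport1[;...;kportN]."""
    rules = []
    for entry in filter(None, (e.strip() for e in setting.split(","))):
        parts = entry.split(";")
        if len(parts) < 4:
            raise ValueError("expected openport;protocol;timeout;kport1[;...], got %r" % entry)
        rules.append(KnockRule(int(parts[0]), parts[1].upper(), int(parts[2]),
                               [int(p) for p in parts[3:]]))
    return rules


class KnockTracker:
    """Per-source-IP state for one rule, following the behaviour the CSF docs describe."""

    def __init__(self, rule: KnockRule) -> None:
        self.rule = rule
        self.progress: Dict[str, Tuple[int, Optional[float]]] = {}  # ip -> (next knock index, last knock time)
        self.open_until: Dict[str, float] = {}                       # ip -> new connections allowed until

    def syn(self, t: float, ip: str, dport: int) -> bool:
        """Feed one SYN from ip to dport at time t; return True if a new connection to open_port is allowed."""
        r = self.rule
        if dport == r.open_port:
            return t < self.open_until.get(ip, float("-inf"))
        if dport in r.knock_ports:
            idx, last = self.progress.get(ip, (0, None))
            if dport == r.knock_ports[idx] and (last is None or t - last < r.timeout):
                idx += 1                                        # expected port, within the timeout: advance
            else:
                idx = 1 if dport == r.knock_ports[0] else 0     # wrong port or stale knock: restart
            if idx == len(r.knock_ports):
                self.open_until[ip] = t + r.timeout             # full sequence: open for `timeout` seconds
                self.progress.pop(ip, None)
            else:
                self.progress[ip] = (idx, t)
        return False
```

Feeding it the timestamps of a session shows why Kim gets cut off: once the window has passed, any new connection (for example a fresh HTTPS connection opened by the browser mid-session) is refused until the sequence is knocked again.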

There isn't a port knocking login screen, as the request must come from your IP, plus I can't imagine how this should work. Either way this is out of the scope of *Min products and even of port knocking, and it would be best to find some geek guru coder and ask if he could make such software. Then again, you could just code security software that would require some "codes" to open the desired ports, which doesn't have anything to do with port knocking and how it works.

Okay, you piqued my interest. I really don’t know what the security implications of this would be. I’ll leave that to you guys who actually know what you are doing. I was just curious as to what I could do with the whole port knocking concept. I blame you Diabolico because you were the one who introduced me to the concept of Port Knocking. Anyways, this is what I did:

Configured webmin to use port 10100

Configured port knocking in CSF:

10100;TCP;300;10099;10098;10097

Attempt to access Webmin using admin.domain.com

Unable to connect

Url displays https://domain.com:10100/

The connection has timed out

Created the file login.php

Include a line for each port used to unlock the main port:

I assume I can use this file to create a port knocking login page that would allow me to enter the ports rather than having them hard coded.

Add an **A Record** to my DNS records: webmin.domain.com
Create the Server Alias **webmin.domain.com** in httpd.conf
Create the redirect in httpd.conf:
RewriteCond %{HTTP_HOST} =webmin.domain.com
RewriteRule ^(.*) http://domain.com/login.php [R]

Attempt to access Webmin using webmin.domain.com

Webmin login screen appears and I am able to log in.

My understanding of what is happening:

  • I have blocked the port that webmin uses through CSF
  • I have set up the port knocking protocol in CSF
  • I have created a login file that attempts to access each of my key ports in the proper sequence and ends by accessing the actual Webmin address.
  • Access to Webmin using the normal admin.domain.com does not work because the port is closed.
  • Run webmin.domain.com
  • This runs the login.php file where the knock ports are supplied.
  • Since the ports are knocked in the proper order the Webmin port is opened and the Webmin login is presented allowing the user to access the site.
  • The Webmin port closes after the CSF timeout is reached.
Note: If the timeout is reached but the user has not logged out of Webmin, simply re-knocking the ports will reopen the Webmin port and the user will be able to continue with their Webmin session without logging in again, i.e. re-run **webmin.domain.com**.
I can now access Webmin using port knocking directly through the browser and do not need to use a separate port knocking application.

This isn't secure at all if you have all your ports listed in something.php, plus DNS records aren't secret, so anyone can scrape them. This is the main reason why you must re-generate the signatures every few days (up to a maximum of 30 days) when using DNSSEC, so you can prevent rainbow attacks.

So by sending the port numbers using a PHP script (but not hard coded, i.e. entered manually on a browser form) it is just as insecure as hard coding them into the script?

Wouldn’t this be just as secure as the standard login (since it still requires the standard webmin login) but at the same time it keeps the webmin ports closed unless you specifically request the port to open?


I'll have to look at DNSSEC when I get some time.
Would using an IP address instead of domain names make any difference?

Sorry for all the questions but I learn from doing so this is very helpful.

Thanks

Kim

Hardcoded ports would be useless; maybe manually inserting the ports, like a login with captcha, would be a better solution. Still, it's a PHP file, which means it will hit Apache and server resources every time a bot tries to do anything, and this isn't good. It's much better if you shift your protection as much as you can to the kernel level (e.g. iptables) and avoid Apache, MySQL and so on. That's why any CMS (WP, Joomla…) security plugin is a really bad solution, as all of them rely on Apache and MySQL to block someone or prevent something. When you get hundreds (or even thousands) of bots hitting your website on an hourly basis the server will collapse, while iptables could handle such a hit much more easily. Of course I'm not speaking of a real DDoS, because for that you must have appropriate defenses, but by letting all those bots pass freely to your Apache or MySQL you will actually help them accomplish some sort of DDoS even if that was not their primary job/intention.

Thanks for the info Diabolico.
I'm not sure how you can present a browser login screen without the problems you point out. I will do a bunch more reading on the issues you point out and see what options there are.

Just so I’m clear on this:

Does providing a browser login screen, using user-entered port fields (for the port knocking that opens the Webmin port and redirects to it), increase the security risk to my server over just using a standard open Webmin port with the standard Webmin login?

I have an HTML form where I enter the data and then use this function to make the connection to the Webmin login:

```javascript
function port_knock() {
  var server = document.getElementById("server").value;
  var ports = [document.getElementById("port1").value,
               document.getElementById("port2").value,
               document.getElementById("port3").value];
  if (!validation()) return; // checks that all fields are filled

  // Assigning window.location three times in a row only navigates to the
  // last URL, so the knock ports were never actually hit. Instead, send each
  // knock in order as a fetch that is abandoned after a second (the knock
  // port never answers; only the SYN matters to CSF), then go to Webmin.
  var chain = Promise.resolve();
  ports.forEach(function (port) {
    chain = chain.then(function () {
      var ctl = new AbortController();
      setTimeout(function () { ctl.abort(); }, 1000);
      return fetch("http://" + server + ":" + port + "/",
                   { mode: "no-cors", signal: ctl.signal }).catch(function () {});
    });
  });
  chain.then(function () { window.location = "https://admin." + server; });
}
```

I could use the IP address instead of the server domain if it makes any difference.

Kim

> I'm not sure how you can present a browser login screen without the problems you point out.

For quite some time the only CMSes I consider using for my clients are WordPress (with or without WooCommerce) and Magento, and for those I have some custom htaccess rules and fail2ban to prevent bots and brute-force attacks. Fail2ban is quite nice software if you need to keep an eye on your logs and eventually block someone. The rest is just finding the edge where f2b will trigger the response, e.g. if the client is the only one who logs in then the rules can be set much harder, while for e-commerce, where a lot of people use the login page, the rules are more lenient (but not too much).

For the rest, it would be better to start your own topic and maybe more people will join with suggestions. We have already derailed this topic too much.

I have used f2b for years, but obviously server keys and even very good passwords do away with the need for software like that.
Virtualmin Framed Theme though should be around as a fallback. The VM team would be daft not to keep it up to date.

Software like Fail2Ban and CSF is always needed, and saying otherwise could even be dangerous. I don't want to go into why, because every smart person managing a server should already know these facts. Still, I agree that using keys instead of passwords and/or strong passwords will add to the overall security of your server, but it isn't enough and you should always look at the whole picture instead of focusing on some parts.

With all this talk of security, I want to point out that the new Virtualmin 6 installer sets up a firewalld firewall (on systems that support firewalld…so any new system with systemd; it'll fall back to an iptables firewall on systems that can't have firewalld), and fail2ban. The fail2ban configuration includes webmin-auth, sshd, and several mail-related ports, plus a few other things.

The beta installer for VM6 now includes those features. I just finished them last night, and rolled the new packages immediately after, so they’ve had minimal testing, but I think they work on the new distros.

There’s also good Webmin support for firewalld (several improvements are going into the next Webmin release) and Fail2ban (a couple of bugs with default options and jail.d*.conf files are still outstanding, but should be in place soon).

And, of course, Webmin already has brute force protection, 2FA, certificate-based login options, and more. There’s a ton of security features already built into Webmin aside from all these external security tools.

That's great news, Joe. It will make things easier for us; however, it's still not a solution to the original theme security issue.

Hi, can you be more specific on this? The original theme security issue… I have never seen any logs or anything to prove that there is an original theme security issue, nor on GitHub…

thanks.

Yeah, I think there’s a bit of a disconnect in the conversation about the security issues that Authentic had (and were fixed a few months ago). Any theme could have the same kinds of security issues. There’s not really anything we can do, at this stage, to prevent a theme from causing security issues, if security mistakes are made in the theme…unless we removed significant theming abilities (no custom login page, no custom theme on any unauthenticated pages, etc.).

So…the security issues in Authentic were serious, but once fixed, there’s nothing that makes the Virtualmin Framed Theme safer than Authentic, except being a lot older and having had a lot more vetting and been in the wild longer; which, I guess also has some security value. I guess it’s also true that Framed Theme is no longer being developed actively (it is maintenance only at this point), so unless bugs already exist there won’t be any new ones. So…there’s also that.

But, let’s be clear: Authentic is not a unique security conversation; all themes in Webmin/Virtualmin could be a vector of attack if there are mistakes in handling user data. That’s true of most theme-able web applications, because the theme has to interact with every page, including things outside the control of ACLs and the like.

There are things we can do to isolate themes more completely, but it’s a much bigger project, and one we’ll have to tackle in Webmin 2.0; we have to break backward compatibility in major ways in order to change theming significantly. Total privilege separation (which nobody in this space currently does, as far as I know) would be the ideal, but it’s effectively a from-the-ground-up re-design.

Hi, how can I add HTTP auth for Virtualmin, please?