After experimenting with Shodan I was well aware of the dangers of putting a service directly on the internet. Even if you protect the service with good controls such as authentication, there is still a risk that it could be exploited through a zero-day vulnerability or simply get DDoS'ed. Not to mention that if Shodan finds an open port it will probe it and log it for the whole world to find.
So when the need arose to expose a service on my home network I began to look at what other security controls I could add on top of the existing security of the service. This led me into the world of port knocking.
I found the concept of port knocking (sending a sequence of packets to a set of closed ports, which the firewall recognises and responds to by opening the real service port) quite interesting. It would certainly stop services like Shodan from finding the service, but it sits closer to security through obscurity than to a genuine security control. The knock sequence travels in the clear, so anyone monitoring the network between you and the service sees the packets arriving at the closed ports, can work out the sequence, and can watch the service port open afterwards. Having captured the sequence, they can also replay it: the firewall only checks that the right ports were hit in the right order, so a replayed knock opens the port for whichever IP sends it. It was fairly easy to implement on my MikroTik router but, with the previously mentioned limitations, I knew I needed something better.
This is what led me to the more advanced form of port knocking called single packet authorization (SPA) and the software that implements it, Fwknop. Instead of a sequence of knocks, the client sends a single packet whose payload is encrypted, authenticated and protected against replay. An observer therefore cannot read what access was requested, cannot forge a request without the keys, and cannot reuse a captured packet, because the server remembers a digest of every packet it has already accepted. That lets Fwknop open a hole in your firewall without the negatives of traditional port knocking detailed above.
So I began implementing it on my network. Supporting it directly on MikroTik's RouterOS seemed unlikely to be possible, so instead I set up the router to forward the Fwknop packets to my Raspberry Pi. Then, on the Pi, I set up the Fwknop software to listen on that port. With some minor changes to the configuration file, I could trigger it to run some Python code which in turn connected to the router to open the port requested by the Fwknop packet. After a few revisions it all worked like a dream and I released the code on GitHub – https://github.com/thomaspreece/mikrotik-fwknop-pi – just in case anyone else would find it useful.
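To make the SPA properties described above concrete, and to show the shape of the validate-then-open step the Pi performs, here is a small Python model of the server side of an SPA check, ending in the RouterOS address-list command a handler might issue. This is an added illustration, not Fwknop's code or wire format and not the code in the GitHub repository linked above: Fwknop additionally encrypts the payload (Rijndael or GnuPG) and has its own field layout. The JSON fields, the 120 second freshness window, the demo key, the address-list name and the sample IP addresses are all assumptions constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import os
import time

# Constructed demo key for this example; a real deployment uses a per-client
# secret that the client and server share out of band.
HMAC_KEY = b"demo-hmac-key-not-for-production"
WINDOW_SECONDS = 120  # assumed freshness window, not Fwknop's actual value


def build_spa_packet(key, source_ip, port, proto="tcp", now=None):
    """Client side: a single self-describing packet, bound to a source IP and a
    requested port, carrying a timestamp and a random nonce, then HMAC'd.
    (Fwknop also encrypts this payload; omitted here to stay stdlib-only.)"""
    body = {
        "ts": int(time.time() if now is None else now),
        "nonce": base64.b64encode(os.urandom(16)).decode(),
        "src": source_ip,
        "port": port,
        "proto": proto,
    }
    payload = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.b64encode(payload + tag)


class SpaVerifier:
    """Server side: authenticate, check freshness, refuse replays, and insist
    that the source IP inside the packet matches the host that sent it."""

    def __init__(self, key, window=WINDOW_SECONDS):
        self.key = key
        self.window = window
        self.seen = {}  # packet digest -> time after which it can be forgotten

    def verify(self, packet, sender_ip, now=None):
        now = time.time() if now is None else now
        try:
            raw = base64.b64decode(packet, validate=True)
        except (ValueError, TypeError):
            return None, "malformed"
        if len(raw) <= 32:
            return None, "malformed"
        payload, tag = raw[:-32], raw[-32:]
        expected = hmac.new(self.key, payload, hashlib.sha256).digest()
        # Constant-time compare: any forged or tampered packet fails here,
        # which a plain knock sequence can never enforce.
        if not hmac.compare_digest(tag, expected):
            return None, "bad hmac"
        body = json.loads(payload)
        if abs(now - body["ts"]) > self.window:
            return None, "stale"
        # Replay protection: remember the digest of every authenticated packet
        # for as long as its timestamp could still be accepted.
        self.seen = {d: t for d, t in self.seen.items() if t > now}
        digest = hashlib.sha256(raw).hexdigest()
        if digest in self.seen:
            return None, "replay"
        self.seen[digest] = now + self.window
        # Source binding: a captured packet sent from another host opens nothing
        # for that host, because the permitted IP is covered by the HMAC.
        if body["src"] != sender_ip:
            return None, "source mismatch"
        return body, "ok"


def routeros_allow_command(body, list_name="spa-allowed", timeout_s=30):
    """Assumed firewall action: add the client IP to a RouterOS address list
    with a timeout, which an existing accept rule for the service references."""
    return (
        "/ip firewall address-list add "
        f"list={list_name} address={body['src']} timeout={timeout_s}s "
        f"comment=\"spa {body['proto']}/{body['port']}\""
    )


if __name__ == "__main__":
    pkt = build_spa_packet(HMAC_KEY, "203.0.113.5", 22)
    verifier = SpaVerifier(HMAC_KEY)
    body, status = verifier.verify(pkt, "203.0.113.5")
    print(status, routeros_allow_command(body) if body else "")
    print("second delivery:", verifier.verify(pkt, "203.0.113.5")[1])
    print("from another host:", SpaVerifier(HMAC_KEY).verify(pkt, "198.51.100.9")[1])
```

The ordering inside `verify` matters: the HMAC is checked before the payload is parsed, so nothing attacker-controlled is interpreted until it has been authenticated, and the freshness window bounds how long the digest cache has to be kept. The address-list timeout means the router closes the hole on its own even if the Pi never sends a close command.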
And that is that: I can now punch a hole in my home network firewall whenever I need it using just my Android phone, a Fwknop client and the Fwknop key. The services behind the firewall still require authentication and are kept patched, so they should be secure enough, but there is nothing like a little defence in depth when it comes to security.