tumbler

It differs from port knocking in the following ways:

1. Uses a single port: the tumblerd listens on a single UDP port for a single UDP datagram containing the 'knock' on the door.
2. Secure: the 'knock' is an SHA-256 hash the includes a shared secret (similar to a password) and other information to prevent spoofing and replay attacks.
3. Generic: the 'knock' can cause any command to be executed and is not limited to firewall reconfiguration.

[Project Page] [Download] [JavaDoc of TumblerKnock]

The Perl implementation is discussed below.

Example

First set up the appropriate tumbler.conf (by default /etc/tumblerd.conf):

# Comments start with #
#
# The common section contains configuration options
# for the tumblerd daemon, here we set the UDP
# port to listen on to 8675 and a log file

[common]
    port = 8675
    log  = /var/log/tumblerd.log

# Each door that a user can knock on is defined by
# a unique [door-X] section, the first section is
# for opening the SSH port, and second for closing
#
# Each door has a secret (i.e. the password for this
# door that is part of the knock) and a command to
# execute.
#
# In the command it's possible to use the macros
# %IP% for the IP address of the person who knocked and
# %NAME% for the name of the door (in the first door
# here the name is open-ssh)
# %USER% for the user name of the user opening the door
# if present

[door-open-ssh]
    secret  = open-pAsSwOrD
    jgc.secret = password
    command = /usr/sbin/iptables -A INPUT -p tcp -s %IP% --dport 22 -j ACCEPT
 
[door-close-ssh]
    secret  = close-pAsSwOrD
    command = /usr/sbin/iptables -D INPUT -p tcp -s %IP% --dport 22 -j ACCEPT

Then run tumblerd (or tumblerd --config /path/to/file if the config file isn't in the standard place).

To knock on the open door the remote user does the following:

tumbler --open tumbler://host:8675/

where host is the host on which tumblerd is running. The user will be prompted for the secret (in this case open-pAsSwOrD). Alternatively it's possible to specify the secret on the command line as follows:

tumbler --open tumbler://open-pAsSwOrD@host:8675/

That's it.

To close the port again the user would use the close-ssh door's secret.

TUMBLER protocol

The tumbler protocol consists of a single message sent as a UDP datagram that contains a string identifying the tumbler protocol version (currently 2) and a hash value. For example,

TUMBLER2: 844c17eee03d848cc0a60e90f608d5ea11f417d9bf0d2c1af2b52c665245bf22

The hash is a SHA 256 secure hash of the following three items:

1. The current zulu date/time in minutes
2. The IP address of the sender of the message
3. The secret
4. An optional (added in v2) user name

The inclusion of the IP address of the sender means that a sniffed message cannot be reused from a different IP address, the inclusion of the time means that messages automatically expire and the inclusion of the secret means that an attacker needs to obtain the password.

Hence the security of tumbler is the same as password security: choose a good secret for each door and change it often! The tumblerd implementation prevents the reuse of a hash within the same minute so that each command is only executed once.

If tumblerd determines that the hash is valid it executes the associated command. There is no response positive or negative to the sending of a message.

tumblerd documentation

tumblerd

• --port specifies the UDP port to listen on (this can also be specified in the configuration file, see below).
• --config specifies the name of the configuration to read instead of /etc/tumblerd.conf.

tumblerd.conf

Blank lines and anything after a # are ignored in the configuration file.

Within each section configuration parameters in the form param = val are accepted. Whitespace is stripped before and after the parameter name and value.

Each section has certain permitted parameters:

• [common] section has:
  • port Specifies the UDP port on which tumblerd should listen for knocks.
  • log Specifies the name of a log file that tumblerd should write to
• [door-X] section has:
  • secret This is the secret that is used to unlock the door. Treat it like a password. If more than one door has the same secret then a single knock will open multiple doors. You can have multiple secrets per door.
  • user.secret This is a secret for a specific user (for example you can have the entry jgc.secret = password which would indicate that jgc can open this door with the secret password. You can have as many users and secrets per user as desired.
  • command The command to execute when the knock on this door is successful. It may contain the macros %IP% (the IP address of the knocking machine) and %NAME% (the name of this door (e.g. if this section is [door-foo] then the %NAME% is foo).

See the example above for a complete configuration file.

tumbler client documentation

• --open This is followed by a tumbler URL in the form tumbler://user:secret@host:port/ and cause a knock on the host on the port using the secret for optional user user. If the secret is omitted then the tumbler client will prompt for it. You can specify as many --open options as you wish.
• --from This sets the from IP address used inside the hash being passed. This is only necessary if the machine you are running on is behind a NAT device which will change the UDP packet's source IP address. In that case --from can be specified with the external IP address on the NAT device.