Misses some of the value of port-knocking

Story: A critique of port knocking
Total Replies: 4
chris

Aug 10, 2004
9:34 AM EDT
I'm not sure I agree with the conclusion. There can be a lot of value to port knocking. Things not covered in the article:

* it's not always about security, but simply hiding the fact you're running a particular service. An ISP, for example, might not like you running a web server, and it can be cloaked behind the port-knock.

* It's most effective with custom knock-sequences protecting servers that don't have well-known addresses. Everyone knows (or should know!) that http listens on port 80, so port knocking could use a brute-force technique to expose the httpd server. However, if you don't know what port my httpd server is listening on, it only becomes visible when you knock correctly, and vanishes immediately after the next connection attempt from the remote IP address, then they suddenly have a much bigger search space. For unknown or custom server types, it's literally searching for something you don't know is there and don't know what you've found even if you stumble across something.

* Further, the article doesn't account for the fact that it's easy to count the number of invalid connection requests and simply disable or delay the server from being visible to bad clients. Or, it could get slower like login prompts do. Further, there's another element that can stifle a brute-force attack: after the correct knocking sequence occurs, the listen socket for the guarded server doesn't become available for a specified number of seconds later. Try to connect too soon and it undoes the knock sequence. Thus, if it waits 3 or 5 seconds, it's slow but reasonable for humans who know the code, but for a brute force scan, it is very burdensome.

* It's NOT the same thing as just sending a password using an alternate representation. There is a difference between knowing a server is running (but not knowing how to get in) and not knowing it's running in the first place.

I agree with some of the criticisms, though. It's just not such an open-and-shut case.
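As an added illustration of the mechanics chris describes above (tracking each client's progress through the knock sequence, counting wrong knocks and blocking noisy clients, and holding the service closed for a grace period after the correct sequence so that connecting too soon undoes the knock), here is a small simulation. It is example code written for this page, not code from any poster or from a real knock daemon; the knock sequence, timings, thresholds and addresses are constructed values, and no sockets are opened.

```python
"""Port-knock state machine (simulation): one state record per client
address, a wrong-knock counter that blocks noisy clients, and a grace
delay after the correct sequence so that a too-early connection attempt
undoes the knock. All parameters below are constructed examples."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class ClientState:
    progress: int = 0                  # knocks of the sequence matched so far
    failures: int = 0                  # wrong knocks seen from this client
    opened_at: Optional[float] = None  # time the full sequence completed
    blocked: bool = False


class KnockGuard:
    def __init__(self, sequence, grace=3.0, window=30.0, max_failures=5):
        self.sequence = list(sequence)   # secret knock order (assumed values)
        self.grace = grace               # seconds before the service is reachable
        self.window = window             # seconds the opening stays valid after grace
        self.max_failures = max_failures # wrong knocks tolerated before blocking
        self.clients = {}

    def _state(self, ip):
        return self.clients.setdefault(ip, ClientState())

    def knock(self, ip, port, now):
        """Record one knock (a connection attempt to a closed port) from ip."""
        s = self._state(ip)
        if s.blocked:
            return "blocked"
        if port == self.sequence[s.progress]:
            s.progress += 1
            if s.progress == len(self.sequence):
                s.progress = 0
                s.opened_at = now
                return "opened"
            return "partial"
        # Wrong port: discard any progress or pending opening and count a failure.
        s.opened_at = None
        s.failures += 1
        if s.failures >= self.max_failures:
            s.blocked = True
            return "blocked"
        # A wrong knock may itself be the first knock of a fresh attempt.
        s.progress = 1 if port == self.sequence[0] else 0
        return "reset"

    def connect(self, ip, now):
        """Decide whether a connection to the guarded service is allowed."""
        s = self._state(ip)
        if s.blocked or s.opened_at is None:
            return "refused"
        elapsed = now - s.opened_at
        s.opened_at = None        # every outcome consumes the opening
        if elapsed < self.grace:
            return "too_early"    # connecting too soon undoes the knock
        if elapsed > self.grace + self.window:
            return "expired"
        return "accepted"


def demo():
    """Walk a legitimate client and a scanner through the guard."""
    g = KnockGuard([7000, 8000, 9000], grace=3.0, window=30.0, max_failures=3)
    events = []
    for port, t in ((7000, 0.0), (8000, 0.5), (9000, 1.0)):
        events.append(("user", "knock", port, g.knock("198.51.100.7", port, t)))
    events.append(("user", "connect", None, g.connect("198.51.100.7", 2.0)))
    for port, t in ((22, 0.0), (80, 0.1), (443, 0.2)):
        events.append(("scan", "knock", port, g.knock("203.0.113.9", port, t)))
    return events


if __name__ == "__main__":
    for e in demo():
        print(e)
```

The grace delay costs a legitimate user a few seconds per session, while a scanner that does not know the sequence has to guess both the ports and the timing, which is the asymmetry chris's point about a 3 or 5 second wait relies on.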
Void_Main

Aug 10, 2004
10:00 AM EDT
I didn't really understand the point of the article. They made it sound like if you defeat the port knocking sequence then you were just granted access into the system. If you were using a port knocking scheme to allow SSH for instance and you defeat the port knocking sequence you still can't get into the system without either knowing a username/password or by exploiting a hole in SSH. I think having SSH behind a port knock scheme is far better than leaving it open for anyone to see just in case a new exploit IS discovered in SSH that can be exploited before being patched. I do allow restricted SSH, only from specific addresses, and only to specific things, which is probably a little better than putting it behind a port knocking scheme, but it is rather inconvenient to get to if you aren't at one of the IP addresses that have access (security, just as I intended).

I see port knocking as nothing more than another level of security, not to replace any other existing level of security. You still want to keep your system updated with all the latest patches (apt-get update;apt-get dist-upgrade) and you still want to employ good passwords, use encryption, etc, etc. Adding obscurity is not a bad thing but it certainly should replace existing good security practices. Just my 2 cents. Having said that, I have read about port knocking in the past but have never tried it. It has intrigued me though, and if I have some time before this gets pushed out of my brain by something else I would like to experiment with it.
chris

Aug 10, 2004
12:10 PM EDT
There could be problems of perceived improved security which is contrary to your goals. (Thinking you're secure when you're not is worse than feeling vulnerable, IMHO, because people tend to get careless.)

Since port-knocks is just a way to deliver information to the computer, and the information is "secret" they claim that it's just an inefficient and elaborate way to enter the equivalent of a password.

There are some drawbacks, especially if you're going to knock on a machine you don't know. You have to have a well-known knock sequence or else their machine isn't reachable. So if that situation occurs, then knocking is just a nuisance. The knocks can be observed by a malicious 3rd party, and can thus be repeated by them as well.

A changing sequence known between two parties, however, can be very effective. Further, a difference between a password and a port-knock is that knocking actually affects the behavior of the system, while entering a password either allows you through or not without side effects.
Void_Main

Aug 10, 2004
12:47 PM EDT
There could be problems of perceived improved security which is contrary to your goals. (Thinking you're secure when you're not is worse than feeling vulnerable, IMHO, because people tend to get careless.)

But this is true for most anything. Running antivirus software on a Windows machine for instance gives many Windows users a false sense of security that they cannot get a virus. Virus protection is only as good as the last signature file and viruses have been way ahead of signature files for quite some time now.

Since port-knocks is just a way to deliver information to the computer, and the information is "secret" they claim that it's just an inefficient and elaborate way to enter the equivalent of a password.

I don't agree with this. The port knock setup prevents the script kiddie from knowing that I have ssh available. If there is a new exploit in SSH discovered then people who use a port knocking setup to gain access to that ssh daemon are going to have a better chance of not being exploited in the amount of time it takes to patch their system. If they are going to run ssh and allow access connections from anywhere in the absence of port knocking then I say they are a little better off if they at least move ssh behind a port knocking scheme.

There are some drawbacks, especially if you're going to knock on a machine you don't know. You have to have a well-known knock sequence or else their machine isn't reachable. So if that situation occurs, then knocking is just a nuisance. The knocks can be observed by a malicious 3rd party, and can thus be repeated by them as well.

I'm not sure I follow you here. What do you mean by "if you're going to knock on a machine you don't know"? Sounds like you are talking about a script kiddie or a cracker. If you don't know my machine you better not come a knocking because I'll be watching for you to make a mistake, just like I watch for people doing port scans on my systems. You guess wrong too many times I automatically block your IP just like if you enter a wrong password too many times I disable your account. But I think I misunderstand the point you are trying to make.

A changing sequence known between two parties, however, can be very effective. Further, a difference between a password and a port-knock is that knocking actually affects the behavior of the system, while entering a password either allows you through or not without side effects.

I would agree fully with this statement. I would not use port knocking as a "replacement" for a password scheme but I would use it "in addition to" a password scheme.
Void_Main

Aug 10, 2004
3:48 PM EDT
On a side note, I have done something similar to a port knock to automatically change firewall rules to allow incoming ssh connections from a specific address. For instance, I was going to be away for a while and I was going to have Internet access but I had no idea what the IP range was going to be where I was going. I needed to come up with something quick so I could access my home network from there but I didn't want to expose ssh to just anywhere. I run a web server in a DMZ and I figured all I had to do was watch the web server log for a specific string in a URL and when it was seen I came up with a way to let the firewall know of the address I wanted to grant access to. The URL might have been something like this:

http://voidmain.is-a-geek.net/?IamYourMaster_GiveMeSomeLovin

If I saw that string in my log I would allow ssh on a non-standard port to that address (still had to have a login ID/password and connect on a non-standard port).

It's pretty much the same principle.
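The log-watching trick Void_Main describes above, as an added example written for this page (not the poster's script): it scans web-server access-log lines for a request whose query string is exactly the secret token, collects the client addresses that sent it, and builds the firewall rule that would open the SSH port to them. The sample log lines are constructed, the log format (Apache combined), the non-standard SSH port and the iptables rule shape are assumptions, and the rules are returned as strings rather than executed.

```python
"""Log-triggered firewall grant: find access-log requests whose query
string is exactly the secret token and emit an allow rule for each
client address. Sample data and parameters are constructed for this
example."""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample lines in Apache "combined" log format (not a real log).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Aug/2004:15:40:01 -0400] "GET / HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Aug/2004:15:41:12 -0400] "GET /?IamYourMaster_GiveMeSomeLovin HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
192.0.2.77 - - [10/Aug/2004:15:41:50 -0400] "GET /?IamYourMaster_GiveMeSomeLovinX HTTP/1.1" 200 1043 "-" "curl/7.0"
198.51.100.23 - - [10/Aug/2004:15:42:30 -0400] "GET /?IamYourMaster_GiveMeSomeLovin HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
not-an-ip - - [10/Aug/2004:15:43:00 -0400] "GET /?IamYourMaster_GiveMeSomeLovin HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
"""

TOKEN = "IamYourMaster_GiveMeSomeLovin"   # the string from the post above
SSH_PORT = 2222                           # assumed non-standard SSH port

# Client address, then the request line's method and target.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)


def find_authorized_ips(log_text, token):
    """Return, in first-seen order and without duplicates, the client
    addresses whose request query string equals token exactly."""
    seen = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # Exact match on the query string, so a longer string containing
        # the token (or the token inside the path) does not qualify.
        if urlsplit(m.group("target")).query != token:
            continue
        try:
            ip = str(ipaddress.ip_address(m.group("ip")))
        except ValueError:
            continue  # malformed address field: never build a rule from it
        if ip not in seen:
            seen.append(ip)
    return seen


def firewall_rules(ips, port):
    """Build iptables commands (as strings) that open port to each address."""
    return [f"iptables -I INPUT -p tcp -s {ip} --dport {port} -j ACCEPT" for ip in ips]


if __name__ == "__main__":
    for rule in firewall_rules(find_authorized_ips(SAMPLE_LOG, TOKEN), SSH_PORT):
        print(rule)
```

Validating the address field before it reaches a firewall command matters because the log line is attacker-influenced text, and the exact-match on the query string keeps a near-miss from being accepted. The caveat chris raised earlier in the thread applies here too: a fixed token travels in the clear and can be replayed by anyone who observes it, so a real deployment would want to rotate it and bound the rule's lifetime.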
