[CentOS] Defending against simultaneous attacks - Port Knocking

Sun Feb 18 03:49:02 UTC 2007
MrKiwi <mrkiwi at gmail.com>

M. Fioretti wrote:
> On Sat, Feb 17, 2007 13:34:39 PM +1300, MrKiwi (mrkiwi at gmail.com)
> wrote:
> 
>> Beware of the thread ...
>>
>> http://slashdot.org/it/04/02/05/1834228.shtml?tid=126&tid=172
>>
>> on Slashdot regarding Port Knocking - there are some good points,
>> but loads and loads of misinformation and uninformed whining about
>> Port Knocking lowering your overall level of security.
> 
> May we ask you to sum up in a few lines both the good points and the
> misinformed/whining ones?
> 
> Thank you in advance,
> 
> 	Marco
> 
Sure;

Gems/Insightful comments.

"Thus, it is impossible to distinguish a totally silent box 
(listening on no ports, dropping all packets) that has 
implemented port knocking from a box that is merely totally 
silent."

"The idea has been around but this is the first real 
implementation I've heard of; would make port scanning 
completely useless. The problem is relying on additional 
client-side tools. I guess you could manually telnet to a 
series of ports quickly, then opening the ssh connection but 
the special packet idea wouldn't work unless you had proper 
tools on the client side."
[Note there are now many client-side tools (nix/win/mac) 
which implement port knocking and/or Single Packet Authorization]

"The funny thing is, why open up ports in a general fashion? 
Why not just open up those ports to connections from the IP 
that knocked?"

Most good implementations do just this - you knock, the port 
knocking server opens the firewall for ONLY your ip to 
connect to ONLY one port. EvilHacker can still scan the 
server and find no open port.

"Don't rely on something remaining secret unless you're 
willing to protect it as a secret. This "knock to open" is 
just another hoop a cracker has to jump through on the way 
into your machine. It will stop the clueless ones cold until 
they read about how the observant ones got around it, then 
it won't stop anybody.
But it might also lull the owner of the box into a false 
sense of security, and to the extent it does, it's a bad idea."

The first part of this is true - but in the same way that 
"brute forcing an encrypted packet before its payload 
becomes of no value" is another hoop that thankfully few 
crackers have managed to jump through.
In my opinion, port scans which lead to login or cracking 
attempts will still make up the bulk of malicious traffic 
for a long time yet. Port knocking reduces your visibility.
The enemy already has infrared goggles, so why does the army 
still wear camo?
The second point is the most dangerous part of port knocking 
- a false sense of protection.
Whines/Missed the point/Plain wrong.

1. "This doesn't seem like much of an advantage over simply 
using different ports for services"

It has the advantage of being able to use standard OR 
non-standard ports, however only *your* clients can even see 
the open port to connect to.
An analogy would be: a lock-picker can easily pick your door 
lock. If he must know a special 'knock' pattern before he 
can even see/touch the lock, his lock-picking skills become 
much less valuable.

2. "the whole thing seems kind of insecure to me without a 
method to dynamically change the knocking sequence"

No - All port knocking does is hide the open port from 
people who don't know the knock (caveat below). This in no 
way introduces any kind of insecurity.
Caveat: port knocking can be implemented with crypto-style 
payloads to eliminate the risk of a replay attack, so even 
knowing the port knock sequence doesn't open the port if you 
don't have a way to generate the correct packet payloads.
I don't know much about this, however there is a more 
advanced version which builds on this (and other concepts 
too) - Single Packet Authorization. Google it.

3. "Something tells me I'm going to be seeing a lot bigger 
firewall logs in the future, as this catches on."

Nope - No more than the 000's of log entries you already get 
from port scans.

4. "Open a whole range of ports--say, a couple thousand. 
Then an attacker won't (easily) be able to try all the 
possible knock sequences."

This misses the point - you leave the ports closed. An 
attacker cannot (easily) tell the difference between a 
port-knocking protected ssh port, and a server which is not 
running ssh. In both cases, the ssh port is closed. In the 
first case, it only opens after you knock on a seq of 
*closed* ports. In the second case, no combination of 
knocking on ports will open the ssh port.

5. "Ports that are closed but part of the knocking scheme 
would return a connection refused, while all the other 
(filtered) ports would simply be dropped"

No - Your firewall will not REJECT the packets, it will DROP 
them, no differently to before port knocking.

6. "This isn't going to catch on. It's not more secure and 
it wastes more resources.
Why would this be any more secure than listening on a single 
port for the "unique knock sequence?" Any good admin knows 
the most secure system is one that is listening on as few 
ports as possible."

Missed the point completely. I will break it down:
a. "This isn't going to catch on". Thanks Nostradamus, but 
it already has.
b. "It's not more secure ..." Yes it is. Crudely, fewer open 
ports => more secure.
c. "and it wastes more resources." - No. A watched series of 
ports takes barely more resources than `tail 
firewall.log|portknockingserver`, and many times less than 
are used when an attacker connects to an open port.
d. "Why would this be any more secure than listening on a 
single port for the "unique knock sequence?" Because 
listening 'on a single port' would be either an open port, 
or opened by a port scan.
e. "Any good admin knows the most secure system is one that 
is listening on as few ports as possible." Yay! You got one 
right. The word 'listening' is an unfortunate term for what 
port knocking servers do. 'Watching' would be better. They 
don't open any of the watched ports.

7. "i submit it could actually be less secure...
    1. dos attacks!
    2. sniff the port knocks"

No - DOS requires that you (the attacker) consume resources 
on the target box to a point where services are denied to 
legit users. If a vicious level of port scans cannot DOS the 
firewall, then a well implemented port knocking server will 
not be easily tipped over by this.
It has been shown that even in the middle of a DOS attack, a 
port knocking implementation will still open the ports for 
legit users, however there is one situation where you can 
replay packets to prevent a valid user getting an open port. 
SPA solves this issue.
Sniffing the port knocks only gets you an open port ... you 
still need all the skill/luck to break (say) ssh once you 
get an open port, so it is no less secure than a web facing 
ssh port. In fact some implementations close the port after 
x failed attempts, so basically you are wrong.

8. (in reply to the suggestion to use one-time port 
sequences) "If you're going to go so far as to require a 
one-use pad, then you can forget about the whole "port 
knocking" concept -- there's no stronger password than a 
1-use password."

Missed the point. Port knocking mitigates zero-day security 
issues, like ping-of-death etc. Even the most simple port 
knock seq will protect you from portscan->automated hacks.
No password - even shell=/dev/null - will protect you from 
that.
The point is that if your ports are open, your pants are down.


That pretty much wraps it up.

MrKiwi,
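To make concrete what the post means by a server that only *watches* closed ports (the `tail firewall.log|portknockingserver` model) and then opens the firewall for ONLY the knocking IP to ONLY one port, here is an added example that is not part of the original thread. It replays constructed iptables-style DROP log lines through a minimal knock state machine; the knock sequence, window and the sample IPs are all invented for the example, and the function returns the allow rules a real daemon would install rather than calling iptables itself.

```python
import re
from datetime import datetime, timedelta

KNOCK_SEQUENCE = (7000, 8000, 9000)  # hypothetical knock ports chosen for this example
PROTECTED_PORT = 22                  # opened only for the IP that completed the knock
KNOCK_WINDOW = timedelta(seconds=10) # longest allowed gap between two knocks

# Constructed iptables-style DROP log lines (not from the post): one legitimate client,
# one scanner hitting ports in the wrong order, one client whose knocks are too slow.
SAMPLE_LOG = """\
Feb 18 03:49:01 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.1 PROTO=TCP SPT=41000 DPT=7000
Feb 18 03:49:02 fw kernel: DROP IN=eth0 SRC=198.51.100.9 DST=192.0.2.1 PROTO=TCP SPT=50000 DPT=7000
Feb 18 03:49:02 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.1 PROTO=TCP SPT=41001 DPT=8000
Feb 18 03:49:03 fw kernel: DROP IN=eth0 SRC=198.51.100.9 DST=192.0.2.1 PROTO=TCP SPT=50001 DPT=22
Feb 18 03:49:03 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.1 PROTO=TCP SPT=41002 DPT=9000
Feb 18 03:49:04 fw kernel: DROP IN=eth0 SRC=198.51.100.9 DST=192.0.2.1 PROTO=TCP SPT=50002 DPT=8000
Feb 18 03:49:05 fw kernel: DROP IN=eth0 SRC=192.0.2.77 DST=192.0.2.1 PROTO=TCP SPT=33000 DPT=7000
Feb 18 03:49:40 fw kernel: DROP IN=eth0 SRC=192.0.2.77 DST=192.0.2.1 PROTO=TCP SPT=33001 DPT=8000
Feb 18 03:49:41 fw kernel: DROP IN=eth0 SRC=192.0.2.77 DST=192.0.2.1 PROTO=TCP SPT=33002 DPT=9000
"""

LOG_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>[\d.]+) .*?DPT=(?P<dpt>\d+)")

def parse_drop_line(line, year=2007):
    # Returns (timestamp, source IP, destination port), or None for lines we cannot parse.
    m = LOG_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["src"], int(m["dpt"])

def process_log(lines, sequence=KNOCK_SEQUENCE, window=KNOCK_WINDOW):
    # Per source IP we keep (index of the next expected knock, time of the last good knock).
    # A wrong port or a stale knock resets that IP; only a complete in-order sequence yields
    # an allow rule, and that rule is for the knocking IP alone (everyone else stays DROPped).
    state, rules = {}, []
    for line in lines:
        parsed = parse_drop_line(line)
        if parsed is None:
            continue
        ts, src, dpt = parsed
        idx, last = state.get(src, (0, ts))
        if idx > 0 and ts - last > window:
            idx = 0                                   # too slow: start the sequence over
        if dpt == sequence[idx]:
            idx += 1
        else:
            idx = 1 if dpt == sequence[0] else 0      # wrong knock: reset (or restart on first port)
        if idx == len(sequence):
            rules.append((src, PROTECTED_PORT))       # a real daemon would insert the ACCEPT rule here
            idx = 0
        state[src] = (idx, ts)
    return rules
```

Note that the scanner 198.51.100.9 and the slow client 192.0.2.77 never earn a rule even though they touch the right ports, and that port 22 stays closed to every source except the one that completed the sequence.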