M. Fioretti wrote:
> On Sat, Feb 17, 2007 13:34:39 PM +1300, MrKiwi (mrkiwi at gmail.com)
> wrote:
>
>> Beware of the thread ...
>>
>> http://slashdot.org/it/04/02/05/1834228.shtml?tid=126&tid=172
>>
>> on Slashdot regarding Port Knocking - there are some good points,
>> but loads and loads of misinformation and uninformed whining about
>> Port Knocking lowering your overall level of security.
>
> May we ask you to sum up in a few lines both the good points and the
> misinformed/whining ones?
>
> Thank you in advance,
>
> Marco

Sure.

Gems/Insightful comments:

"Thus, it is impossible to distinguish a totally silent box (listening on no ports, dropping all packets) that has implemented port knocking from a box that is merely totally silent."

"The idea has been around but this is the first real implementation I've heard of; would make port scanning completely useless. The problem is relying on additional client-side tools. I guess you could manually telnet to a series of ports quickly, then opening the ssh connection but the special packet idea wouldn't work unless you had proper tools on the client side."

[Note there are now many client-side tools (nix/win/mac) which implement port knocking and/or Single Packet Authorization.]

"The funny thing is, why open up ports in a general fashion? Why not just open up those ports to connections from the IP that knocked?"

Most good implementations do just this - you knock, the port knocking server opens the firewall for ONLY your IP to connect to ONLY one port. EvilHacker can still scan the server and find no open port.

"Don't rely on something remaining secret unless you're willing to protect it as a secret. This 'knock to open' is just another hoop a cracker has to jump through on the way into your machine. It will stop the clueless ones cold until they read about how the observant ones got around it, then it won't stop anybody. But it might also lull the owner of the box into a false sense of security, and to the extent it does, it's a bad idea."

The first part of this is true - but in the same way that "brute forcing an encrypted packet before its payload becomes of no value" is another hoop that thankfully few crackers have managed to jump through. In my opinion, port scans which lead to login or cracking attempts will still make up the bulk of malicious traffic for a long time yet. Port knocking reduces your visibility. The enemy already has infrared goggles, so why does the army still wear camo?

The second point is the most dangerous part of port knocking - a false sense of protection.

Whines/Missed the point/Plain wrong:

1. "This doesn't seem like much of an advantage over simply using different ports for services"

It has the advantage of being able to use standard OR non-standard ports, however only *your* clients can even see the open port to connect to. An analogy would be: a lock-picker can easily pick your door lock. If he must know a special 'knock' pattern before he can even see/touch the lock, his lock-picking skills become much less valuable.

2. "the whole thing seems kind of insecure to me without a method to dynamically change the knocking sequence"

No - All port knocking does is hide the open port from people who don't know the knock (caveat below). This in no way introduces any kind of insecurity.

Caveat: port knocking can be implemented with crypto-style payloads to eliminate the risk of a replay attack, so even knowing the port knock sequence doesn't open the port if you don't have a way to generate the correct packet payloads. I don't know much about this, however there is a more advanced version which builds on this (and other concepts too) - Single Packet Authorization. Google it.

3. "Something tells me I'm going to be seeing a lot bigger firewall logs in the future, as this catches on."

Nope - No more than the thousands of log entries you already get from port scans.

4. "Open a whole range of ports--say, a couple thousand. Then an attacker won't (easily) be able to try all the possible knock sequences."

This misses the point - you leave the ports closed. An attacker cannot (easily) tell the difference between a port-knocking protected ssh port, and a server which is not running ssh. In both cases, the ssh port is closed. In the first case, it only opens after you knock on a sequence of *closed* ports. In the second case, no combination of knocking on ports will open the ssh port.

5. "Ports that are closed but part of the knocking scheme would return a connection refused, while all the other (filtered) ports would simply be dropped"

No - Your firewall will not REJECT the packets, it will DROP them, no differently to before port knocking.

6. "This isn't going to catch on. It's not more secure and it wastes more resources. Why would this be any more secure than listening on a single port for the 'unique knock sequence?' Any good admin knows the most secure system is one that is listening on as few ports as possible."

Missed the point completely. I will break it down:

a. "This isn't going to catch on." Thanks Nostradamus, but it already has.

b. "It's not more secure ..." Yes it is. Crudely, fewer open ports => more secure.

c. "and it wastes more resources." No. A watched series of ports takes barely more resources than `tail firewall.log|portknockingserver`, and many times less than are used when an attacker connects to an open port.

d. "Why would this be any more secure than listening on a single port for the 'unique knock sequence?'" Because listening 'on a single port' would be either an open port, or opened by a port scan.

e. "Any good admin knows the most secure system is one that is listening on as few ports as possible." Yay! You got one right. The word 'listening' is an unfortunate term for what port knocking servers do. 'Watching' would be better. They don't open any of the watched ports.

7. "i submit it could actually be less secure... 1. dos attacks! 2. sniff the port knocks"

No - DoS requires that you (the attacker) consume resources on the target box to a point where services are denied to legit users. If a vicious level of port scans cannot DoS the firewall, then a well implemented port knocking server will not be easily tipped over by this. It has been shown that even in the middle of a DoS attack, a port knocking implementation will still open the ports for legit users, however there is one situation where you can replay packets to prevent a valid user getting an open port. SPA solves this issue.

Sniffing the port knocks only gets you an open port ... you still need all the skill/luck to break (say) ssh once you get an open port, so it is no less secure than a web-facing ssh port. In fact some implementations close the port after x failed attempts, so basically you are wrong.

8. (in reply to the suggestion to use one-time port sequences) "If you're going to go so far as to require a one-use pad, then you can forget about the whole 'port knocking' concept -- there's no stronger password than a 1-use password."

Missed the point. Port knocking mitigates zero-day security issues, like ping-of-death etc. Even the most simple port knock sequence will protect you from portscan->automated hacks. No password - even shell=/dev/null - will protect you from that. The point is that if your ports are open, your pants are down.

That pretty much wraps it up.

MrKiwi,
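An added illustration of the two mechanisms argued about above (example code written for this page, not from the original post or from any of the port knocking / SPA tools it refers to). The first part is a knock watcher fed with constructed iptables-style DROP log lines, in the spirit of `tail firewall.log|portknockingserver`: the knocked ports stay closed, a sequential scan never completes the sequence, and a successful knock opens the protected port for the knocking IP only. It also shows the weakness conceded in point 7: a sniffer who saw the plain sequence can replay it. The second part is a Single Packet Authorization style check with an HMAC over source IP, timestamp and nonce plus a replay cache, which refuses the sniffed-and-replayed case. The knock sequence 7000/8000/9000, the pre-shared key, the payload format and all addresses and log lines are constructed for the example.

```python
import hashlib
import hmac
import re

# Constructed iptables-style kernel log line format. The daemon only *watches*
# these DROP entries; the knocked ports are never opened or REJECTed.
LOG_RE = re.compile(r"SRC=(?P<src>\d+\.\d+\.\d+\.\d+) .*?DPT=(?P<dpt>\d+)")

KNOCK_SEQUENCE = (7000, 8000, 9000)  # assumed secret sequence of closed ports
PROTECTED_PORT = 22                  # opened for the knocking IP only
KNOCK_WINDOW = 10.0                  # seconds allowed to finish the sequence


class KnockDaemon:
    """Plain port knocking: a per-source state machine over firewall log lines."""

    def __init__(self, sequence=KNOCK_SEQUENCE, window=KNOCK_WINDOW):
        self.sequence = sequence
        self.window = window
        self.progress = {}  # src ip -> (next index in sequence, time of first knock)
        self.opened = []    # iptables rules we would have inserted

    def feed(self, line, now):
        """Consume one log line; return the firewall rule to add, or None."""
        m = LOG_RE.search(line)
        if not m:
            return None
        src, dpt = m["src"], int(m["dpt"])
        idx, started = self.progress.get(src, (0, now))
        if now - started > self.window:
            idx = 0                  # too slow: the sequence starts over
        if idx == 0:
            started = now
        if dpt == self.sequence[idx]:
            idx += 1
        elif dpt == self.sequence[0]:
            idx, started = 1, now    # wrong knock, but this one is a clean restart
        else:
            idx = 0                  # any other port (e.g. a scan) resets
        if idx == len(self.sequence):
            self.progress.pop(src, None)
            rule = f"-A INPUT -s {src} -p tcp --dport {PROTECTED_PORT} -j ACCEPT"
            self.opened.append(rule)
            return rule
        if idx:
            self.progress[src] = (idx, started)
        else:
            self.progress.pop(src, None)
        return None


SPA_KEY = b"constructed-pre-shared-key"  # assumed shared secret
SPA_FRESHNESS = 30.0                     # seconds a payload stays valid


def spa_payload(src, now, nonce, key=SPA_KEY):
    """Client side of an SPA-style knock (constructed format): src|ts|nonce|HMAC."""
    msg = f"{src}|{int(now)}|{nonce}".encode()
    return msg + b"|" + hmac.new(key, msg, hashlib.sha256).hexdigest().encode()


class SpaGate:
    """Server side: a sniffed payload cannot be replayed later or from elsewhere."""

    def __init__(self, key=SPA_KEY, freshness=SPA_FRESHNESS):
        self.key = key
        self.freshness = freshness
        self.seen = set()  # (timestamp, nonce) pairs accepted inside the window

    def verify(self, payload, observed_src, now):
        try:
            src, ts, nonce, tag = payload.decode().split("|")
        except ValueError:
            return False
        msg = f"{src}|{ts}|{nonce}".encode()
        expected = hmac.new(self.key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return False                  # forged or tampered payload
        if src != observed_src:
            return False                  # the opening is bound to the sender's IP
        if abs(now - int(ts)) > self.freshness:
            return False                  # stale: sniffed and replayed later
        self.seen = {k for k in self.seen if now - int(k[0]) <= self.freshness}
        if (ts, nonce) in self.seen:
            return False                  # replay inside the freshness window
        self.seen.add((ts, nonce))
        return True


def demo():
    """Run constructed traffic through both mechanisms and collect the outcomes."""
    client, sniffer = "203.0.113.7", "198.51.100.9"

    def log(src, dpt):  # constructed kernel log line, as tail firewall.log shows it
        return (f"Feb 17 13:34:39 gw kernel: DROP IN=eth0 OUT= SRC={src} "
                f"DST=192.0.2.1 PROTO=TCP SPT=51022 DPT={dpt}")

    daemon = KnockDaemon()
    knock = [daemon.feed(log(client, p), t) for t, p in enumerate(KNOCK_SEQUENCE)]
    scan = [daemon.feed(log(sniffer, p), 0.01 * p) for p in range(7000, 9001)]
    replay = [daemon.feed(log(sniffer, p), 100 + t) for t, p in enumerate(KNOCK_SEQUENCE)]
    gate = SpaGate()
    pkt = spa_payload(client, 1000, "n1")
    return {
        "knock_rule": knock[-1],
        "scan_opened": any(scan),
        "sniffed_sequence_opened": replay[-1] is not None,
        "spa_first": gate.verify(pkt, client, 1005),
        "spa_replay": gate.verify(pkt, client, 1006),
        "spa_wrong_src": gate.verify(spa_payload(client, 1000, "n2"), sniffer, 1005),
        "spa_stale": gate.verify(spa_payload(client, 1000, "n3"), client, 1100),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The watcher never answers on the knocked ports, so from the outside the sequential scan in `demo()` sees exactly the same DROPs as it would against a host with no knock daemon at all, yet the same packets replayed by the sniffer open the port - which is the gap the SPA gate closes by tying each payload to its sender, a timestamp and a nonce.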