"Port Knocking" For Added Security

Jeff writes "The process of Port Knocking is a way to allow only people who know the "secret knock" access to a certain port on a system. For example, if I wanted to connect via SSH to a server, I could build a backdoor on the server that does not directly listen on port 22 (or any port for that matter) until it detects connection attempts to closed ports 1026,1027,1029,1034,1026,1044 and 1035 in that sequence within 5 seconds, then listens on port 22 for a connection within 10 seconds. The web site explains it in some detail, and there is even an experimental perl implementation of it that is available for download. I can't think of any easy ways you could get around a system using this security method - let alone even know that a system is implementing it. Another article on port knocking is here."

not bad

[maelstrom (638)]

But it does seem like a layer of obscurity to what should otherwise be a secure port. What if someone is sniffing your network? Unlike an encrypted password, they could easily replay this sequence and gain access to your "hidden" port.

Re:not bad

[Kenja (541830)]

"But it does seem like a layer of obscurity to what should otherwise be a secure port. What if someone is sniffing your network? Unlike an encrypted password, they could easily replay this sequence and gain access to your "hidden" port."

And? It is still more secure. By using "port knocking" they HAVE to sniff out your network traffic and find the port combo. Without "port knocking" they just need to run nmap and see what ports they can try to attack.

Re:not bad

[ComputerSlicer23 (516509)]

But it's not as secure as not running SSH.

Hence, weather or not it is secure, is all a matter of opinion. Personally, I think if you can't run SSH out in the open, you shouldn't run it thru an obscurity filter.

We have no SSH configured on our outside network. Not with OTP, not from only allowed IP's. Not from only a specific port. Not with KnownHosts only. Not with known RSA keys only.

You want on, you've gotta be in the building. It'd be nice to fix problems while remote, but it's just not an option because of the security problems it presents. I live within a mile of the building, specifically so not having remote access isn't a big deal. I can go from sleeping in bed, to in the building in less then 10 minutes. It's a pain for small problems. However, it's small issue in comparison to dealing with a full blown network breakin due to SSH.

On occasion, I believe we have had someone local build an SSH tunnel that we can VPN thru onto our network. However, someone who already had access had to initiate the connection by hand with the correct IP. That's only allowed if we voice authenticate from you.

Kirby

Re:Promiscuous mode

[_Sharp'r_ (649297)]

Most switches have, uhh.... "features" that allow an experienced attacker to trick them into broadcasting traffic to multiple ports.

Essentially, with a little judicious arp spoofing and a flood or two, the switch can be confused into just "making sure" the packets get to the right destination by broadcasting like a hub when it would normally be switching.

Services listen on ports.

[khasim (1285)]

It isn't the port. It's the service listening on that port.

If the port is closed, then it is impossible to attack that service through that port.

This process closes those ports.

Re:not bad

[platypus (18156)]

Ok, let me rephrase what I wrote in another message.

Open ports per se are not insecure!

The whole point behind port knocking is the wrong impression that "open" ports are more insecure than "closed" ports. This is totally bogus.
It's about the applications behind the open ports, and it's not more complicated to write code which listens to a specific port and drops the connection if it doesn't recieve some secret number as the only payload of the first packet, than it is to write the kernel tcp/ip stack.

That brings me to another mantra

Kernel code is not intrinsically more secure than application level code!.

There are many examples for buggy and overflowing tcp/ip stacks (ping-o-death comes to mind if you're somewhat older).

Re:not bad

[LostCluster (625375)]

Think of it this way... it's an extra password combined with bonus security-by-obscurity of not having a visible password prompt.

The "knocking ports" could also be configured that if there are random hits to the standard port without the proper knock, the system could lock down for 30 seconds and even ignore the proper knock so that if somebody's trying to brute force all the possible knocks, they'll never get feedback when they have the right one.

Yeah, this is no substitute for properly securing the original service, but it's an extra layer that means there's even more that needs to be captured for a successful hack...

Not good

[glpierce (731733)]

"The "knocking ports" could also be configured that if there are random hits to the standard port without the proper knock, the system could lock down for 30 seconds and even ignore the proper knock so that if somebody's trying to brute force all the possible knocks, they'll never get feedback when they have the right one."

That would just create a new variant to DOS attacks. Instead of taking you offline, they just persistantly knock on random ports, thereby disabling your ability to communicate with trusted sources.

Re:not bad

[Jerf (17166)]

ignore the proper knock so that if somebody's trying to brute force all the possible knocks, they'll never get feedback when they have the right one.

Re "brute forcing"... the number of possible knocks is (ports used for knocking) ** (ports in knock sequence). Yes, that's exponentiation.

In fact, I'd suggest making the knock sequence much longer then in the article; ten might be good. Then, if you allocate 100 ports to the knocked and randomly select a 10 port sequence for the knocking, you get 100 ** 10 possible knocks, or 100,000,000,000,000,000,000 (100 sextillion) possible knocks.

With just a few more ports in the sequence and just a modest investment in ports, you can make brute forcing impossible.

(And if you mix up the ports so they aren't sequential and the attacker has to guess THOSE ports, it goes to approx. (2**16)**(number of knock), so for a 10-port sequence on potentially all TCP ports it's 1,461,501,637,330,902,918,203,684,832,716,283,019, 655,932,542,976 possible knocks, a.k.a. "way the hell more then can be brute-forced".

(I love posting big numbers on Slashdot.)

You need to worry about sniffers way more then brute forcers. (And as this is another layer of security, hopefully on top of an already fairly secure protocol like SSH, it's a good thing; now the 'man in the middle' has to have advanced knowlege to even know there's something to get into the middle of!)

Old Idea, Different Use

[jsonic (458317)]

The shady side of hackerdom has been using this very technique to hide their backdoors from port scanning admins. Or, uh, so I've heard...

not so shady...

[Hubert_Shrump (256081)]

i've been running SSH on a nonstandard port with this in the way:


iptables -N ${SSH_TABLE}
iptables -Z ${SSH_TABLE}
iptables -A ${SSH_TABLE} -m state --state NEW -m limit --limit 2/minute --limit-
burst 2 -j DROP
iptables -A ${SSH_TABLE} -m state --state NEW -m limit --limit 7/hour --limit-bu
rst 7 -j DROP
iptables -A ${SSH_TABLE} -m state --state NEW -m limit --limit 10/day --limit-bu
rst 10 -j ACCEPT
iptables -A ${SSH_TABLE} -j DROP


well, I thought it was cool...

Re:not bad

[26199 (577806)]

Hmm, lots of people have pointed this out, but it's easy to set up a system of one-time passwords... provided it's done in a cryptographically secure way, there's little point in sniffing for combinations.

Of course, you can still sniff to see what ports are actually in use...

My idea

[Catskul (323619)]

I though about this along time ago as a way of hiding a trojan. Of course I didnt patent it so no money for me : /

Easy enough...

[wishus (174405)]

I can't think of any easy ways you could get around a system using this security method - let alone even know that a system is implimenting it.

Sniffing.

Knock knock... who's there?

[bc90021 (43730)]

Knock knock...

Who's there?

Usher.

Usher who?

Usher wish I could SSH to your server!

Sorry... ;)

Before you complain about "Obscurity"

[pclminion (145572)]

This adds a layer of obscurity to a security policy. It can't substitute for security, but it certainly can help.

An analogy would be a military base with a ten-foot-thick steel blast door. This is like having a door that teleports around at random, which can only be frozen in one spot by speaking some magic word. Even if you know the word, you still don't have the key to the door. But if you do have the key, you still can't get in without the magic word because the door keeps teleporting around.

Obscurity is great, if it is part of a layered security policy which is ultimately based on strong cryptography. This is a really cool idea!

Obscurity IS Security

[CedgeS (159076)]

There is only one form of security for a publicly accessible interface: obscurity. What is a password? It is a piece of information that you know that someone else doesn't - it is obscurity. The key to your house is something you have that someone else doesn't. If they knew the obscure details of your key they could make one. What is a private key, a key for SSH, a kerberos function? They are all information you know which (hopefully) a potential attacker doesn't. This is obscurity.

If you have a security system for a public interface (the front door to your house, a computer port, etc...) that does not rely on obscurity you have a system better than any theoretical system anyone has ever thought of. (Biometrics don't count - they are just another piece of information that you have that someone else probably doesn't. That's obscurity.)

Re:Obscurity IS Security

[cheezit (133765)]

I think you are overreaching here. As far as I'm concerned, the phrase "security through obscurity" means obscurity of system design. If you don't tell anyone about your unprotected resource, that's security through obscurity. All I need to do is discover your resource.

Most security is based on secrets of one kind or another---that doesn't make it "obscurity."

Re:Obscurity IS Security

[Xenographic (557057)]

We usually call such a thing a secret, not "obscurity" ... at least, when talking about a password.

So this just makes part of the protocol secret, and one of our assumptions about security protocols is that the protocols are known.

Yes, it's an interesting and reasonably clever little hack (it is not, however, new), it does tend to hide some information (e.g. that the ports are even open) but if you're going to make the port look closed, anyhow, why not just listen on that port for something that would cause the service to "wake up"? I guess they thought it seemed a bit more clever the other way, who knows?

Old stuff

[Britz (170620)]

That is a very old method i developed with my friends. We would only open the door after a "secret" knock sequence. We had seen this on TV and thought this would be cool. We jeopardized the security regularly when we said "wrong knock" after someone else knocked. Usually parents. Then they would say "open up". And we had to comply.

Slashdotted?

[Fulkkari (603331)]

Is the site slashdotted...

...or do I have to knock my way in?

Silent Bob

[Sanity (1431)]

A few years ago Freenet implemented something similar to this called "Silent Bob". The name comes from Alice and Bob, the names given to sender and receiver respectively when describing cryptographic protocols.

The idea was that you didn't want to disclose that you were running a Freenet node unless the person connecting to you already knew your node's public key.

So when someone wants to establish a connection to you, they must send some encrypted data providing they know your public key. Your node can receive this data and only respond if it is correct. Furthermore, you could let your Freenet node sit on port 25, for example, and forward invalid connection attempts to a mail server on a different port.

Through this mechanism, your Freenet node could quite effectively hide behind another server, only making itself known to those already part of the Freenet network.

IIRC this wasn't actually implemented in Freenet, but it is the intention to add it at some point. Still, it is amazing how many ideas were pioneered by Freenet years ago and are only showing up in the wider public conciousness now.

NOT security through obscurity

[3Suns (250606)]

It should be noted that this is NOT (necessarily) an example of security through obscurity. One could treat the port-knocking sequence as a "key". Long enough keys could make port-scanning impossible for anyone who doesn't know the key. Real mathematical cryptography is based on a similar principle.

Also, this is only a defense against port-scanning. Even if someone did manage to break the knocking sequence, they would still have to use some kind of exploit against the machine on the port they discovered.

Possible problems

[Mr. McGibby (41471)]

What if multiple attempts from the same IP are made to access the port at the same time? Wouldn't the knocks get all mixed up?

Reverse-knock

[Seft (659449)]

Has anyone implemented a system where a service would be stopped if the ports next to it were scanned? i.e. if 1024, 1025, 1026, 1027 were scanned, a service running on 1028 would stop.

Security through obscurity

[Dominic_Mazzoni (125164)]

As everyone else is saying, this is just security by obscurity. That doesn't mean that you shouldn't use it, because it probably would help a lot in keeping out script kiddies and casual hackers. But the flip side, as always, is that you're giving yourself and your users a false sense of security when you pretend that measures like this will actually prevent motivated hackers from getting past it.

The most obvious way to break into a system like this is to compromise a nearby machine first and install a packet sniffer. Once you can see the traffic to the host running this port knocking system, it would be easy to discover the pattern. In fact, port knocking is less secure than a lot of other nonstandard authentication mechanisms because you could figure out the secret simply by looking at packet headers (since they contain the port numbers).

The other problem I see with this system is that it requires users to either memorize the secret knock, or use a program that automatically knocks for them. Since most people have a hard time even remembering all of their usernames and passwords, you'd see a lot of people writing down the knock, sending it via email, or writing scripts to knock for them. Dozens of opportunities to a hacker, especially one skilled in social engineering [amazon.com], to figure out the knock.

hmm...

[Kitsune (8349)]

Improperly done, the knock sentry could become a security/QOS issue in itself.

This definitely is security through obscurity and perhaps would work in the same way as a car alarm. There's lots more systems out there that are easier to break into, and if someone does try, just hope that they get fed up and moves on to the next one.

If you've gone this far, why not do something like they do on radio. Open up severable ports at the same time and multiplex your signal over several of them while sending noise over the ununsed ports randomly switching between ports using a syncronized random selector.

go a step further

[Casca (4032)]

Implement it in combination with a onetime type password arrangement. You look up what the series of knocks is supposed to be on your secureID card (or whatever), then knock in the combination it tells you to use. Tie it in with the server you want to get into, and the port you actually connect to for ssh can be different every time.

IE, secureID says sequence is "1234 1441 1114 5123", you knock on the first three, and 5123 is the ssh port activated for you only.

Knock Knock Honey Pot

[ifreakshow (613584)]

One interesting way to use this would be to forward incorrect knocks to a honeypot instead of the legitamite service. Then the attacker could never determine if he had indeed knocked successfully and would waste time running around in a fake system giving you valuable data about there intrusion methods and freeing up the actual service for legit users.

Christ people!

[Stonent1 (594886)]

How many people are going to say sniff and repeat the sequence. You still have to get through the service after it opens. The whole point is that they don't know what is going on in the first place. And rotating keys are a good idea anyway. I like this idea for running some kind of server behind your ISP that normally doesn't allow such things. When I had excite@home I would regularly get firewall logs that said "authorizedscan.home.com" portscanning me.

freq. hopping analogy-

[Samuel Nitzberg (317670)]

This looks similar to how frequency-hopping is used on secure radios.

Two radios synchronize, based on a key, and both change frequency every so many milliseconds. If you don't know the key, you can't send or receive to either of them.

I would like to see this extended to a port-hopping system for all ports and services. Sure -- it will burn some clock cycles, but I like the approach.

- Sam
http://www.iamsam.com

TCP/IP problems with this method.

[Vellmont (569020)]

Everyone has focused on the "does it make you more secure" arguments about this method. I'd be more interested in how it can be implemented properly since no TCP connection is being established using the knocks. I'd assume either a TCP SYN is being sent to the TCP ports, or the protocol uses UDP.

The problem is of course that since no connection is being established, there's no guaranteed delivery of packets, and no guaranteed delivery of packets in the order they were sent. This could be very problematic across network connections that drop packets, and provide you no feedback as to why you can't open your connection. If only 10 % of my packets get dropped, and I require 10 "knocks", I only have .9^10, or 35% chance of my sequence getting to its destination intact. 5% packet loss would up my chances to about 60%. Increasing amounts of knocks decreases my chances of the sequence arriving intact.

Is there a clever way to solve this problem, or is the reliability of it tied to a low amount of packet loss on a network?

It's _not_ just another password...

[jdreed1024 (443938)]

I see a lot of comments saying "Well, why not just have two passwords?". It seems that people didn't read the article (the first link is /.ed, the second is not). The whole point is that with this, until you knock, the machine appears as a closed machine. No ports open. All ports will simply drop packets on the floor, meaning that a hacker scanning your subnet will not bother with that machine. The machine essentially appears invisible until knocked. Even with the most secure system, the hacker can still see that you're running, say, sshd, Apache, CUPS, and a few other services. And if a buffer overflow was announced 5 minutes ago for, say, sshd, they know that they can attempt to exploit the machine, since they see port 22 open. If you are using Port Knocking, you can have a vulnerable sshd, and it's a hell of a lot less likely to get exploited since the cracker has no way of knowing that you're running sshd...

Stop complainin about "security through obscurity"

[Tom7 (102298)]

God damn, if I hear one more of you go, "this is just security through obscurity!" I am going to puke. This is the same as cleartext passwords, which are pretty secure if (a) you know nobody is sniffing the network and (b) you know nobody is masquerading as the host you want to connect to. Of course those things aren't typically true, so this alone isn't very secure. But it does disguise your exchange which, contrary to what the security-through-obscurity folks are saying, does give you some small measure of security.

This is just a way of encoding some bit transfer in the IP protocol instead of in the beginning of whatever protocol you're using after the connection. You could also use it to send cryptographic credentials which could be as secure as any other protocol (plus some extra security by obscurity). The only problem with that is that you need a way to send back information via TCP (because most good authentication protocols are two-way), but I think you need that anyway in order to serialize your knocks.

Re:Password

[26199 (577806)]

Except it hides that the port is open at all, which is useful.

Not the point

[s20451 (410424)]

come on kids. Have we not learned our lessons? Even as a one time pad, this is lame

You are very much missing the point. Yes, security through obscurity is terrible when it is the only security method you use. However, it can be used to augment a better security system. Even if somebody figured out the secret knock, they would still have to get past your sshd. And if an sshd exploit was found, your secret knock might give you enough time to patch the system before it could be exploited. More security is always a good thing.

Disbelief in security through obscurity doesn't mean you have to paint a bull's eye on your head and dare people to attack you.

Re:Brute Force

[HeghmoH (13204)]

Somebody do the math, but it doesn't look to be that secure. Brute-forcing this would not take long.

Assuming a 5 'letter' password, you have (2^16 - 1024)^5 possible passwords, which is 1.1 X 10^24. Assuming both the server and the attacker are on fat pipes and the server is implemented in a dumb way so that it doesn't recognize brute-force attempts, you could pull off perhaps 100 attempts per second. So it would take you about 10^22 seconds, or 350 trillion years.

In security, I think this technique is comparable to a reasonably strong plaintext password. It can be sniffed, but it can't really be brute-forced.

Today's show was brought to you by Google Calculator.

Re:Well, there go the logfiles

[aldousd666 (640240)]

It doesn't have to be listening on the 'knock' ports, it can be dropping the packets and either logging the drop or setting a flag via some daemon. There are a million ways to tell if someone attempted to access a closed port without having to open the port. All of this, by my calculation, makes port knocking indeed more secure.

Re:Well, there go the logfiles

[Smidge204 (605297)]

Or other problems to be seen, also now hackers won't just port scan me, they'll port scan me a trillion times, trying to find the right combination to open my ports.

And what stops them from brute-forcing regular password protected access on a known port?

1) You don't know how many ports are in the knock sequence
2) You don't know that the range is
3) You don't know what port will open when you get it right

Similar to a password, only instead of base 94 (a-z,A-Z,0-9`~-_=+\][|}{';":/.,?>million trillion trillion trials to crack. Then you have to do one more scan to figure out which port actually opened after each trial and hope no other service opened a port for some unrelated reason.

I'm thinking it's a tad more secure than password authentication alone... and you can always throw password auth in after the client connects, so you can throw in a few false-positives (bogus logins) to keep them busy.

And a five second window to transmit the sequence is pretty generous. If you wanted to harden it even more against brute forcing, you could require a full 5 second wait and accept all connection attempts from a particular host. That would limit an attacker to 20 attempts per minute max. So it'll take the better part of 32 billion trillion years to crack it.

At that point, you can consider the end of the universe as "The ultimate connection timeout"
=Smidge=

Re:Well, there go the logfiles

[Mod Me God (686647)]

That is the point.

1. Many ports getting a sequence is much more like noise than one port getting it -> much harder to identify an attempt of intrusion.

2. If you have a backdoor, as mentioned in the article, how will you know it has not been accessed? It was not listening, it gets activated, does its duty, deactivates. If it is a good backdoor it is invisible to that system (only visible though an additional layer).

So it is a better way of getting a connection, but not a solve-all for the intruder, and I doubt the intruder cares about any waste of your resources.

Re:Well, there go the logfiles

[pegr (46683)]

Any good admin knows the most secure system is one that is listening on as few ports as possible.


Is zero secure enough for you? The ports used for knocking are not open. The knock is the connect attempt which is recorded as an event on the server. The client gets nothing, not a NAK not a reset, nothing.

Re:Well, there go the logfiles

[diablobynight (646304)]

does it only open the port for that one IP somehow, using also advanced IP filtering, cause otherwise this is dumb, it would be like unlocking your door for the first customer to knock right, but having to leave it open the whole time the customer is shopping.

Re:Well, there go the logfiles

[S.Lemmon (147743)]

That doesn't seem right. If the order of the knocks is important, how do you get around that there's never a guarantee in what order network packets arrive? If no packets are sent back at all, how do you know when to send the next knock or even if the knock made it to the server?

Neither.

[khasim (1285)]

#1. DoS attacks - how is this different from any other DoS attack?

#2. Sniffing the port knocks - to do this, you would already have to have the upstream compromised or be on some shared network.

Re:Well, there go the logfiles

[RollingThunder (88952)]

Actually, an interesting potential of this is to have you "knock" at the NAT gateway. Proper knocking opens up a given service and knock ports to an internal system.

Different knock patterns at the NAT open you to different internal hosts. Quite interesting possibilities there.

Re:Well, there go the logfiles

[Esion Modnar (632431)]

Actually, I think this article has been one of the most "nerd-worthy" postings on Slashdot in quite a while...

And yes, one the most annoying things about sitting behind a NAT is only being able to forward a port to a single host at a time. This would be great if "port knocking" could solve this, though in a very Rube Goldberg fashion.

Re:Open a whole range of ports

[ViXX0r (188100)]

The summary says that the ports to knock on are closed. Portscanning shouldn't reveal which ones are available to be knocked on.

Re:Open a whole range of ports

[lactose99 (71132)]

That depends on the NAT gateway, as per the original poster. If the NAT gateway is dropping all packets that aren't part of a) valid incoming connections or b) a port knocking scheme, a portscan would reveal some or all of the ports utilized in the port knocking scheme. Ports that are closed but part of the knocking scheme would return a connection refused, while all the other (filtered) ports would simply be dropped.

Granted, most anyone implementing this sort of security setup on their firewall would most likely think about this and either a) open an entire range of ports, only some of which would be used for port knocking (as a previous poster mentioned) or b) simply close everything at the NAT gateway and not drop any packets, thereby not revealing any detail regarding a port knocking scheme.

I'm sure there are several other ways to deal with this at a NAT gateway, but they just aren't coming to mind at the moment.

Re:Well, there go the logfiles

[3.1415926535 (243140)]

How about, "Yeah, NAT breaks stuff, let's fix it" instead?

Re:Equivalent to a password

[pla (258480)]

This is equivalent to to putting a password on access to the port.

This seems much better than a password, I would think (Though I certainly would still use a password as well).

As an analogy, if you want to get into a house, and find a locked door, you have a few options... You can try one of those M x N position key blanks, which will take a very very long time (exhaustive search). You can try to pick it (exploit a weakness in the password algorithm). You can try to get ahold of a copy of the real key (packet sniffing, "shoulder surfing", etc). But you have no doubt that somewhere, a key exists that will open that door.

Now compare that to a solid block of concrete, roughly the size of a house. What does it do? Do helicopters land on it? Does it cover something, or hold something down? Does it have something sealed inside it? You'd never suspect that that, if you utter the magic phrase "Sim sala bim bamba sala do saladim", a door will appear in the side of this large concrete block, allowing those with a key to gain entrance.

The main difference involves knowing whether or not a way in exists. With just a passworded port, an attacker knows that enough effort will pay off. Adding in port knocking, that attacker doesn't know whether or not their hard work can ever gain them entrance, since a port might well not exist.


Now, in my opinion, the more interesting question here involves how to hide this from one's ISP (ie, make it snoop-proof).