"Port Knocking" For Added Security

Jeff writes "The process of Port Knocking is a way to allow only people who know the "secret knock" access to a certain port on a system. For example, if I wanted to connect via SSH to a server, I could build a backdoor on the server that does not directly listen on port 22 (or any port for that matter) until it detects connection attempts to closed ports 1026,1027,1029,1034,1026,1044 and 1035 in that sequence within 5 seconds, then listens on port 22 for a connection within 10 seconds. The web site explains it in some detail, and there is even an experimental perl implementation of it that is available for download. I can't think of any easy ways you could get around a system using this security method - let alone even know that a system is implementing it. Another article on port knocking is here."

huff and puff

[tombou]

little pig little pig...

let me in

Beavis?

[tommck]

Am I the only one who heard Beavis say "Port Knocker!"?

Probably...

Knock knock... who's there?

[bc90021]

Knock knock...

Who's there?

Usher.

Usher who?

Usher wish I could SSH to your server!

Sorry... ;)

Old stuff

[Britz]

That is a very old method i developed with my friends. We would only open the door after a "secret" knock sequence. We had seen this on TV and thought this would be cool. We jeopardized the security regularly when we said "wrong knock" after someone else knocked. Usually parents. Then they would say "open up". And we had to comply.

Slashdotted?

[Fulkkari]

Is the site slashdotted...

...or do I have to knock my way in?

Re:Before you complain about "Obscurity"

[Anonymous Coward]

That was, quite possibly, the greatest analogy in the history of /.

Port knocking IS Patriotic: +1, Hilarious

[Anonymous Coward]

Before you Slashdot about "port knocking", please
send your text through a spellchecker.

"implimenting" should read "implementing".

Remember, the "President" [whitehouse.org]
was AWOL [calpundit.com]

Regards,
Kilgore

"Port Knocking"

[Unknown Kadath]

It sounds like a euphemism for something obscene. I bet it's illegal in Texas.

-Carolyn

Re:Before you complain about "Obscurity"

[skiflyer]

It's called a secret knock and that's the best analogy you could come up with? Perhaps it's more like a ten-foot-thick steel blast door, but you can't even see the keyhole unless you knock on it just the right way?

Slashdotted

[BlueTooth]

Does anyone know the secret knock for www.portknocking.org:80 ?

Thanks.

Re:not bad

[tommck]

Rather than sniffing her network and replaying sequences, why not just buy her dinner to gain access to her "hidden port"?

Web site is "knocked" down

[unigeek]

Looks like someone knocked on the wrong port. I believe the idea is to hit a few different ports and then go the secretly opening door. However the technique known as "slashdotting" where the sequence looks sort of like

site up

knock 80

knock 80

knock 80

.. (knock 80 about 3 million times in two mintues)

site down

Re:Easy enough...

[Patrik_AKA_RedX]

If you had access to the machine it was running on, then why would you even care about getting access anymore?

Well, If you happen to be a trojan, you could log all those secret knocks and do trojan horse stuff with it.

Re:Oh, really.

[srmalloy]

I predict a flood of commenters whining about this being "security through obscurity."

Well, it worked reasonably well for the speakeasies during Prohibition. Unfortunately, the FBI's DOS attacks were also more effective then...

Re:not bad

[C10H14N2]

Great. Just what you want to do is hard-code a quicker way to DoS you system.

TERRIFIC.

This will be used only on systems storing highly sensitive Star Trek Fan-fiction.

Re:not bad

[pclminion]

In a way it does. It firsts asks for a username, and then a password. If one of them is incorrect, you don't get access. But SSH doesn't tell you which one was incorrect.

This reminds me of a cgi driven website I visited a loooong time ago (1996?)

I was creating a user account, and was using the password "beelzebub". However, the system refused to let me create the account. It displayed a page which stated "That password is invalid: It is being used by another user. Please select a unique password."

Apparently, some genius thought it was good security to ensure that no two users had the same password. I hope you can see the intrinsic flaw in this :-)

B&B

[jafiwam]

Butthead: "Uhhhha, I am gonna emale you....in the butt.

Beavis: "Shutup! Port-knocker!

Re:Well, there go the logfiles

[NanoGator]

"Yeah, NAT breaks stuff, get used to it."

Shat up, port knocker. /Beavis Voice

Fine Idea

[Anonymous Coward]

Fine Idea! ... now someone just needs to develop a way to leave a "virtual bag of flaming poo" at one of your ports.

Re:Well, there go the logfiles

[Anonymous Coward]

which do you think you're more likely to hit on the first try?

YOUR FACE