Combining Port Knocking With OS Fingerprinting
michaelrash writes "Port knocking implementations are on the rise. I have just released fwknop (the Firewall Knock Operator) at DEF CON 12. Fwknop implements both shared and encrypted knock sequences, but with a twist: it combines knock sequences with passive operating system fingerprints derived from p0f. This makes it possible to allow, say, only Linux systems to connect to your SSH daemon. Fwknop is based entirely around iptables log messages and so does not require a separate packet capture library. Also, at the Black Hat Briefings, David Worth has released a cryptographic port knock implementation based around one-time pads."
How much more is needed? (Score:2, Insightful)
The more complicated you make it, (Score:5, Insightful)
Re:It's kinda cool (Score:3, Insightful)
It seems like a fad, and of course the authors of such programs will defend its usefulness.
My opinion is that this technique is not new, and hackers have been using very similar things for decades.
And since he mentioned DEF CON, oh boy has that hacking con gone downhill. Bugs are just not as easy to find nowadays, so the bar has been raised for h4x0rs.
Port knocking, firewalls, DMZs,... (Score:4, Insightful)
I realize the need for these things, basically forced upon us by the combination of commercial interests, shitty insecure OS, script kiddies and greedy crackers (not hackers), but all the same, I can't help realize that the internet of today is a far cry from what it was intended to be in terms of freedom of communication...
Security Through Obscurity (Score:4, Insightful)
And even if you don't want others to see that there are services running on your host there are better solutions. e.g. sending a special string to some UDP port.
If someone can sniff your traffic and he knows about portknocking it's trivial for him to detect it. If someone can't sniff your traffic there's no advantage in using portknocking.
Re:Port knocking, firewalls, DMZs,... (Score:5, Insightful)
I can't help realize that the internet of today is a far cry from what it was intended to be in terms of freedom of communication
Um...wasn't the internet born at the department of defense? Awfully nice of them, to make this huge network for freedom of communication.
Oh, wait, that's not what it was intended for. It was intended to be a network of communication, built to survive outages of several large nodes in case of a nuclear attack. It's only as more and more people began romanticising it that we've come up with this free communications thing.
While I'm not opposed to it, I am realistic about it. Would you leave your car, complete with keys, parked in a stadium parking lot, with an open door, and a sign stuck on the steering wheel saying, "Please don't take"? That's essentially what you do with your computer when you go online without any sort of protection (short of the sign, mind you).
Re:Security Through Obscurity (Score:4, Insightful)
Port knocking buys you the time between a new ssh exploit and the fix. It significantly reduces the chance of being found by portscanners and therefore of being hacked. You still have to fix ssh though.
Re:Port knocking, firewalls, DMZs,... (Score:3, Insightful)
I have a private server I use for e-mail, irc, and as a convenient, central location to store files. I have no interest in making this server public--it's only on the Internet because to set up a dedicated line to it would be prohibitively expensive. I don't even want people to know the server is there, and if they do find out it's there, I want security to be as tight as possible. Port knocking, in a way, helps to meet my goals. If I was required to let anyone onto my server, I would take it down, which would be the loss of a private asset.
But that doesn't mean you're not right, in a way. The problem with the world today is that it runs on money. Very little is free. Even some HTTP is pay-per, and that's just the way it is until someone finds a way to pay the bills without milking the customer.
Re:Port knocking, firewalls, DMZs,... (Score:5, Insightful)
I think the majority of people - geeks included, but not to the exclusion of everyone else - think the internet, on the whole, is performing fairly reasonably. Just like in reality, when you have a small group of people working together, issues of trust are much easier to deal with compared to working with hundreds of millions of people.
Blaming "commercial interests, shitty insecure OS,
Soon enough, the Internet would be compartmentalized exactly the way you fear - into groups of like-minded people instead.
The Internet isn't supposed to be utopia. It was about making resources easier to access and it does that job amazingly well, given the imperfect people using it.
Re:Security Through Obscurity (Score:2, Insightful)
Watching the logs.. (Score:3, Insightful)
Use the recent match module and something like the following for requiring ports 1000, 2000 and 3000 to be knocked in order and within 30 seconds before allowing ssh from a particular host: Now you don't have to clutter the system with logs and a daemon that may run into trouble.
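The rules the comment refers to are not on the page. The following is an added example of the technique it describes, written here and not the commenter's own rules: a generator for an iptables-restore ruleset that uses the recent match module to require knocks on TCP ports 1000, 2000 and 3000 in that order, each within 30 seconds of the previous one, before a new connection to the SSH port is accepted from that source. The chain and list names (KNOCKING, GATE1..3, PASSED, AUTH1..3), the per-step reading of the 30-second window, and SSH on port 22 are assumptions.

```shell
#!/bin/sh
# Added example: port-knock ruleset built on the iptables "recent" module.
# Not the commenter's rules. Knock ports, the 30 s window and SSH on 22 are
# taken from the comment or assumed; chain/list names are assumptions.
# Prints an iptables-restore(8) filter-table ruleset so it can be reviewed
# before being applied (as root):  sh knock_rules.sh --print | iptables-restore --noflush

# gen_knock_rules PORT1 PORT2 PORT3 WINDOW_SECONDS [SSH_PORT]
gen_knock_rules() {
    p1=$1; p2=$2; p3=$3; win=$4; ssh=${5:-22}
    cat <<EOF
*filter
:KNOCKING - [0:0]
:GATE1 - [0:0]
:GATE2 - [0:0]
:GATE3 - [0:0]
:PASSED - [0:0]
# Loopback and already-established flows never go through the knock logic,
# so an accepted SSH session survives after its one-shot token is consumed.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -j KNOCKING
# Dispatch: a source that completed step N within the window is sent to the
# next gate; anyone else starts at step 1. Most specific list is checked first.
-A KNOCKING -m recent --rcheck --seconds $win --name AUTH3 -j PASSED
-A KNOCKING -m recent --rcheck --seconds $win --name AUTH2 -j GATE3
-A KNOCKING -m recent --rcheck --seconds $win --name AUTH1 -j GATE2
-A KNOCKING -j GATE1
# Step 1: record sources that hit the first knock port; drop everything else,
# so a scanner sees no difference between knock ports and closed ports.
-A GATE1 -p tcp --dport $p1 -m recent --name AUTH1 --set -j DROP
-A GATE1 -j DROP
# Step 2: any packet other than the second knock clears the source's progress
# and sends it back to step 1 (a sequential port scan resets itself here).
-A GATE2 -m recent --name AUTH1 --remove
-A GATE2 -p tcp --dport $p2 -m recent --name AUTH2 --set -j DROP
-A GATE2 -j GATE1
# Step 3: same pattern for the third knock.
-A GATE3 -m recent --name AUTH2 --remove
-A GATE3 -p tcp --dport $p3 -m recent --name AUTH3 --set -j DROP
-A GATE3 -j GATE1
# Sequence complete: the token is removed first, so exactly one new connection
# to the SSH port is accepted per completed knock sequence.
-A PASSED -m recent --name AUTH3 --remove
-A PASSED -p tcp --dport $ssh -j ACCEPT
-A PASSED -j GATE1
COMMIT
EOF
}

# Emit the ruleset described in the comment when run with --print.
if [ "${1:-}" = "--print" ]; then
    gen_knock_rules 1000 2000 3000 30 22
fi
```

Because the KNOCKING chain drops every new TCP connection that is not part of a correct sequence, any other service the host offers must be accepted before the `-j KNOCKING` jump. The kernel's view of who has reached which step can be read from `/proc/net/xt_recent/AUTH1` (and AUTH2, AUTH3), which is a cheaper way to watch knock activity than logging every packet.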
Re:The more complicated you make it, (Score:2, Insightful)
Now look at the complexity and functionality of SSH, and its share of security problems over the past years.
Then look at port knockers, their simplicity and minimal reliance on bloated libraries. Note they only use a single, simplistic - but cryptographically proven - authentication scheme based on things such as basic symmetric ciphers or one-way shortcut functions, with implementations that could hardly go wrong.
The whole point is, SSH and many other complex services have proven to be not reliable and secure enough to be left open wide without losing sleep over it. Protecting them with a simple and secure solution consisting only of dozens or hundreds lines of code makes sense.
Re:It's kinda cool (Score:5, Insightful)
Only in the same sense that passwords are security through obscurity.
Right combination of keystrokes, right combination of ports to knock, these sound very similar to me.
LK
Re:It's kinda cool (Score:5, Insightful)
The primary purpose of port knocking is to hide the fact that you have open ports to begin with. You don't want to have those ports unprotected once the right knock sequence is in place. You want both password/challenge AND port knocking so no active scanner detects your open ports.
Re:Security Through Obscurity (Score:1, Insightful)
Security through obscurity is valid in some cases, when the obscurity is deep enough that guessing in the dark is time-expensive and must be repeated for each intrusion, and simple enough for the user. For example, security based on hiding logic only needs 1 successful attempt to be broken (guess the logic and the security is broken until changed, which is not simple), and using a weak password is not time-expensive to crack, so neither is a valid use of StO.
In the case of port knocking, since it's based on a port sequence, it's analogue to a password, which means that it depends on the user choice of a good sequence (i.e. not trivial).
If you're concerned about the safety of the communication channel, the same problem arises also with traditional passwords. Then using One Time Pads (as suggested by the article) solves this problem.
Re:How much more is needed? (Score:2, Insightful)
Re:It's kinda cool (Score:5, Insightful)
The only time that "security through obscurity" is wrong is if that is your entire approach to security.
Even if you have the latest and greatest copy of the most secure software written to perform some service, there is always a possibility that there is something exploitable that is yet unknown.
Port knocking is an excellent way to greatly reduce the probability that someone will be able to use a newly discovered exploit from using it against your server before an update is available to fix the exploit.
Of course, if someone is in the right place and can monitor the network traffic from another computer somewhere along the path, they can discover the port knocking sequence. For that reason, you still need your normal security and you still need to keep the patches up to date.
But the result will still be a vastly improved possibility of avoiding an attack when a vulnerability is found.
Re:How much more is needed? (Score:2, Insightful)
They Will Never Know (Score:3, Insightful)
They will never know.
Unless... they see their logs.
Your ISP may not be able to directly open your ports but they have to receive, handle and send every single inbound and outbound IP packet of yours, each of them containing source and destination port numbers.
If they don't know the easiest way to see whether you run any servers by just observing port numbers in your traffic, then, if I were you, I wouldn't want such imbeciles for my ISP.