"Port Knocking" For Added Security 950
Jeff writes "The process of Port Knocking is a way to allow only people who know the "secret knock" access to a certain port on a system. For example, if I wanted to connect via SSH to a server, I could build a backdoor on the server that does not directly listen on port 22 (or any port for that matter) until it detects connection attempts to closed ports 1026,1027,1029,1034,1026,1044 and 1035 in that sequence within 5 seconds, then listens on port 22 for a connection within 10 seconds.
The web site explains it in some detail, and there is even an experimental perl implementation of it that is available for download. I can't think of any easy ways you could get around a system using this security method - let alone even know that a system is implementing it.
Another article on port knocking is here."
Well, there go the logfiles (Score:4, Insightful)
Re:Well, there go the logfiles (Score:3, Insightful)
Re:Well, there go the logfiles (Score:5, Interesting)
Different knock patterns at the NAT open you to different internal hosts. Quite interesting possibilities there.
Re:Well, there go the logfiles (Score:5, Interesting)
This can be done dynamically as a form of load balancing which is a neat hack. Expire the specific forward rule after 30s or something. Means similar requests cluster - less DB traffic.
But, combine this with knocking and you've got the next step. Secret services on a 'stealthed' IP, where you can request which quake server (for instance) by knocking in a different way.
Port scanning isn't what it once was. Especially once you factor in time-sensitive keys (easily doable - both machines need a net connect to reach each other, ntp is then trivial) and ID-sensitive keys (so my key isn't like yours, even at the same time). Even if you managed to snoop on a 'knock' you couldn't repeat it.
Re:Well, there go the logfiles (Score:5, Insightful)
And yes, one the most annoying things about sitting behind a NAT is only being able to forward a port to a single host at a time. This would be great if "port knocking" could solve this, though in a very Rube Goldberg fashion.
Re:Open a whole range of ports (Score:5, Informative)
Re:Open a whole range of ports (Score:5, Insightful)
Granted, most anyone implementing this sort of security setup on their firewall would most likely think about this and either a) open an entire range of ports, only some of which would be used for port knocking (as a previous poster mentioned) or b) simply close everything at the NAT gateway and not drop any packets, thereby not revealing any detail regarding a port knocking scheme.
I'm sure there are several other ways to deal with this at a NAT gateway, but they just aren't coming to mind at the moment.
Re:Open a whole range of ports (Score:5, Insightful)
No, the gateway or direct host has ALL PORTS CLOSED, however it does log port requests. If the log shows the knocking sequence, then and only then, will it open a port.
Re:Open a whole range of ports (Score:4, Interesting)
Sorry, wrong. There are several messages in this thread that mention REJECT (response to packet) instead of DROP (total silence). With this scheme in place, you need not listen on *any* ports, and you need not respond in any way. You can have a totally silent box, even with 10 or 20 services "listening". Nothing gets through until your iptables/ipchains software allows the traffic through.
Admittedly, if you're running a public site, you're mixing two kinds of solution --- publicly available vs secured, but analogous statements can be made here - you can't tell a public site using port knocking for some special services from a public site that doesn't support same.
This is like a void fn() in C (no return status). You knock on the 5, 10, or 25 ports in the right sequence to "send your message". You get nothing back. You then try to open the port that is your ultimate destination - if it's open, you're fine, if it's not, you have issues. This isn't a full-duplex kind of protocol, folks. I love it :-)
Thus, it is impossible to distinguish a totally silent box (listening on no ports, dropping all packets) that has implemented port knocking from a box that is merely totally silent.
As a two-laptop user who attaches to corporate LANs and public high-speed networks in hotels, I just love the idea of having all packets dropped until someone sends "shave & a haircut!" - then letting them in for a bit.
It would certainly be better than my current approach - using ethernet addresses (maclist in Shorewall! :-) to allow ftp and http etc to my linux box.
Re:Well, there go the logfiles (Score:5, Insightful)
Re:Well, there go the logfiles (Score:5, Interesting)
Re:Well, there go the logfiles (Score:5, Insightful)
And what stops them from brute-forcing regular password protected access on a known port?
1) You don't know how many ports are in the knock sequence
2) You don't know that the range is
3) You don't know what port will open when you get it right
Similar to a password, only instead of base 94 (a-z,A-Z,0-9`~-_=+\][|}{';":/.,?>million trillion trillion trials to crack. Then you have to do one more scan to figure out which port actually opened after each trial and hope no other service opened a port for some unrelated reason.
I'm thinking it's a tad more secure than password authentication alone... and you can always throw password auth in after the client connects, so you can throw in a few false-positives (bogus logins) to keep them busy.
And a five second window to transmit the sequence is pretty generous. If you wanted to harden it even more against brute forcing, you could require a full 5 second wait and accept all connection attempts from a particular host. That would limit an attacker to 20 attempts per minute max. So it'll take the better part of 32 billion trillion years to crack it.
At that point, you can consider the end of the universe as "The ultimate connection timeout"
=Smidge=
Re:Well, there go the logfiles (Score:4, Insightful)
It should give you less irritation as an admin, when portscans reveal that every port on your computer is closed, and they go find another target, wondering why you bothered buying a firewall if you seemingly haven't configured it to accept connections.
A recent nanog (was it nanog?) flamewar mentioned that people ran their servers on non-standard ports and they considered it really secure. Why? Because the viruses only scan one port, and choosing a different one gives you a lot of time to take stock when a vulnerability/virus pair is announced.
It's obscurity (as a first layer of defence), but it means that an "nmap * -p 22" won't find your server, and anyone running the full scan of 64K ports over the internet is making themselves a lot more visible, and a lot slower.
Re:Well, there go the logfiles (Score:5, Interesting)
1. Many ports getting a sequence is much more like noise than one port getting it -> much harder to identify an attempt of intrusion.
2. If you have a backdoor, as mentioned in the article, how will you know it has not been accessed? It was not listening, it gets activated, does its duty, deactivates. If it is a good backdoor it is invisible to that system (only visible though an additional layer).
So it is a better way of getting a connection, but not a solve-all for the intruder, and I doubt the intruder cares about any waste of your resources.
Re:Well, there go the logfiles (Score:5, Informative)
Is zero secure enough for you? The ports used for knocking are not open. The knock is the connect attempt which is recorded as an event on the server. The client gets nothing, not a NAK not a reset, nothing.
Re:Well, there go the logfiles (Score:5, Interesting)
Re:Well, there go the logfiles (Score:5, Informative)
When a process is listening for new connections, it doesn't block existing connections from carrying on sending and receving data
When a port is 'connected', it means that a process has an established connection to another host.
Therefore, no, just because a port is not listening/open, doesn't prevent an existing connection from sending and receiving data.
If that was the case, then the first person to telnet/ssh to your box would tie up that port and a second connection would be blocked until the first had freed up the port, however that is not what happens at all.
All they're saying is that when the portknocking daemon detected the correct knock sequence on closed ports, it starts a process to LISTEN for new connections, ideally from just the host that did the knocking, for a limited period of time (10 seconds). Once a TCP connection is established with the listening host, that host no longer needs to listen, and that's why it stops after 10 seconds.
Re:Well, there go the logfiles (Score:5, Interesting)
Re:Well, there go the logfiles (Score:3, Insightful)
I Disagree. If someone sniffs the knocks, they still have to authenticate to whatever application gets opened up. So, for a sniffer, this may not be very effective (at the worst case, it's no different than what you had before). But for a hacker across the net who wants to get at ssh, this effectively locks them out.
Neither. (Score:5, Insightful)
#2. Sniffing the port knocks - to do this, you would already have to have the upstream compromised or be on some shared network.
not bad (Score:5, Insightful)
Re:not bad (Score:5, Interesting)
And? It is still more secure. By using "port knocking" they HAVE to sniff out your network traffic and find the port combo. Without "port knocking" they just need to run nmap and see what ports they can try to attack.
A Question about packet sniffing (Score:3, Interesting)
Wouldn't he have had to hack a computer closer to his target in order to be successful?
Wouldn't the best option be to have some type of SecurID based password in order to access the port? Unless there is a bug or
Re:Promiscuous mode (Score:3, Informative)
Not if your network is using a wired switch to connect the hosts. By definition, you should only see broadcast and unicast to your IP, not the whole network. This could be more of an issue if you are using a shared network link 10base2 or 802.11.
Re:Promiscuous mode (Score:5, Informative)
Essentially, with a little judicious arp spoofing and a flood or two, the switch can be confused into just "making sure" the packets get to the right destination by broadcasting like a hub when it would normally be switching.
Re:not bad (Score:5, Informative)
Hence, weather or not it is secure, is all a matter of opinion. Personally, I think if you can't run SSH out in the open, you shouldn't run it thru an obscurity filter.
We have no SSH configured on our outside network. Not with OTP, not from only allowed IP's. Not from only a specific port. Not with KnownHosts only. Not with known RSA keys only.
You want on, you've gotta be in the building. It'd be nice to fix problems while remote, but it's just not an option because of the security problems it presents. I live within a mile of the building, specifically so not having remote access isn't a big deal. I can go from sleeping in bed, to in the building in less then 10 minutes. It's a pain for small problems. However, it's small issue in comparison to dealing with a full blown network breakin due to SSH.
On occasion, I believe we have had someone local build an SSH tunnel that we can VPN thru onto our network. However, someone who already had access had to initiate the connection by hand with the correct IP. That's only allowed if we voice authenticate from you.
Kirby
Re:not bad (Score:4, Interesting)
In a way it does. It firsts asks for a username, and then a password. If one of them is incorrect, you don't get access. But SSH doesn't tell you which one was incorrect.
Port knocking is very similar (but not exactly the same). You need to have both keys (port combination) and login info in order to get access.
The difference is, without the port combinations, you can't tell if the service is up, or your port combination is wrong.
Re:not bad (Score:5, Insightful)
Open ports per se are not insecure!
The whole point behind port knocking is the wrong impression that "open" ports are more insecure than "closed" ports. This is totally bogus.
It's about the applications behind the open ports, and it's not more complicated to write code which listens to a specific port and drops the connection if it doesn't recieve some secret number as the only payload of the first packet, than it is to write the kernel tcp/ip stack.
That brings me to another mantra
Kernel code is not intrinsically more secure than application level code!.
There are many examples for buggy and overflowing tcp/ip stacks (ping-o-death comes to mind if you're somewhat older).
Re:not bad (Score:5, Insightful)
No it isn't. A closed port does not accept any data, therefore you cannot attack the application "behind it". A port that is open is only as secure as the application listening on that port, which AT BEST is as secure as a closed port, assuming the listening service is absolutely perfect, and has no flaws whatsoever.
There does seem to be some confusion as to what it means for a port to be "closed", judging from most of the posts I've seen so far. You can close a port, but send "connection denied" replies to anyone trying to connect. This makes the port itself safe, but tells the attacker that there is in fact a machine there on the network (which could be a reason for an attacker to continue to probe and/or attack you in other ways). You can also close the port by not responding to anything directed at it at all. If *all* of your ports are like this, an attacker won't even know if your machine is turned on or off, or if there's even a machine there at all. In a way, you've become invisible. Ideally, that's what you want. Port knocking is simply a way to allow your machine to be invisible while still being able to initiate connections to it from arbitrary IPs.
Re:not bad (Score:4, Informative)
Re:not bad (Score:5, Funny)
This reminds me of a cgi driven website I visited a loooong time ago (1996?)
I was creating a user account, and was using the password "beelzebub". However, the system refused to let me create the account. It displayed a page which stated "That password is invalid: It is being used by another user. Please select a unique password."
Apparently, some genius thought it was good security to ensure that no two users had the same password. I hope you can see the intrinsic flaw in this :-)
Services listen on ports. (Score:5, Insightful)
If the port is closed, then it is impossible to attack that service through that port.
This process closes those ports.
Re:not bad (Score:5, Interesting)
The "knocking ports" could also be configured that if there are random hits to the standard port without the proper knock, the system could lock down for 30 seconds and even ignore the proper knock so that if somebody's trying to brute force all the possible knocks, they'll never get feedback when they have the right one.
Yeah, this is no substitute for properly securing the original service, but it's an extra layer that means there's even more that needs to be captured for a successful hack...
Not good (Score:5, Insightful)
That would just create a new variant to DOS attacks. Instead of taking you offline, they just persistantly knock on random ports, thereby disabling your ability to communicate with trusted sources.
Re:Not good (Score:5, Informative)
So how does this cause a DoS?
The ports being knocked are closed. This means that the server can never veify the the knocks coming from 192.168.0.3 are really coming from there, or if they're coming from 192.168.0.2.
If the server is
Re:not bad (Score:5, Interesting)
Re "brute forcing"... the number of possible knocks is (ports used for knocking) ** (ports in knock sequence). Yes, that's exponentiation.
In fact, I'd suggest making the knock sequence much longer then in the article; ten might be good. Then, if you allocate 100 ports to the knocked and randomly select a 10 port sequence for the knocking, you get 100 ** 10 possible knocks, or 100,000,000,000,000,000,000 (100 sextillion) possible knocks.
With just a few more ports in the sequence and just a modest investment in ports, you can make brute forcing impossible.
(And if you mix up the ports so they aren't sequential and the attacker has to guess THOSE ports, it goes to approx. (2**16)**(number of knock), so for a 10-port sequence on potentially all TCP ports it's 1,461,501,637,330,902,918,203,684,832,716,283,019
(I love posting big numbers on Slashdot.)
You need to worry about sniffers way more then brute forcers. (And as this is another layer of security, hopefully on top of an already fairly secure protocol like SSH, it's a good thing; now the 'man in the middle' has to have advanced knowlege to even know there's something to get into the middle of!)
Re:not bad (Score:4, Insightful)
And this number is only relevant if the attempted cracker knows your knock sequence is exactly 10 ports long. Add or subtract a couple steps from the sequence, and the number of possibilities increases factorially.
Old Idea, Different Use (Score:5, Informative)
not so shady... (Score:5, Interesting)
iptables -N ${SSH_TABLE}
iptables -Z ${SSH_TABLE}
iptables -A ${SSH_TABLE} -m state --state NEW -m limit --limit 2/minute --limit-
burst 2 -j DROP
iptables -A ${SSH_TABLE} -m state --state NEW -m limit --limit 7/hour --limit-bu
rst 7 -j DROP
iptables -A ${SSH_TABLE} -m state --state NEW -m limit --limit 10/day --limit-bu
rst 10 -j ACCEPT
iptables -A ${SSH_TABLE} -j DROP
well, I thought it was cool...
Re:not bad (Score:3, Informative)
But I don't think the intent is to prevent people sofisticated enough to actually sniff packets from being able to enter the network, but simply stop script kiddies and worms that are rather mindless in their attacks. I am not aware of any worms that would be able to sniff packets and actually interpret what is happening.
Re:not bad (Score:3, Interesting)
No, if you were "super paranoid" you'd have two identical one-time pads, one residing on the computer to be accessed, one in the hands of a single person trying to connect.
Every minute, the computer would consult its copy of the pad to determine what that minute's secret knock sequence would be.
The person connecting would look up in his copy of the pad that minute's sequence. You'd need to synchronize both part
Re:not bad (Score:5, Interesting)
Hmm, lots of people have pointed this out, but it's easy to set up a system of one-time passwords... provided it's done in a cryptographically secure way, there's little point in sniffing for combinations.
Of course, you can still sniff to see what ports are actually in use...
Re:not bad (Score:3, Informative)
Re:not bad (Score:3, Funny)
My idea (Score:5, Interesting)
Beavis? (Score:3, Funny)
Probably...
Easy enough... (Score:5, Insightful)
Sniffing.
Worse? (Score:4, Interesting)
Knock knock... who's there? (Score:5, Funny)
Who's there?
Usher.
Usher who?
Usher wish I could SSH to your server!
Sorry...
One-time port knocking? (Score:3, Interesting)
Before you complain about "Obscurity" (Score:5, Insightful)
An analogy would be a military base with a ten-foot-thick steel blast door. This is like having a door that teleports around at random, which can only be frozen in one spot by speaking some magic word. Even if you know the word, you still don't have the key to the door. But if you do have the key, you still can't get in without the magic word because the door keeps teleporting around.
Obscurity is great, if it is part of a layered security policy which is ultimately based on strong cryptography. This is a really cool idea!
Re:Before you complain about "Obscurity" (Score:3, Funny)
Obscurity IS Security (Score:5, Insightful)
If you have a security system for a public interface (the front door to your house, a computer port, etc...) that does not rely on obscurity you have a system better than any theoretical system anyone has ever thought of. (Biometrics don't count - they are just another piece of information that you have that someone else probably doesn't. That's obscurity.)
Re:Obscurity IS Security (Score:5, Insightful)
Most security is based on secrets of one kind or another---that doesn't make it "obscurity."
Re:Obscurity IS Security (Score:5, Insightful)
So this just makes part of the protocol secret, and one of our assumptions about security protocols is that the protocols are known.
Yes, it's an interesting and reasonably clever little hack (it is not, however, new), it does tend to hide some information (e.g. that the ports are even open) but if you're going to make the port look closed, anyhow, why not just listen on that port for something that would cause the service to "wake up"? I guess they thought it seemed a bit more clever the other way, who knows?
Old stuff (Score:5, Funny)
Equivalent to a password (Score:4, Interesting)
Ideally, the implementation will only consider connection attempts originating from the same IP address.
Re:Equivalent to a password (Score:5, Interesting)
This seems much better than a password, I would think (Though I certainly would still use a password as well).
As an analogy, if you want to get into a house, and find a locked door, you have a few options... You can try one of those M x N position key blanks, which will take a very very long time (exhaustive search). You can try to pick it (exploit a weakness in the password algorithm). You can try to get ahold of a copy of the real key (packet sniffing, "shoulder surfing", etc). But you have no doubt that somewhere, a key exists that will open that door.
Now compare that to a solid block of concrete, roughly the size of a house. What does it do? Do helicopters land on it? Does it cover something, or hold something down? Does it have something sealed inside it? You'd never suspect that that, if you utter the magic phrase "Sim sala bim bamba sala do saladim", a door will appear in the side of this large concrete block, allowing those with a key to gain entrance.
The main difference involves knowing whether or not a way in exists. With just a passworded port, an attacker knows that enough effort will pay off. Adding in port knocking, that attacker doesn't know whether or not their hard work can ever gain them entrance, since a port might well not exist.
Now, in my opinion, the more interesting question here involves how to hide this from one's ISP (ie, make it snoop-proof).
I see an easy way (Score:4, Insightful)
This is still an interesting idea and definitely has at least a few places in which it would be an effective authentication mechanism.
Re:I see an easy way (Score:3, Informative)
And if you track the source IP it is trivial to only allow connections from that IP to the server.
easy way to secure (Score:4, Informative)
Re:I see an easy way (Score:3, Informative)
And the packet sniffer wouldn't be required at all if the port was just open to everyone all the time.
Slashdotted? (Score:5, Funny)
Is the site slashdotted...
...or do I have to knock my way in?
Silent Bob (Score:5, Informative)
The idea was that you didn't want to disclose that you were running a Freenet node unless the person connecting to you already knew your node's public key.
So when someone wants to establish a connection to you, they must send some encrypted data providing they know your public key. Your node can receive this data and only respond if it is correct. Furthermore, you could let your Freenet node sit on port 25, for example, and forward invalid connection attempts to a mail server on a different port.
Through this mechanism, your Freenet node could quite effectively hide behind another server, only making itself known to those already part of the Freenet network.
IIRC this wasn't actually implemented in Freenet, but it is the intention to add it at some point. Still, it is amazing how many ideas were pioneered by Freenet years ago and are only showing up in the wider public conciousness now.
NOT security through obscurity (Score:5, Interesting)
Also, this is only a defense against port-scanning. Even if someone did manage to break the knocking sequence, they would still have to use some kind of exploit against the machine on the port they discovered.
Possible problems (Score:5, Interesting)
Re:Possible problems (Score:3, Interesting)
Great for SSH (Score:3, Interesting)
OpenSSH is a great peice of sodtware - but it's so huge that I can't help but think that their could be flaws in it (like the one of 6 months ago)
I would love to layer another peice of security infront of OpenSSH and this seems like a great idea.
Reverse-knock (Score:5, Interesting)
Implementations? (Score:3, Interesting)
Of course, this won't take off unless there's also knocking support built into the clients (like ssh).
Security through obscurity (Score:5, Insightful)
The most obvious way to break into a system like this is to compromise a nearby machine first and install a packet sniffer. Once you can see the traffic to the host running this port knocking system, it would be easy to discover the pattern. In fact, port knocking is less secure than a lot of other nonstandard authentication mechanisms because you could figure out the secret simply by looking at packet headers (since they contain the port numbers).
The other problem I see with this system is that it requires users to either memorize the secret knock, or use a program that automatically knocks for them. Since most people have a hard time even remembering all of their usernames and passwords, you'd see a lot of people writing down the knock, sending it via email, or writing scripts to knock for them. Dozens of opportunities to a hacker, especially one skilled in social engineering [amazon.com], to figure out the knock.
Re:Security through obscurity (Score:3, Insightful)
The vast majority of s'kiddies will just scan 22, see there's nothing there, and move on to the next host. There will _always_ be far easier targets for them to attack. Why waste their time trying to guess my knock?
hmm... (Score:5, Interesting)
This definitely is security through obscurity and perhaps would work in the same way as a car alarm. There's lots more systems out there that are easier to break into, and if someone does try, just hope that they get fed up and moves on to the next one.
If you've gone this far, why not do something like they do on radio. Open up severable ports at the same time and multiplex your signal over several of them while sending noise over the ununsed ports randomly switching between ports using a syncronized random selector.
go a step further (Score:5, Interesting)
IE, secureID says sequence is "1234 1441 1114 5123", you knock on the first three, and 5123 is the ssh port activated for you only.
Slashdotted (Score:4, Funny)
Thanks.
Knock Knock Honey Pot (Score:5, Interesting)
Christ people! (Score:5, Informative)
I thought of this 2 years ago (Score:4, Interesting)
In my version of "port knocking", everything was going to be controled via ICMP echo packets.. aka "ping".
A single Ping packet can contain arbitrary data of an arbitrary length less than 64k. Through a config file, the system admin could define ping sequences using time, data, and/or packet size, along with a specified script to execute on each successful reception of the ping sequence.
Then, remotely, people who know the ping sequences could use almost any available ping utility on any machine to open remote ports, etc.
The concept of executing a script, rather than opening or closing ports, allows for more flexibility. Not only can the admin open and close ports via scripts, but could do other useful things.
Negative knocking (Score:4, Informative)
This was discussed extensively... (Score:4, Informative)
Anyway, one of the biggest problems is failure rate. If that "secret knock" fails unless you correctly use the appropriate sequence of knocks, then anyone malicious can implement a trivial denial-of-service attack just by constantly hitting random ports, preventing any knock completion.
Alternatively, if you ignore non-knockable ports, or ports that aren't part of the knock, then you've dramatically whittled down the strength of your virtual password, and made it that much easier to brute-force.
Perhaps this would deter some of the lowest levels of sk|21p7 |<1dd13z from getting in, but that would be true only for about two weeks, whereupon new toyz are released that automate these attacks, and you've given the black hats one more weapon (DoS through spoofed noise packets) in the meantime.
I guess if you really, really wanted to do this, you could have a single accessible port that would listen for access, and then receive an encrypted key that determines which other port your server opens for a possible connection. But basically all you're doing then is adding on another layer of password protection, whose effect will be circumvented when somebody finally decides it's annoying to have to login twice or enter multiple passwords, and sets them both to the same thing, on auto-login, then leaves his laptop sitting around for three minutes. And you've still not fixed the sniffing problem. There are bigger security soft spots to be addressed than trivially hiding access to your ssh port.
freq. hopping analogy- (Score:5, Interesting)
Two radios synchronize, based on a key, and both change frequency every so many milliseconds. If you don't know the key, you can't send or receive to either of them.
I would like to see this extended to a port-hopping system for all ports and services. Sure -- it will burn some clock cycles, but I like the approach.
- Sam
http://www.iamsam.com
Already used by backdoor (Score:3, Informative)
Order, delivery of packets is not guaranteed (Score:4, Insightful)
This system is going to be unreliable. No way around it. A single dropped packet and you have to try all over again. If you're really paranoid, like some have proposed, and disable the "knock monitor" temporarily if someone tries to connect unsuccessfully, it will also be horribly slow.
If you use it on a LAN, maybe the net will be reliable enough, but then you have to worry about sniffers...
TCP/IP problems with this method. (Score:5, Informative)
The problem is of course that since no connection is being established, there's no guaranteed delivery of packets, and no guaranteed delivery of packets in the order they were sent. This could be very problematic across network connections that drop packets, and provide you no feedback as to why you can't open your connection. If only 10 % of my packets get dropped, and I require 10 "knocks", I only have
Is there a clever way to solve this problem, or is the reliability of it tied to a low amount of packet loss on a network?
It's _not_ just another password... (Score:5, Interesting)
Stop complainin about "security through obscurity" (Score:5, Insightful)
This is just a way of encoding some bit transfer in the IP protocol instead of in the beginning of whatever protocol you're using after the connection. You could also use it to send cryptographic credentials which could be as secure as any other protocol (plus some extra security by obscurity). The only problem with that is that you need a way to send back information via TCP (because most good authentication protocols are two-way), but I think you need that anyway in order to serialize your knocks.
All the time the same arguments (Score:5, Interesting)
Since some still don't understand its use, i'll be speaking metaphorical:
Assume you need to have a special key to open a certain otherwise secure door. OpenSSH might be that door and your passphrase and your certificate are the key.
An attacker can still forge the key or attack the lock with a different approach, picking etc. - comparable to "social engineering" to get the password, brute forcing or exploits.
And that port knocking sequence now effectively hides the lock, leaving an attacker without a first approach to pick or break the lock. It just adds another layer of security. You just don't know where to start your attack. You can't use exploits, you can't try brute force - nothing, heck you don't even know what type of daemon your target is.
A clean stainless steel door with a covert RFID-detector one square inch in size, hidden somewhere, sure as hell beats the same door with a clearly visible lock. You still need to pick the lock, but you can't poke your lockpicking tools into solid steel and you can't crack something you cannot discern.
--- Still one addition to say: having a machine connected to the internet with no ports open makes you a prime suspect for the port knocking scheme.
A good stealth scheme may be implemented, so a potential attacker (excuse for this metaphor again) does not even see the door (or the building, for that matter).
gettyps (Score:4, Informative)
Kris Gleason implemented a similar scheme in his gettyps code back in the 90s (it still available and in most distributions). For the "knock" one would dial into a modem (or any serial port) and let it ring a specified number of times. If the right number of rings was received before disconnect, gettyps would allow the next call to connect.
Michael. [michael-forman.com]
I did this about 5 years ago (Score:5, Interesting)
I did this about 5 years ago. But my method was a bit different. Instead of using port numbers to contain the information (and that's all it really is, is just information), I sent a single UDP packet, with a source port of 53 (so it looks like a DNS answer), formatted like a DNS answer, that contained the information in the DNS answer data. Then it opened the SSH filter for that IP address to come in (I did it for 5 minutes, not 10 seconds). It still had to fully authenticate via SSH, so even if someone sniffed my DNS packet and tried to fake it, they could at most have a locked door to jiggle the handle on. Next time I do this, it will be to generate an MD5 checksum from the client IP and a secret salt, and send that as an IPv6 address in the packet. Then it can't even be faked from some other IP address.
Counter Proposal: Port Traps (Score:5, Interesting)
What if I turn this whole thing around and install fake services on a number of ports?
For example, whenever you make a connection to a port between 1025 and 2048 on my system, you're greeted with "OpenSSH ...", and prompted to authenticate. But only behind one among those 1024 ports is the real SSH. On any other port, the fake service takes the username and password you've entered, wait a few seconds (just idling around), and tell you "Authentication failed". If you try too often to connect to faked services, you're put on the black list to avoid DOS, of course.
Why not use a listening socket on UDP+encryption? (Score:4, Interesting)
It really is nothing more than a password to get access to the front gate... When somebody eavesdrops (sniffing), they will know the passwords, thus get access to the gate. They can sucessfully detect the knocking sequence because it is followed by a successfull ssh connection (duh!).
The password is this 'secret sequence' in this 'port knocking'. Why not just use a daemon that listens on a UDP socket for a packet with an encrypted password in its payload? The payload could even be an RSA-signed and/or encrypted request (that includes a timestamp). That would be unscannable too, because UDP is connectionless, and be a lot more secure because of the real encryption/protection of the request data (the server can verify the identity of the sender of the request from the RSA signature, and can deny the request if one was made earlier with the same time stamp, twarting even sniffing of the UDP packet).
Except for not having the ssh daemon 'connected' to the internet at all times and thus evading many port-scanning worms/scripts, this port knocking is nothing more than just some security through obscurity: At best it will delay the attacker somewhat, but probably not at all while giving the user a false sense of being secured.
encoding for noise rejection (Score:5, Interesting)
It adds security to any existing methods (passwords, etc.).
It can be implemented behind a firewall that doesn't even respond on any port probes, so an attacker can't even tell if the firewall was just unplugged.
If the firewall stays closed, the protocol can't be used by an exploited machine, unless a method for exploiting the firewall is also known.
Or the method can be implemented in user space of a machine behind a completely closed firewall, just by pre-arranging for the logging of firewall port probes, and the forwarding of appropriately filtered contents of the firewall logs into user space.
They key sequence can also be made long enough to make it just as hard to crack as a long pgp private key, e.g. nobody except (3 letter agency) and distributed.net will even bother to try.
The sequence key can be from a one-time pad, meaning that even if the protocol is completely revealed to a local sniffer, they'll just end up with a useless password.
And lastly, it's possible to additionally encode the key sequence with a modulation wrapper and enough redundancy to withstand a given signal to noise ratio and mis-sequencing rate, which means one could even make the sequence key usable in the face of probing or an outright DoS attack against the protocol up to a certain attack bandwidth and knowledge of which ports might be in the sequence.
Where's my coding textbook and patent attorney...
security through obscurity? no sorry (Score:5, Informative)
http://www.portknocking.org/view/about/obscurity [portknocking.org]
It does a much better job of explaining this than anything yet posted here.
Re:Password (Score:5, Insightful)
Except it hides that the port is open at all, which is useful.
Re:Invasive Security (Score:4, Informative)
Not the point (Score:5, Insightful)
You are very much missing the point. Yes, security through obscurity is terrible when it is the only security method you use. However, it can be used to augment a better security system. Even if somebody figured out the secret knock, they would still have to get past your sshd. And if an sshd exploit was found, your secret knock might give you enough time to patch the system before it could be exploited. More security is always a good thing.
Disbelief in security through obscurity doesn't mean you have to paint a bull's eye on your head and dare people to attack you.
Re:Brute Force (Score:5, Informative)
Assuming a 5 'letter' password, you have (2^16 - 1024)^5 possible passwords, which is 1.1 X 10^24. Assuming both the server and the attacker are on fat pipes and the server is implemented in a dumb way so that it doesn't recognize brute-force attempts, you could pull off perhaps 100 attempts per second. So it would take you about 10^22 seconds, or 350 trillion years.
In security, I think this technique is comparable to a reasonably strong plaintext password. It can be sniffed, but it can't really be brute-forced.
Today's show was brought to you by Google Calculator.
Re:Oh, really. (Score:4, Funny)
Re:Oh, really. (Score:3, Informative)
Plus, thing about it this way:
* someone notices an SSH connection
* someone portscans, notices port 22 is closed
* someone thinks, "hm, there was that
* someone waits around for you to re-connect, and watches what closed ports you connect to
See? that easy.
Re:Oh, really. (Score:4, Insightful)
You can then hide any service that is not to be known from the public (SMTP, POP, SSH, TELNET, whatever...) thus removing the probability that any exploit for these may be exploited: The hacker on the other end doesn't even know the service is running!