Comments on That grumpy BSD guy: Why Not Use Port Knocking?
Blog by Peter N. M. Hansteen. Comment feed last updated 2024-03-07; 21 comments, newest first.

inf3rno (2020-04-18 12:47):
I think you misunderstand the whole concept. As far as I can tell port knocking protects you from port scanning. You don't need a dedicated daemon to implement it, but you already mentioned that. "Software can have bugs" is not a valid argument unless you are prepared to throw out the entire OS along with the hardware, because both can contain bugs.

零石 (2017-07-17 01:50):
Just a note -- one port number is *approximately* two ASCII characters or, again, *approximately* one Unicode character. This is due, first, to the unused regions in pure ASCII and Unicode, second, the ports that will probably not be used, and, third, the fact that Unicode code points now actually have a range larger than 65536.

(And the interesting thing is that, putting it all together, the comparison is relatively close, if you say "approximately".)

Thanks for the post. I need to look at authpf.

est (2017-02-21 14:39):
I use ping packet length + times to knock ports.

E.g. PING with 67 bytes 3 times, pause for at least 2 seconds, PING with 121 bytes 2 times, and now the port is open.

The door keeper script is about 200 LOC of Python without any library requirements.

The PF trick is neat, though, thanks!

p0ok (2016-12-04 14:34):
"Port knocking examples generally do not run to more than three packets"

Right, and that sucks. It's not enough -- everyone agrees on that.

Which is why my own combination is over 20 packets.

Anonymous (2015-09-16 19:08):
Since port-knocking is just security through obscurity, another method is to change the OpenSSH algorithms, such as adding a few extra rounds to whatever cipher and replicating that on the server. Now you have a 'secret protocol' that only your modified client ssh software can negotiate with.

Anonymous (2015-02-24 12:42):
Great reasons why not to use port knocking. But how would a port knocking solution using SMS and smartcards perform? So:

1) Mobile phone connected to server
2) You send a "hello" SMS to the server phone
3) Server phone replies with a number
4) You type this number into your smartcard reader and encode it with your PIN.
5) You send the result from your smartcard reader to the server phone.
6) The server phone verifies the encoded number.
7) If OK, ports are closed or opened.

Anonymous (2014-09-11 18:50):
You can just use xtables (http://sysadm.pp.ua/linux/xtables-addons.html) or these instructions: http://sysadm.pp.ua/linux/iptables-antiscan.html

Anonymous (2014-09-10 04:42):
I'm considering using port knocking as an extra layer of protection. Remote users need to knock before regular authentication (i.e. knock, login, two factor...).

Another thing I am considering is using port knocking to whitelist IP addresses on a staging version of a website. Currently, if an IP has not been whitelisted to view staging.site.com they are served a blank page and an email is sent to an admin, who then follows a link which adds their IP. With knocking, users can simply knock and then their IP will be added. This can be automatically time-limited.

As an *extra* tool, I can't see anything wrong with port knocking.

Anonymous (2013-10-02 18:13):
The maintenance of tracking keys is mentioned as a valuable tradeoff, but a single automated file is too much to maintain? This makes no sense.
Tarpitting is much more common than key-based logins because it serves multiple purposes BEFORE even getting to identification.

Anonymous (2012-04-17 20:04):
authpf has its uses, but it also has many of the same problems as running your "main" sshd on an open port, e.g. opening yourself to a bunch of writes to the logging disk, and high CPU use from people trying to connect (which also applies if you disable passwords and only allow public key authentication). The CPU use is especially "fun" when the processes are too short-lived to appear in top(1)'s display; you just see the high CPU% figures with no apparent cause.

This can be mitigated by blocking people who connect too often (either via rate-limiting firewall rules or denyhosts/sshguard/etc.), but that's equally acceptable for an authpf sshd as for the main sshd; the same reasons you might not want it for the main sshd apply here too.

Christian Bryn (2012-04-17 18:52):
I'd just like to point out that denyhosts works like Blockhosts (as pointed out by Robby): the blacklist is maintained by the system with automatic expiry of blocked hosts, i.e. (usually) no management :)

SJ, http://www.securitygeneration.com/ (2012-04-17 16:10):
Hi Peter,

Your article makes a few good points, but as some commenters above have already stated, you forget to mention that security as a whole should be looked at in terms of 'defence in depth'. Port Knocking shouldn't be looked at in isolation, but rather as an added layer of security (where it performs moderately well, despite many implementations being deeply flawed).

But my bigger gripe is that your article's focus on port knocking means that you're looking solely at an outdated and largely deprecated mechanism. Modern 'port knocking', which is more widely used today, is Single Packet Authorization (SPA). SPA doesn't suffer from many (if not all) of the drawbacks experienced in PK. No more weak sequences, no more out-of-order delivery, no more crypto issues or replay attacks.

In fact, SPA came out precisely because many of the points you made were being discussed and resolved. The ability to hide all services from external access is a huge benefit, meaning that, for the most part, you no longer have to worry about the security of individual services, or how strong your authentication credentials are, and instead ensure that the SPA daemon itself is secure enough to withstand exploitation.

If you and your readers are interested in a more in-depth comparison of PK/SPA, I'll direct you to a paper I wrote on the subject back in 2006: http://www.securitygeneration.com/single-packet-authorization/

Note that I don't develop any implementations of SPA myself, but if anyone wants to play around with one, I highly recommend the fwknop project (http://www.cipherdyne.com/fwknop), to which I've contributed, and which I think is the most advanced implementation available.

Anonymous (2012-04-13 22:48):
Port knocking is about lowering your profile. Bots scan IP ranges looking for zero-day vulnerable hosts. Port knocking elides the host from the list of hosts to attack. This sort of attacker cannot afford to attempt to brute-force any significant number of hosts; they're looking for vulnerable listeners.

Just a few days ago, non-NLA terminal servers had a zero-day remote hole appear out of the blue. This is what port knocking can, in limited cases, help defend against.

lbt (2012-04-13 15:15):
Security heterogeneity.

Port knocking per se is not a bad thing - it has drawbacks and it has a place.

I personally use rate-limited port knocking - if you knock, port 22 opens. If you try port 22 without knocking then you're locked out for a few minutes (i.e. even a correct knock fails).

Main benefit: cleaner sshd logs, which means that when I *do* see entries in sshd logs, they mean something.

Since port knocking has too many drawbacks to be widely implemented (and therefore isn't worth much effort on the part of the bad guys), and since I'm not a special target, it probably adds value for me.

Of course I otherwise configure sshd as if port knocking were not present.

Anonymous (2012-04-12 20:05):
http://www.mnxsolutions.com/security/two-factor-ssh-with-google-authenticator.html

Anonymous (2012-04-12 18:40):
There is an open source project called Taferno on sourceforge.net. It implements simple Two Factor Authentication along with dynamic firewall rule modification that effectively prevents/reduces brute-force attacks.
taferno.sourceforge.net

MattTheCat (2012-04-12 15:54):
I get the impression that the author has never actually implemented port knocking.
I found it incredibly simple.
To prevent any issues, knockd can be auto-restarted periodically using cron (if one worries about lock-ups that do not allow access).
I use a port knock program for Android that, after knocking, calls the ssh client....
When I have to reset a VM in my rack I just port knock from my Android and go straight to my own workstation, then tunnel to the virtual host and manage the client.

MattTheCat (2012-04-12 15:42):
I had to modify knockd (port knocking) to ignore repeated retries so it wouldn't invalidate the entire knock on a network-induced repeated port hit.
I also use longer sequences.
The flavor I like will open the target port (i.e. high sshd port) for 10 minutes.... (for new originating ssh clients, that is)... before changing the iptables back. It's just one extra layer of precaution.
It's nice since it will knock open from anywhere as long as I give the entire sequence.

Dietrich T. Schmitz (2012-04-12 14:13):
Good Lord.

You gloss over my recommendation of xtables-addons and use of the 'tarpit' module as if it has no bearing?

And then you have the temerity to say it is an ssh-only solution? Incorrect.

tarpit will operate on any listening port.

Honestly, I think you are the one who didn't read:
http://dev.medozas.de/files/xtables/xtables-addons.8.html

There's a bonanza of target features one can employ in iptables, not just tarpit. It includes port knocking, delude, chaos, port scan detection, geoip (block IP ranges by country). Here's a table of modules:
http://xtables-addons.sourceforge.net/modules.php

I think it's irresponsible of you not to mention the importance of this tool.

Here are the details of tarpit usage:

/**
TARPIT

Captures and holds incoming TCP connections using no local per-connection resources. Connections are accepted, but immediately switched to the persist state (0 byte window), in which the remote side stops sending data and asks to continue every 60-240 seconds. Attempts to close the connection are ignored, forcing the remote side to time out the connection in 12-24 minutes.

This offers similar functionality to LaBrea but does not require dedicated hardware or IPs. Any TCP port that you would normally DROP or REJECT can instead become a tarpit.

To tarpit connections to TCP port 80 destined for the current machine:

    -A INPUT -p tcp -m tcp --dport 80 -j TARPIT

To significantly slow down Code Red/Nimda-style scans of unused address space, forward unused IP addresses to a Linux box not acting as a router (e.g. "ip route 10.0.0.0 255.0.0.0 ip.of.linux.box" on a Cisco), enable IP forwarding on the Linux box, and add:

    -A FORWARD -p tcp -j TARPIT
    -A FORWARD -j DROP

NOTE: If you use the conntrack module while you are using TARPIT, you should also use the NOTRACK target, or the kernel will unnecessarily allocate resources for each TARPITted connection. To TARPIT incoming connections to the standard IRC port while using conntrack, you could:

    -t raw -A PREROUTING -p tcp --dport 6667 -j NOTRACK
    -A INPUT -p tcp --dport 6667 -j TARPIT
**/

Dietrich T. Schmitz
Linux Advocate, Human Being
https://dtschmitz.com

Robby (2012-04-12 09:02):
I've been using the excellent Blockhosts for a number of years now. It's not a port knocker per se but more in the vein of denyhosts. It has a few advantages like not being protocol-specific (it will handle those pesky POP and IMAP trawlers amongst others), and has configurable timing values. No management overhead, as blocked hosts are automatically expunged after a config'd period of time.

Chris Buechler (2012-04-12 03:36):
If the bulk of them actually worked that way, yeah, it would be nearly useless. The reality is there are numerous implementations that have some kind of crypto integration that's safe from replaying. And there are few that are as simple and dumb as just listening for a sequence of ports.

I'm not a fan of it in general, but I have seen situations where it could be useful for reasons other than security. For instance, my cable ISP will periodically port scan you from varying source IPs and will shut you down for a TOS violation if you have a port open ("that's a server!!1!"). In that scenario, if I needed a TCP service open on that connection, port knocking would be a good solution. And if it is one of the many solutions that's protected from replay attacks and not insecurely implemented, it can have security benefits. I'd argue you have far worse issues that should be addressed by something other than obscurity if your system can actually be compromised from crud like SSH brute-force attacks, though.
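The thread above keeps circling one distinction: a knock that is only a sequence of ports (est's timed pings, p0ok's 20-packet combination, lbt's rate-limited setup) versus a single authenticated packet of the kind SJ and Chris Buechler describe, which a sniffer cannot replay. The Python below is an added illustration written for this page; it is not code from the post, from any commenter, from knockd or from fwknop. It puts a minimal timed knock matcher next to a toy SPA check built from HMAC-SHA256, a timestamp and a nonce cache, and shows in demo() that the captured knock replays from another host an hour later while the captured SPA packet is refused. Everything here is assumed: the packet layout, the names KnockMatcher, spa_build and SpaVerifier, the 60-second freshness window, the 32-byte shared key and the sample addresses and timestamps.

```python
"""Toy port knocking vs. single packet authorization. Added illustration,
not the code of the post, knockd or fwknop; all parameters are assumed."""
import hashlib
import hmac
import secrets
import struct

KNOCK_SEQUENCE = (7000, 8000, 9000)   # constructed sample knock
KNOCK_WINDOW = 5.0                    # seconds allowed for the whole knock
SPA_WINDOW = 60                       # seconds of client/server clock skew tolerated
SPA_TAG_LEN = 16                      # truncated HMAC-SHA256 tag
SPA_HEADER = struct.Struct("!8sQ")    # client id (8 bytes) | unix time (8 bytes)


class KnockMatcher:
    """Classic port knocking: hit the ports in order within KNOCK_WINDOW seconds
    and the door opens. The knock carries no secret beyond the port numbers,
    so anyone who captured it once can replay it from anywhere."""

    def __init__(self, sequence=KNOCK_SEQUENCE, window=KNOCK_WINDOW):
        self.sequence = sequence
        self.window = window
        self.state = {}   # src_ip -> (index of next expected port, time of first hit)

    def observe(self, src_ip, dst_port, now):
        idx, started = self.state.get(src_ip, (0, now))
        if idx and now - started > self.window:   # knock took too long: start over
            idx, started = 0, now
        if dst_port != self.sequence[idx]:
            # A wrong port drops the state; a hit on the first port restarts the knock.
            if dst_port == self.sequence[0]:
                self.state[src_ip] = (1, now)
            else:
                self.state.pop(src_ip, None)
            return False
        idx += 1
        if idx == len(self.sequence):
            self.state.pop(src_ip, None)
            return True                             # sequence complete: open the port
        self.state[src_ip] = (idx, started)
        return False


def spa_build(key, client_id, request, now, nonce=None):
    """Client side: one payload, client_id|time|nonce|request|tag. The HMAC stops
    forgery, the timestamp stops long-term reuse, the nonce stops replay inside
    the window. (client_id is padded/truncated to 8 bytes.)"""
    nonce = secrets.token_bytes(16) if nonce is None else nonce
    body = SPA_HEADER.pack(client_id.encode().ljust(8, b"\0"), int(now)) + nonce + request.encode()
    return body + hmac.new(key, body, hashlib.sha256).digest()[:SPA_TAG_LEN]


class SpaVerifier:
    def __init__(self, keys, window=SPA_WINDOW):
        self.keys = keys        # client_id -> shared key
        self.window = window
        self.seen = {}          # nonce -> timestamp, the replay cache

    def verify(self, packet, now):
        """Return (True, request) or (False, reason). The MAC is checked before
        the cache is touched, so unauthenticated traffic cannot fill it."""
        if len(packet) < SPA_HEADER.size + 16 + SPA_TAG_LEN:
            return False, "short"
        body, tag = packet[:-SPA_TAG_LEN], packet[-SPA_TAG_LEN:]
        cid_raw, ts = SPA_HEADER.unpack(body[:SPA_HEADER.size])
        key = self.keys.get(cid_raw.rstrip(b"\0").decode("ascii", "replace"))
        if key is None:
            return False, "unknown client"
        expected = hmac.new(key, body, hashlib.sha256).digest()[:SPA_TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False, "bad mac"
        if abs(int(now) - ts) > self.window:
            return False, "stale"
        nonce = body[SPA_HEADER.size:SPA_HEADER.size + 16]
        cutoff = int(now) - self.window             # nonces this old fail "stale" anyway
        self.seen = {n: t for n, t in self.seen.items() if t >= cutoff}
        if nonce in self.seen:
            return False, "replay"
        self.seen[nonce] = ts
        return True, body[SPA_HEADER.size + 16:].decode()


def demo():
    """Constructed walk-through with made-up addresses and clock values."""
    km = KnockMatcher()
    sniffed = [(7000, 100.0), (8000, 100.5), (9000, 101.0)]
    legit = [km.observe("198.51.100.7", p, t) for p, t in sniffed][-1]
    replay = [km.observe("203.0.113.9", p, t + 3600) for p, t in sniffed][-1]
    key = bytes(range(32))                          # constructed shared key
    v = SpaVerifier({"alice": key})
    pkt = spa_build(key, "alice", "open tcp/22", now=1000)
    first = v.verify(pkt, now=1003)
    second = v.verify(pkt, now=1004)                # attacker resends the captured packet
    late = v.verify(spa_build(key, "alice", "open tcp/22", now=1000), now=1200)
    return legit, replay, first, second, late


if __name__ == "__main__":
    print(demo())
```

The point of the pairing is the order of checks in SpaVerifier.verify: MAC first, then freshness, then the nonce cache, so an attacker with a packet capture gets "replay" and an attacker without the key gets "bad mac" while the cache only ever grows by one entry per authentic packet per window. fwknop's actual wire format (encrypted payload plus HMAC, with a digest cache for replay detection) is more elaborate than this sketch, and this code makes no claim to reproduce it.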