Slashdot Mirror

← Back to Stories (view on slashdot.org)

"Port Knocking" For Added Security

Posted by CmdrTaco on from the thats-a-crazy-idea dept.

Jeff writes "The process of Port Knocking is a way to allow only people who know the "secret knock" access to a certain port on a system. For example, if I wanted to connect via SSH to a server, I could build a backdoor on the server that does not directly listen on port 22 (or any port for that matter) until it detects connection attempts to closed ports 1026,1027,1029,1034,1026,1044 and 1035 in that sequence within 5 seconds, then listens on port 22 for a connection within 10 seconds. The web site explains it in some detail, and there is even an experimental perl implementation of it that is available for download. I can't think of any easy ways you could get around a system using this security method - let alone even know that a system is implementing it. Another article on port knocking is here."

29 of 950 comments (clear)

  1. Well, there go the logfiles by djh101010 · · Score: 3, Insightful

    Something tells me I'm going to be seeing a lot bigger firewall logs in the future, as this catches on.

    1. Re:Well, there go the logfiles by jlaxson · · Score: 3, Insightful

      sniff the port knocks

      I Disagree. If someone sniffs the knocks, they still have to authenticate to whatever application gets opened up. So, for a sniffer, this may not be very effective (at the worst case, it's no different than what you had before). But for a hacker across the net who wants to get at ssh, this effectively locks them out.

      --
      On Apple Input Peripherals: They're okay, I guess, but I was really hoping for a one-key keyboard and a 109-button mouse
    2. Re:Well, there go the logfiles by Esion+Modnar · · Score: 4, Insightful
      Actually, I think this article has been one of the most "nerd-worthy" postings on Slashdot in quite a while...

      And yes, one the most annoying things about sitting behind a NAT is only being able to forward a port to a single host at a time. This would be great if "port knocking" could solve this, though in a very Rube Goldberg fashion.

      --

      They say the first thing to go is your penis. Well, it's either that or your brain. I forget which...
    3. Re:Well, there go the logfiles by 3.1415926535 · · Score: 4, Insightful

      How about, "Yeah, NAT breaks stuff, let's fix it" instead?

    4. Re:Well, there go the logfiles by Smidge204 · · Score: 4, Insightful

      Or other problems to be seen, also now hackers won't just port scan me, they'll port scan me a trillion times, trying to find the right combination to open my ports.

      And what stops them from brute-forcing regular password protected access on a known port?

      1) You don't know how many ports are in the knock sequence
      2) You don't know that the range is
      3) You don't know what port will open when you get it right

      Similar to a password, only instead of base 94 (a-z,A-Z,0-9`~-_=+\][|}{';":/.,?>million trillion trillion trials to crack. Then you have to do one more scan to figure out which port actually opened after each trial and hope no other service opened a port for some unrelated reason.

      I'm thinking it's a tad more secure than password authentication alone... and you can always throw password auth in after the client connects, so you can throw in a few false-positives (bogus logins) to keep them busy.

      And a five second window to transmit the sequence is pretty generous. If you wanted to harden it even more against brute forcing, you could require a full 5 second wait and accept all connection attempts from a particular host. That would limit an attacker to 20 attempts per minute max. So it'll take the better part of 32 billion trillion years to crack it.

      At that point, you can consider the end of the universe as "The ultimate connection timeout"
      =Smidge=

    5. Re:Well, there go the logfiles by gnu-generation-one · · Score: 3, Insightful

      "I dind't say it wouldn't be secure, I said it would be irritating for me as the admin, when people tried to crack it."

      It should give you less irritation as an admin, when portscans reveal that every port on your computer is closed, and they go find another target, wondering why you bothered buying a firewall if you seemingly haven't configured it to accept connections.

      A recent nanog (was it nanog?) flamewar mentioned that people ran their servers on non-standard ports and they considered it really secure. Why? Because the viruses only scan one port, and choosing a different one gives you a lot of time to take stock when a vulnerability/virus pair is announced.

      It's obscurity (as a first layer of defence), but it means that an "nmap * -p 22" won't find your server, and anyone running the full scan of 64K ports over the internet is making themselves a lot more visible, and a lot slower.

  2. not bad by maelstrom · · Score: 5, Insightful

    But it does seem like a layer of obscurity to what should otherwise be a secure port. What if someone is sniffing your network? Unlike an encrypted password, they could easily replay this sequence and gain access to your "hidden" port.

    --
    The more you know, the less you understand.
    1. Re:not bad by platypus · · Score: 4, Insightful

      Ok, let me rephrase what I wrote in another message.

      Open ports per se are not insecure!

      The whole point behind port knocking is the wrong impression that "open" ports are more insecure than "closed" ports. This is totally bogus.
      It's about the applications behind the open ports, and it's not more complicated to write code which listens to a specific port and drops the connection if it doesn't recieve some secret number as the only payload of the first packet, than it is to write the kernel tcp/ip stack.

      That brings me to another mantra

      Kernel code is not intrinsically more secure than application level code!.

      There are many examples for buggy and overflowing tcp/ip stacks (ping-o-death comes to mind if you're somewhat older).

    2. Re:not bad by h4x0r-3l337 · · Score: 5, Insightful
      The whole point behind port knocking is the wrong impression that "open" ports are more insecure than "closed" ports. This is totally bogus.

      No it isn't. A closed port does not accept any data, therefore you cannot attack the application "behind it". A port that is open is only as secure as the application listening on that port, which AT BEST is as secure as a closed port, assuming the listening service is absolutely perfect, and has no flaws whatsoever.

      There does seem to be some confusion as to what it means for a port to be "closed", judging from most of the posts I've seen so far. You can close a port, but send "connection denied" replies to anyone trying to connect. This makes the port itself safe, but tells the attacker that there is in fact a machine there on the network (which could be a reason for an attacker to continue to probe and/or attack you in other ways). You can also close the port by not responding to anything directed at it at all. If *all* of your ports are like this, an attacker won't even know if your machine is turned on or off, or if there's even a machine there at all. In a way, you've become invisible. Ideally, that's what you want. Port knocking is simply a way to allow your machine to be invisible while still being able to initiate connections to it from arbitrary IPs.

    3. Re:not bad by poot_rootbeer · · Score: 3, Insightful

      In fact, I'd suggest making the knock sequence much longer then in the article; ten might be good. Then, if you allocate 100 ports to the knocked and randomly select a 10 port sequence for the knocking, you get 100 ** 10 possible knocks, or 100,000,000,000,000,000,000 (100 sextillion) possible knocks.

      And this number is only relevant if the attempted cracker knows your knock sequence is exactly 10 ports long. Add or subtract a couple steps from the sequence, and the number of possibilities increases factorially.

  3. Easy enough... by wishus · · Score: 4, Insightful

    I can't think of any easy ways you could get around a system using this security method - let alone even know that a system is implimenting it.

    Sniffing.

  4. Before you complain about "Obscurity" by pclminion · · Score: 5, Insightful
    This adds a layer of obscurity to a security policy. It can't substitute for security, but it certainly can help.

    An analogy would be a military base with a ten-foot-thick steel blast door. This is like having a door that teleports around at random, which can only be frozen in one spot by speaking some magic word. Even if you know the word, you still don't have the key to the door. But if you do have the key, you still can't get in without the magic word because the door keeps teleporting around.

    Obscurity is great, if it is part of a layered security policy which is ultimately based on strong cryptography. This is a really cool idea!

  5. I see an easy way by Apreche · · Score: 4, Insightful

    There is an easy way around it. The problem is you will make yourself very obvious. Simply pick a time at which the server in question is in high use. Hammer the port. Eventually someone will knock on the door opening it for 10 seconds and you put your foot in the door before they do. The other way is if you can get a packet sniffer simply look at the packets that came before and determine the secret knock.

    This is still an interesting idea and definitely has at least a few places in which it would be an effective authentication mechanism.

    --
    The GeekNights podcast is going strong. Listen!
  6. Re:Password by 26199 · · Score: 4, Insightful

    Except it hides that the port is open at all, which is useful.

  7. Not good by glpierce · · Score: 5, Insightful

    "The "knocking ports" could also be configured that if there are random hits to the standard port without the proper knock, the system could lock down for 30 seconds and even ignore the proper knock so that if somebody's trying to brute force all the possible knocks, they'll never get feedback when they have the right one."

    That would just create a new variant to DOS attacks. Instead of taking you offline, they just persistantly knock on random ports, thereby disabling your ability to communicate with trusted sources.

    --
    G
  8. Security through obscurity by Dominic_Mazzoni · · Score: 5, Insightful

    As everyone else is saying, this is just security by obscurity. That doesn't mean that you shouldn't use it, because it probably would help a lot in keeping out script kiddies and casual hackers. But the flip side, as always, is that you're giving yourself and your users a false sense of security when you pretend that measures like this will actually prevent motivated hackers from getting past it.

    The most obvious way to break into a system like this is to compromise a nearby machine first and install a packet sniffer. Once you can see the traffic to the host running this port knocking system, it would be easy to discover the pattern. In fact, port knocking is less secure than a lot of other nonstandard authentication mechanisms because you could figure out the secret simply by looking at packet headers (since they contain the port numbers).

    The other problem I see with this system is that it requires users to either memorize the secret knock, or use a program that automatically knocks for them. Since most people have a hard time even remembering all of their usernames and passwords, you'd see a lot of people writing down the knock, sending it via email, or writing scripts to knock for them. Dozens of opportunities to a hacker, especially one skilled in social engineering, to figure out the knock.

  9. Not the point by s20451 · · Score: 4, Insightful

    come on kids. Have we not learned our lessons? Even as a one time pad, this is lame

    You are very much missing the point. Yes, security through obscurity is terrible when it is the only security method you use. However, it can be used to augment a better security system. Even if somebody figured out the secret knock, they would still have to get past your sshd. And if an sshd exploit was found, your secret knock might give you enough time to patch the system before it could be exploited. More security is always a good thing.

    Disbelief in security through obscurity doesn't mean you have to paint a bull's eye on your head and dare people to attack you.

    --
    Toronto-area transit rider? Rate your ride.
  10. Obscurity IS Security by CedgeS · · Score: 5, Insightful

    There is only one form of security for a publicly accessible interface: obscurity. What is a password? It is a piece of information that you know that someone else doesn't - it is obscurity. The key to your house is something you have that someone else doesn't. If they knew the obscure details of your key they could make one. What is a private key, a key for SSH, a kerberos function? They are all information you know which (hopefully) a potential attacker doesn't. This is obscurity.

    If you have a security system for a public interface (the front door to your house, a computer port, etc...) that does not rely on obscurity you have a system better than any theoretical system anyone has ever thought of. (Biometrics don't count - they are just another piece of information that you have that someone else probably doesn't. That's obscurity.)

    1. Re:Obscurity IS Security by cheezit · · Score: 4, Insightful

      I think you are overreaching here. As far as I'm concerned, the phrase "security through obscurity" means obscurity of system design. If you don't tell anyone about your unprotected resource, that's security through obscurity. All I need to do is discover your resource.

      Most security is based on secrets of one kind or another---that doesn't make it "obscurity."

      --
      Premature optimization is the root of all evil
    2. Re:Obscurity IS Security by Xenographic · · Score: 4, Insightful

      We usually call such a thing a secret, not "obscurity" ... at least, when talking about a password.

      So this just makes part of the protocol secret, and one of our assumptions about security protocols is that the protocols are known.

      Yes, it's an interesting and reasonably clever little hack (it is not, however, new), it does tend to hide some information (e.g. that the ports are even open) but if you're going to make the port look closed, anyhow, why not just listen on that port for something that would cause the service to "wake up"? I guess they thought it seemed a bit more clever the other way, who knows?

    3. Re:Obscurity IS Security by mech_knight · · Score: 3, Insightful

      Actually, security from man-in-the-middle attacks is what cryptography is normally concerned with. Real security is achieved when transmitted information is still "unknowable" despite knowledge about the process of transmission.

      That's the whole point of public and private keys. Statistical impossibility of dechiphering the private key--not obscurity--is its goal.

      --
      "Size matters not. Look at me. Judge me by my size, do you?" --Yoda {whips out green light saber}
  11. Neither. by khasim · · Score: 4, Insightful

    #1. DoS attacks - how is this different from any other DoS attack?

    #2. Sniffing the port knocks - to do this, you would already have to have the upstream compromised or be on some shared network.

  12. Re:Open a whole range of ports by lactose99 · · Score: 4, Insightful

    That depends on the NAT gateway, as per the original poster. If the NAT gateway is dropping all packets that aren't part of a) valid incoming connections or b) a port knocking scheme, a portscan would reveal some or all of the ports utilized in the port knocking scheme. Ports that are closed but part of the knocking scheme would return a connection refused, while all the other (filtered) ports would simply be dropped.

    Granted, most anyone implementing this sort of security setup on their firewall would most likely think about this and either a) open an entire range of ports, only some of which would be used for port knocking (as a previous poster mentioned) or b) simply close everything at the NAT gateway and not drop any packets, thereby not revealing any detail regarding a port knocking scheme.

    I'm sure there are several other ways to deal with this at a NAT gateway, but they just aren't coming to mind at the moment.

    --
    Fully licensed blockchain psychiatrist
  13. Services listen on ports. by khasim · · Score: 4, Insightful

    It isn't the port. It's the service listening on that port.

    If the port is closed, then it is impossible to attack that service through that port.

    This process closes those ports.

  14. Order, delivery of packets is not guaranteed by Dr.+Manhattan · · Score: 3, Insightful
    Since the client gets no feedback on whether the packets made it, there's no way to check if it worked except to see if the "magic" port has been opened.

    This system is going to be unreliable. No way around it. A single dropped packet and you have to try all over again. If you're really paranoid, like some have proposed, and disable the "knock monitor" temporarily if someone tries to connect unsuccessfully, it will also be horribly slow.

    If you use it on a LAN, maybe the net will be reliable enough, but then you have to worry about sniffers...

    --
    PHEM - party like it's 1997-2003!
  15. Stop complainin about "security through obscurity" by Tom7 · · Score: 4, Insightful

    God damn, if I hear one more of you go, "this is just security through obscurity!" I am going to puke. This is the same as cleartext passwords, which are pretty secure if (a) you know nobody is sniffing the network and (b) you know nobody is masquerading as the host you want to connect to. Of course those things aren't typically true, so this alone isn't very secure. But it does disguise your exchange which, contrary to what the security-through-obscurity folks are saying, does give you some small measure of security.

    This is just a way of encoding some bit transfer in the IP protocol instead of in the beginning of whatever protocol you're using after the connection. You could also use it to send cryptographic credentials which could be as secure as any other protocol (plus some extra security by obscurity). The only problem with that is that you need a way to send back information via TCP (because most good authentication protocols are two-way), but I think you need that anyway in order to serialize your knocks.

  16. Re:Open a whole range of ports by blazerw11 · · Score: 5, Insightful

    That depends on the NAT gateway

    No, the gateway or direct host has ALL PORTS CLOSED, however it does log port requests. If the log shows the knocking sequence, then and only then, will it open a port.

    --
    A great many people think they are thinking when they are merely rearranging their prejudices. -- William James
  17. Locked out of your own machine? by SassyDave · · Score: 3, Insightful

    It seems like a malicious user could keep you from connecting to your own machine by sending "malicious knock noise" to multiple ports. Meanwhile, your valid knocks would be disregarded as they are intermingled with malicious knocks. This may not seem like a big deal since the malicious user's connection could probably be stopped easily. But in a crisis it may cost you precious seconds or even minutes before you can eliminate the "malicious knock noise" and log into your system.

  18. Re:Oh, really. by Pieroxy · · Score: 3, Insightful

    I don't think you get it. This way of securing a port (22 for example) is obscuring in the sense it hide the fact that you have a service up (SSH) to the outside world unless you know the "knock code".

    You can then hide any service that is not to be known from the public (SMTP, POP, SSH, TELNET, whatever...) thus removing the probability that any exploit for these may be exploited: The hacker on the other end doesn't even know the service is running!

    --
    Write boring code, not shiny code!