Slashdot Mirror


"Port Knocking" For Added Security

Jeff writes "The process of Port Knocking is a way to allow only people who know the "secret knock" access to a certain port on a system. For example, if I wanted to connect via SSH to a server, I could build a backdoor on the server that does not directly listen on port 22 (or any port for that matter) until it detects connection attempts to closed ports 1026,1027,1029,1034,1026,1044 and 1035 in that sequence within 5 seconds, then listens on port 22 for a connection within 10 seconds. The web site explains it in some detail, and there is even an experimental perl implementation of it that is available for download. I can't think of any easy ways you could get around a system using this security method - let alone even know that a system is implementing it. Another article on port knocking is here."

7 of 950 comments (clear)

  1. not bad by maelstrom · · Score: 5, Insightful

    But it does seem like a layer of obscurity to what should otherwise be a secure port. What if someone is sniffing your network? Unlike an encrypted password, they could easily replay this sequence and gain access to your "hidden" port.

    --
    The more you know, the less you understand.
    1. Re:not bad by h4x0r-3l337 · · Score: 5, Insightful
      The whole point behind port knocking is the wrong impression that "open" ports are more insecure than "closed" ports. This is totally bogus.

      No it isn't. A closed port does not accept any data, therefore you cannot attack the application "behind it". A port that is open is only as secure as the application listening on that port, which AT BEST is as secure as a closed port, assuming the listening service is absolutely perfect, and has no flaws whatsoever.

      There does seem to be some confusion as to what it means for a port to be "closed", judging from most of the posts I've seen so far. You can close a port, but send "connection denied" replies to anyone trying to connect. This makes the port itself safe, but tells the attacker that there is in fact a machine there on the network (which could be a reason for an attacker to continue to probe and/or attack you in other ways). You can also close the port by not responding to anything directed at it at all. If *all* of your ports are like this, an attacker won't even know if your machine is turned on or off, or if there's even a machine there at all. In a way, you've become invisible. Ideally, that's what you want. Port knocking is simply a way to allow your machine to be invisible while still being able to initiate connections to it from arbitrary IPs.

  2. Before you complain about "Obscurity" by pclminion · · Score: 5, Insightful
    This adds a layer of obscurity to a security policy. It can't substitute for security, but it certainly can help.

    An analogy would be a military base with a ten-foot-thick steel blast door. This is like having a door that teleports around at random, which can only be frozen in one spot by speaking some magic word. Even if you know the word, you still don't have the key to the door. But if you do have the key, you still can't get in without the magic word because the door keeps teleporting around.

    Obscurity is great, if it is part of a layered security policy which is ultimately based on strong cryptography. This is a really cool idea!

  3. Not good by glpierce · · Score: 5, Insightful

    "The "knocking ports" could also be configured that if there are random hits to the standard port without the proper knock, the system could lock down for 30 seconds and even ignore the proper knock so that if somebody's trying to brute force all the possible knocks, they'll never get feedback when they have the right one."

    That would just create a new variant to DOS attacks. Instead of taking you offline, they just persistantly knock on random ports, thereby disabling your ability to communicate with trusted sources.

    --
    G
  4. Security through obscurity by Dominic_Mazzoni · · Score: 5, Insightful

    As everyone else is saying, this is just security by obscurity. That doesn't mean that you shouldn't use it, because it probably would help a lot in keeping out script kiddies and casual hackers. But the flip side, as always, is that you're giving yourself and your users a false sense of security when you pretend that measures like this will actually prevent motivated hackers from getting past it.

    The most obvious way to break into a system like this is to compromise a nearby machine first and install a packet sniffer. Once you can see the traffic to the host running this port knocking system, it would be easy to discover the pattern. In fact, port knocking is less secure than a lot of other nonstandard authentication mechanisms because you could figure out the secret simply by looking at packet headers (since they contain the port numbers).

    The other problem I see with this system is that it requires users to either memorize the secret knock, or use a program that automatically knocks for them. Since most people have a hard time even remembering all of their usernames and passwords, you'd see a lot of people writing down the knock, sending it via email, or writing scripts to knock for them. Dozens of opportunities to a hacker, especially one skilled in social engineering, to figure out the knock.

  5. Obscurity IS Security by CedgeS · · Score: 5, Insightful

    There is only one form of security for a publicly accessible interface: obscurity. What is a password? It is a piece of information that you know that someone else doesn't - it is obscurity. The key to your house is something you have that someone else doesn't. If they knew the obscure details of your key they could make one. What is a private key, a key for SSH, a kerberos function? They are all information you know which (hopefully) a potential attacker doesn't. This is obscurity.

    If you have a security system for a public interface (the front door to your house, a computer port, etc...) that does not rely on obscurity you have a system better than any theoretical system anyone has ever thought of. (Biometrics don't count - they are just another piece of information that you have that someone else probably doesn't. That's obscurity.)

  6. Re:Open a whole range of ports by blazerw11 · · Score: 5, Insightful

    That depends on the NAT gateway

    No, the gateway or direct host has ALL PORTS CLOSED, however it does log port requests. If the log shows the knocking sequence, then and only then, will it open a port.

    --
    A great many people think they are thinking when they are merely rearranging their prejudices. -- William James