Slashdot Mirror
"Port Knocking" For Added Security
Jeff writes "The process of Port Knocking is a way to allow only people who know the "secret knock" access to a certain port on a system. For example, if I wanted to connect via SSH to a server, I could build a backdoor on the server that does not directly listen on port 22 (or any port for that matter) until it detects connection attempts to closed ports 1026,1027,1029,1034,1026,1044 and 1035 in that sequence within 5 seconds, then listens on port 22 for a connection within 10 seconds.
The web site explains it in some detail, and there is even an experimental perl implementation of it that is available for download. I can't think of any easy ways you could get around a system using this security method - let alone even know that a system is implementing it.
Another article on port knocking is here."
Something tells me I'm going to be seeing a lot bigger firewall logs in the future, as this catches on.
But it does seem like a layer of obscurity to what should otherwise be a secure port. What if someone is sniffing your network? Unlike an encrypted password, they could easily replay this sequence and gain access to your "hidden" port.
The more you know, the less you understand.
This is secure in the same way 50-character passphrases are secure, sure they are harder to crack but who the hell is goig to remember them. The harder you make something to use, users will start trying to find ways around it.
whats more, connection attempts are easy to sniff, you might as well be using telnet...THIS THING IS BEGGING FOR A "REPLAY ATTACK".
I though about this along time ago as a way of hiding a trojan. Of course I didnt patent it so no money for me : /
Im not here now... Im out KILLING pepperoni
This security is easily defeated if the connection can be sniffed to find the 'secret handshake'.
little pig little pig...
let me in
Am I the only one who heard Beavis say "Port Knocker!"?
Probably...
---- It puts the lotion on its skin or else it gets the hose again. It does this whenever it's told.
I can't think of any easy ways you could get around a system using this security method - let alone even know that a system is implimenting it.
Sniffing.
Right now, script kiddies have their computers automatically try to access other peoples' computers, looking for ones without firewalls, etc.. If this happens, wouldn't you expect them to just send out random knocks in the hopes of getting something? If that happens, you will be more secure personally, but the increased traffic may cause more problems that it solves.
G
Knock knock...
;)
Who's there?
Usher.
Usher who?
Usher wish I could SSH to your server!
Sorry...
libertarianswag.com
Interesting. So the next step would be to have one-time port knock sequences a-la one-time passwords (to defeat adversaries who are grabbing a copy of all your packets). But it seems like there is a race condition between the delay after the knock and the actual connection. Anyone have a solution to this?
An analogy would be a military base with a ten-foot-thick steel blast door. This is like having a door that teleports around at random, which can only be frozen in one spot by speaking some magic word. Even if you know the word, you still don't have the key to the door. But if you do have the key, you still can't get in without the magic word because the door keeps teleporting around.
Obscurity is great, if it is part of a layered security policy which is ultimately based on strong cryptography. This is a really cool idea!
That is a very old method i developed with my friends. We would only open the door after a "secret" knock sequence. We had seen this on TV and thought this would be cool. We jeopardized the security regularly when we said "wrong knock" after someone else knocked. Usually parents. Then they would say "open up". And we had to comply.
I was thinking about implementing this a while ago; I guess it's an obvious enough idea that others have been thinking along the same lines. This is equivalent to to putting a password on access to the port.
Ideally, the implementation will only consider connection attempts originating from the same IP address.
There is an easy way around it. The problem is you will make yourself very obvious. Simply pick a time at which the server in question is in high use. Hammer the port. Eventually someone will knock on the door opening it for 10 seconds and you put your foot in the door before they do. The other way is if you can get a packet sniffer simply look at the packets that came before and determine the secret knock.
This is still an interesting idea and definitely has at least a few places in which it would be an effective authentication mechanism.
The GeekNights podcast is going strong. Listen!
Is the site slashdotted...
...or do I have to knock my way in?
I demand the Cone of Silence!
Except it hides that the port is open at all, which is useful.
The idea was that you didn't want to disclose that you were running a Freenet node unless the person connecting to you already knew your node's public key.
So when someone wants to establish a connection to you, they must send some encrypted data providing they know your public key. Your node can receive this data and only respond if it is correct. Furthermore, you could let your Freenet node sit on port 25, for example, and forward invalid connection attempts to a mail server on a different port.
Through this mechanism, your Freenet node could quite effectively hide behind another server, only making itself known to those already part of the Freenet network.
IIRC this wasn't actually implemented in Freenet, but it is the intention to add it at some point. Still, it is amazing how many ideas were pioneered by Freenet years ago and are only showing up in the wider public conciousness now.
I predict a flood of commenters whining about this being "security through obscurity."
Yeah, just like passwords are "security through obscurity."
This is essentially another level of passwords, but sounds useful for hiding those services that could have vulnerabilities *cough* OpenSSH *cough*.
Will this technique itself have possible vulnerabilities?
It should be noted that this is NOT (necessarily) an example of security through obscurity. One could treat the port-knocking sequence as a "key". Long enough keys could make port-scanning impossible for anyone who doesn't know the key. Real mathematical cryptography is based on a similar principle.
Also, this is only a defense against port-scanning. Even if someone did manage to break the knocking sequence, they would still have to use some kind of exploit against the machine on the port they discovered.
-3Suns
~~~~
The Revolution will be Slashdotted
The shady side of hackerdom has been using this very technique to hide their backdoors from port scanning admins. Or, uh, so I've heard...
"The "knocking ports" could also be configured that if there are random hits to the standard port without the proper knock, the system could lock down for 30 seconds and even ignore the proper knock so that if somebody's trying to brute force all the possible knocks, they'll never get feedback when they have the right one."
That would just create a new variant to DOS attacks. Instead of taking you offline, they just persistantly knock on random ports, thereby disabling your ability to communicate with trusted sources.
G
What if multiple attempts from the same IP are made to access the port at the same time? Wouldn't the knocks get all mixed up?
Mad Software: Rantings on Developing So
OpenSSH is a great peice of sodtware - but it's so huge that I can't help but think that their could be flaws in it (like the one of 6 months ago)
I would love to layer another peice of security infront of OpenSSH and this seems like a great idea.
Moneyed corporations, non-working 'poor' and criminal prisoners are turning productive citizens into tax-slaves.
Has anyone implemented a system where a service would be stopped if the ports next to it were scanned? i.e. if 1024, 1025, 1026, 1027 were scanned, a service running on 1028 would stop.
Could this be implemented with IP Tables under Linux? I remember seeing a set of rules to detect a port scan; could a similar set of rules be used to unlock a port for a given remote IP number?
Of course, this won't take off unless there's also knocking support built into the clients (like ssh).
As everyone else is saying, this is just security by obscurity. That doesn't mean that you shouldn't use it, because it probably would help a lot in keeping out script kiddies and casual hackers. But the flip side, as always, is that you're giving yourself and your users a false sense of security when you pretend that measures like this will actually prevent motivated hackers from getting past it.
The most obvious way to break into a system like this is to compromise a nearby machine first and install a packet sniffer. Once you can see the traffic to the host running this port knocking system, it would be easy to discover the pattern. In fact, port knocking is less secure than a lot of other nonstandard authentication mechanisms because you could figure out the secret simply by looking at packet headers (since they contain the port numbers).
The other problem I see with this system is that it requires users to either memorize the secret knock, or use a program that automatically knocks for them. Since most people have a hard time even remembering all of their usernames and passwords, you'd see a lot of people writing down the knock, sending it via email, or writing scripts to knock for them. Dozens of opportunities to a hacker, especially one skilled in social engineering, to figure out the knock.
one could also change the sequence of ports that are used to be based on some key/progression/timestamp? so the knock is constantly changing... so even if someone sniffs the knock, it wont help.
"Nyquil - The stuffy, sneezy, why-the-hell-is-the-room-spinning medicine."
come on kids. Have we not learned our lessons? Even as a one time pad, this is lame
You are very much missing the point. Yes, security through obscurity is terrible when it is the only security method you use. However, it can be used to augment a better security system. Even if somebody figured out the secret knock, they would still have to get past your sshd. And if an sshd exploit was found, your secret knock might give you enough time to patch the system before it could be exploited. More security is always a good thing.
Disbelief in security through obscurity doesn't mean you have to paint a bull's eye on your head and dare people to attack you.
Toronto-area transit rider? Rate your ride.
Improperly done, the knock sentry could become a security/QOS issue in itself.
This definitely is security through obscurity and perhaps would work in the same way as a car alarm. There's lots more systems out there that are easier to break into, and if someone does try, just hope that they get fed up and moves on to the next one.
If you've gone this far, why not do something like they do on radio. Open up severable ports at the same time and multiplex your signal over several of them while sending noise over the ununsed ports randomly switching between ports using a syncronized random selector.
Implement it in combination with a onetime type password arrangement. You look up what the series of knocks is supposed to be on your secureID card (or whatever), then knock in the combination it tells you to use. Tie it in with the server you want to get into, and the port you actually connect to for ssh can be different every time.
IE, secureID says sequence is "1234 1441 1114 5123", you knock on the first three, and 5123 is the ssh port activated for you only.
Casca
Somebody do the math, but it doesn't look to be that secure. Brute-forcing this would not take long.
Assuming a 5 'letter' password, you have (2^16 - 1024)^5 possible passwords, which is 1.1 X 10^24. Assuming both the server and the attacker are on fat pipes and the server is implemented in a dumb way so that it doesn't recognize brute-force attempts, you could pull off perhaps 100 attempts per second. So it would take you about 10^22 seconds, or 350 trillion years.
In security, I think this technique is comparable to a reasonably strong plaintext password. It can be sniffed, but it can't really be brute-forced.
Today's show was brought to you by Google Calculator.
Mod down posts with a "Free Mac Mini/iPod" sig, they're spam!
There is only one form of security for a publicly accessible interface: obscurity. What is a password? It is a piece of information that you know that someone else doesn't - it is obscurity. The key to your house is something you have that someone else doesn't. If they knew the obscure details of your key they could make one. What is a private key, a key for SSH, a kerberos function? They are all information you know which (hopefully) a potential attacker doesn't. This is obscurity.
If you have a security system for a public interface (the front door to your house, a computer port, etc...) that does not rely on obscurity you have a system better than any theoretical system anyone has ever thought of. (Biometrics don't count - they are just another piece of information that you have that someone else probably doesn't. That's obscurity.)
Does anyone know the secret knock for www.portknocking.org:80 ?
Thanks.
SPAM
One interesting way to use this would be to forward incorrect knocks to a honeypot instead of the legitamite service. Then the attacker could never determine if he had indeed knocked successfully and would waste time running around in a fake system giving you valuable data about there intrusion methods and freeing up the actual service for legit users.
How many people are going to say sniff and repeat the sequence. You still have to get through the service after it opens. The whole point is that they don't know what is going on in the first place. And rotating keys are a good idea anyway. I like this idea for running some kind of server behind your ISP that normally doesn't allow such things. When I had excite@home I would regularly get firewall logs that said "authorizedscan.home.com" portscanning me.
the 'hammer' will have a different IP than the authorized 'knocker'
every day http://en.wikipedia.org/wiki/Special:Random
Wouldn't he have had to hack a computer closer to his target in order to be successful?
Wouldn't the best option be to have some type of SecurID based password in order to access the port? Unless there is a bug or hole in the software isn't a randomly changing password that requires a pin about as good as it gets?
And as they say, Security through obscurity isn't.
"Thanks to the remote control I have the attention span of a gerbil."
Although people are right in saying that packet sniffing can easily defeat this, I think it still improves security.
It leaves the impression that the machine has no ports open, so script kiddies will leave you alone. Also, an attacker can't just exploit a server bug to crack the system without also being in a suitable location to packet sniff the knock combination to get the port open in the first place.
Homme petit d'homme petit, s'attend, n'avale
They gave away half of their "obscurity" by releasing the concept to the world. If they were really interested in the security aspect of port-knocking, they wouldn't have posted the concept on the WWW. As an unobscure authentication system, I feel its value is quite limited.
Interesting concept... I thought of this 2 years ago and I'm now kicking myself in the balls for not acting on it! (not literally)
In my version of "port knocking", everything was going to be controled via ICMP echo packets.. aka "ping".
A single Ping packet can contain arbitrary data of an arbitrary length less than 64k. Through a config file, the system admin could define ping sequences using time, data, and/or packet size, along with a specified script to execute on each successful reception of the ping sequence.
Then, remotely, people who know the ping sequences could use almost any available ping utility on any machine to open remote ports, etc.
The concept of executing a script, rather than opening or closing ports, allows for more flexibility. Not only can the admin open and close ports via scripts, but could do other useful things.
Skiers and Riders -- http://www.snowjournal.com
Yeah, but you don't send out public packets when opening a combination lock.
/. article..."
Plus, thing about it this way:
* someone notices an SSH connection
* someone portscans, notices port 22 is closed
* someone thinks, "hm, there was that
* someone waits around for you to re-connect, and watches what closed ports you connect to
See? that easy.
--TheOrangeSquid Is it any wonder things seem so awry? We swim in a sea of confusion and don't have to think to survive
Let's say the correct squence is ports 2000, 2002, 2004. You could add a check that says if there is a knock on port 2001 or 2003 then this guy is locked out for a while.
on debian-security a couple of months back.
Anyway, one of the biggest problems is failure rate. If that "secret knock" fails unless you correctly use the appropriate sequence of knocks, then anyone malicious can implement a trivial denial-of-service attack just by constantly hitting random ports, preventing any knock completion.
Alternatively, if you ignore non-knockable ports, or ports that aren't part of the knock, then you've dramatically whittled down the strength of your virtual password, and made it that much easier to brute-force.
Perhaps this would deter some of the lowest levels of sk|21p7 |<1dd13z from getting in, but that would be true only for about two weeks, whereupon new toyz are released that automate these attacks, and you've given the black hats one more weapon (DoS through spoofed noise packets) in the meantime.
I guess if you really, really wanted to do this, you could have a single accessible port that would listen for access, and then receive an encrypted key that determines which other port your server opens for a possible connection. But basically all you're doing then is adding on another layer of password protection, whose effect will be circumvented when somebody finally decides it's annoying to have to login twice or enter multiple passwords, and sets them both to the same thing, on auto-login, then leaves his laptop sitting around for three minutes. And you've still not fixed the sniffing problem. There are bigger security soft spots to be addressed than trivially hiding access to your ssh port.
Freedom isn't free; its price is the well-being of others.
This looks similar to how frequency-hopping is used on secure radios.
Two radios synchronize, based on a key, and both change frequency every so many milliseconds. If you don't know the key, you can't send or receive to either of them.
I would like to see this extended to a port-hopping system for all ports and services. Sure -- it will burn some clock cycles, but I like the approach.
- Sam
http://www.iamsam.com
This method is already used by the proof-of-concept linux backdoor cd00r, written in 2000.
#1. DoS attacks - how is this different from any other DoS attack?
#2. Sniffing the port knocks - to do this, you would already have to have the upstream compromised or be on some shared network.
Not if your network is using a wired switch to connect the hosts. By definition, you should only see broadcast and unicast to your IP, not the whole network. This could be more of an issue if you are using a shared network link 10base2 or 802.11.
"Those who make peaceful revolution impossible, make violent revolution inevitable" - JFK
site up
knock 80
knock 80
knock 80
site down
The summary says that the ports to knock on are closed. Portscanning shouldn't reveal which ones are available to be knocked on.
University - a box of academia nuts.
i've been running SSH on a nonstandard port with this in the way:
iptables -N ${SSH_TABLE}
iptables -Z ${SSH_TABLE}
iptables -A ${SSH_TABLE} -m state --state NEW -m limit --limit 2/minute --limit-
burst 2 -j DROP
iptables -A ${SSH_TABLE} -m state --state NEW -m limit --limit 7/hour --limit-bu
rst 7 -j DROP
iptables -A ${SSH_TABLE} -m state --state NEW -m limit --limit 10/day --limit-bu
rst 10 -j ACCEPT
iptables -A ${SSH_TABLE} -j DROP
well, I thought it was cool...
Keep your packets off my GNU/Girlfriend!
That depends on the NAT gateway, as per the original poster. If the NAT gateway is dropping all packets that aren't part of a) valid incoming connections or b) a port knocking scheme, a portscan would reveal some or all of the ports utilized in the port knocking scheme. Ports that are closed but part of the knocking scheme would return a connection refused, while all the other (filtered) ports would simply be dropped.
Granted, most anyone implementing this sort of security setup on their firewall would most likely think about this and either a) open an entire range of ports, only some of which would be used for port knocking (as a previous poster mentioned) or b) simply close everything at the NAT gateway and not drop any packets, thereby not revealing any detail regarding a port knocking scheme.
I'm sure there are several other ways to deal with this at a NAT gateway, but they just aren't coming to mind at the moment.
Fully licensed blockchain psychiatrist
I wrote proof of concept code for this a few years ago. Mine is implemented as modified network sniffer code (with promisc disabled), so it doesn't require any weird firewall configs. I was considering some other things which could be useful, such as transmitting data via a fake network scan.
Most switches have, uhh.... "features" that allow an experienced attacker to trick them into broadcasting traffic to multiple ports.
Essentially, with a little judicious arp spoofing and a flood or two, the switch can be confused into just "making sure" the packets get to the right destination by broadcasting like a hub when it would normally be switching.
The party of stupid and the party of evil get together and do something both stupid and evil, then call it bipartisan.
It isn't the port. It's the service listening on that port.
If the port is closed, then it is impossible to attack that service through that port.
This process closes those ports.
This system is going to be unreliable. No way around it. A single dropped packet and you have to try all over again. If you're really paranoid, like some have proposed, and disable the "knock monitor" temporarily if someone tries to connect unsuccessfully, it will also be horribly slow.
If you use it on a LAN, maybe the net will be reliable enough, but then you have to worry about sniffers...
PHEM - party like it's 1997-2003!
Require syns to ports A, B, C, and D, which opens port E where you have to send a password, which opens port F from which you must do an HTTP GET for /foobar.html, which opens ports G which when connected sends you the number of random port H, on which an anonymous FTP service is now running to which you must send a SITE STARTIT command then download the number of port I, which will be the SSH service once you've pinged the server 7 times with 42 byte packets. And to make it really challenging, you have maybe 10 seconds to complete the sequence. (Think a lot of terminals just waiting for you to hit 'enter'... The pings would take most of the time.)
Oh, and if you do anything wrong after the first 3 ports are hit, you can't try again for 30 seconds.
Everyone has focused on the "does it make you more secure" arguments about this method. I'd be more interested in how it can be implemented properly since no TCP connection is being established using the knocks. I'd assume either a TCP SYN is being sent to the TCP ports, or the protocol uses UDP.
.9^10, or 35% chance of my sequence getting to its destination intact. 5% packet loss would up my chances to about 60%. Increasing amounts of knocks decreases my chances of the sequence arriving intact.
The problem is of course that since no connection is being established, there's no guaranteed delivery of packets, and no guaranteed delivery of packets in the order they were sent. This could be very problematic across network connections that drop packets, and provide you no feedback as to why you can't open your connection. If only 10 % of my packets get dropped, and I require 10 "knocks", I only have
Is there a clever way to solve this problem, or is the reliability of it tied to a low amount of packet loss on a network?
AccountKiller
I see a lot of comments saying "Well, why not just have two passwords?". It seems that people didn't read the article (the first link is /.ed, the second is not). The whole point is that with this, until you knock, the machine appears as a closed machine. No ports open. All ports will simply drop packets on the floor, meaning that a hacker scanning your subnet will not bother with that machine. The machine essentially appears invisible until knocked. Even with the most secure system, the hacker can still see that you're running, say, sshd, Apache, CUPS, and a few other services. And if a buffer overflow was announced 5 minutes ago for, say, sshd, they know that they can attempt to exploit the machine, since they see port 22 open. If you are using Port Knocking, you can have a vulnerable sshd, and it's a hell of a lot less likely to get exploited since the cracker has no way of knowing that you're running sshd...
There is no sig, there is only Zuul.
God damn, if I hear one more of you go, "this is just security through obscurity!" I am going to puke. This is the same as cleartext passwords, which are pretty secure if (a) you know nobody is sniffing the network and (b) you know nobody is masquerading as the host you want to connect to. Of course those things aren't typically true, so this alone isn't very secure. But it does disguise your exchange which, contrary to what the security-through-obscurity folks are saying, does give you some small measure of security.
This is just a way of encoding some bit transfer in the IP protocol instead of in the beginning of whatever protocol you're using after the connection. You could also use it to send cryptographic credentials which could be as secure as any other protocol (plus some extra security by obscurity). The only problem with that is that you need a way to send back information via TCP (because most good authentication protocols are two-way), but I think you need that anyway in order to serialize your knocks.
My question is how much better is it than simply moving your services to non-standard ports?
Quite a bit better, since it is easy to scan 65k ports serially to see which ones are listening, but much harder to scan a jillion combination of port sequences to see which ones are listening.
Congratulations. You've just extended your "secure" corporate network beyond the physical walls of the office, and into the house of one of your employees. Are you sure that the machine they're using as a VPN client hasn't been rooted? VPNs have their uses, but they're far from solving this problem, and in many ways weaken your overall security. The correct solution is to change the authorisation criteria from things you know (password, "secret handshake") to things you know plus something else, for example, things you have. We do this with one time passwords sent to a user's mobile phone. Once that's been entered, they're prompted for their normal password. Thus even if the box has been rooted, and has keystroke and network sniffers galore, it doesn't matter. So long as the black hats don't have my trusted employee's mobile phone, they're not going to get in (and furthermore, the unexpected passwords being sent to the phone act as an early warning system to let us know someone's trying to break in). Of course, no security measures are perfect, and theoretically, with root access, they could hijack an existing ssh connection once it's been opened, but it's non-trivial, and we've raised the bar considerably.
"The invisible and the non-existent look very much alike." -- Delos B. McKown
"open port Y for ip Z using key K"
if the port opening policy accepts this command then it is opened otherwise it is not. Better yet 'REAL' crypto could be used to protect the ports. Fore example...
"open port Y for ip Z @ TIMESTAMP" Encrypted by K.
This simpler implementation (more likely to be correct) will provide equivalent security.
This is a great way to hinder people from randomly picking to hack your box by scanning for open ports. However, if someone is dedicated to hack YOU specifically, they could still use a man-in-the-middle attack, sniff the packets to see which port sequence you were using, etc, etc.
Of course, there really is no way to block a skilled hacker who is intent on breaking into a specific network/box by any means necessary.
actually, you only really need arp spoofing, or rather poisoning. By sending spoofed arp reply packets you trick the target into thinking your computer is the router and vice versa. You can then forward the traffic between the two, so that it is totally transparent to them. It's the classical man-in-the-middle attack.
Switched networks are definitely not safe from sniffing, it just makes more "noise" to do so.
This is security by obscurity, but it is useful. Don't repeat this mantra just because "the experts" say so.
Since some still don't understand its use, i'll be speaking metaphorical:
Assume you need to have a special key to open a certain otherwise secure door. OpenSSH might be that door and your passphrase and your certificate are the key.
An attacker can still forge the key or attack the lock with a different approach, picking etc. - comparable to "social engineering" to get the password, brute forcing or exploits.
And that port knocking sequence now effectively hides the lock, leaving an attacker without a first approach to pick or break the lock. It just adds another layer of security. You just don't know where to start your attack. You can't use exploits, you can't try brute force - nothing, heck you don't even know what type of daemon your target is.
A clean stainless steel door with a covert RFID-detector one square inch in size, hidden somewhere, sure as hell beats the same door with a clearly visible lock. You still need to pick the lock, but you can't poke your lockpicking tools into solid steel and you can't crack something you cannot discern.
--- Still one addition to say: having a machine connected to the internet with no ports open makes you a prime suspect for the port knocking scheme.
A good stealth scheme may be implemented, so a potential attacker (excuse for this metaphor again) does not even see the door (or the building, for that matter).
That depends on the NAT gateway
No, the gateway or direct host has ALL PORTS CLOSED, however it does log port requests. If the log shows the knocking sequence, then and only then, will it open a port.
A great many people think they are thinking when they are merely rearranging their prejudices. -- William James
Kris Gleason implemented a similar scheme in his gettyps code back in the 90s (it still available and in most distributions). For the "knock" one would dial into a modem (or any serial port) and let it ring a specified number of times. If the right number of rings was received before disconnect, gettyps would allow the next call to connect.
Michael.
Linux : Mac
Butthead: "Uhhhha, I am gonna emale you....in the butt.
Beavis: "Shutup! Port-knocker!
I did this about 5 years ago. But my method was a bit different. Instead of using port numbers to contain the information (and that's all it really is, is just information), I sent a single UDP packet, with a source port of 53 (so it looks like a DNS answer), formatted like a DNS answer, that contained the information in the DNS answer data. Then it opened the SSH filter for that IP address to come in (I did it for 5 minutes, not 10 seconds). It still had to fully authenticate via SSH, so even if someone sniffed my DNS packet and tried to fake it, they could at most have a locked door to jiggle the handle on. Next time I do this, it will be to generate an MD5 checksum from the client IP and a secret salt, and send that as an IPv6 address in the packet. Then it can't even be faked from some other IP address.
now we need to go OSS in diesel cars
What if I turn this whole thing around and install fake services on a number of ports?
For example, whenever you make a connection to a port between 1025 and 2048 on my system, you're greeted with "OpenSSH ...", and prompted to authenticate. But only behind one among those 1024 ports is the real SSH. On any other port, the fake service takes the username and password you've entered, wait a few seconds (just idling around), and tell you "Authentication failed". If you try too often to connect to faked services, you're put on the black list to avoid DOS, of course.
This is a neat trick, but it does not really increase protection against targeted attacks.
It really is nothing more than a password to get access to the front gate... When somebody eavesdrops (sniffing), they will know the passwords, thus get access to the gate. They can sucessfully detect the knocking sequence because it is followed by a successfull ssh connection (duh!).
The password is this 'secret sequence' in this 'port knocking'. Why not just use a daemon that listens on a UDP socket for a packet with an encrypted password in its payload? The payload could even be an RSA-signed and/or encrypted request (that includes a timestamp). That would be unscannable too, because UDP is connectionless, and be a lot more secure because of the real encryption/protection of the request data (the server can verify the identity of the sender of the request from the RSA signature, and can deny the request if one was made earlier with the same time stamp, twarting even sniffing of the UDP packet).
Except for not having the ssh daemon 'connected' to the internet at all times and thus evading many port-scanning worms/scripts, this port knocking is nothing more than just some security through obscurity: At best it will delay the attacker somewhat, but probably not at all while giving the user a false sense of being secured.
--- Hindsight is 20/20, but walking backwards is not the answer.
It seems like a malicious user could keep you from connecting to your own machine by sending "malicious knock noise" to multiple ports. Meanwhile, your valid knocks would be disregarded as they are intermingled with malicious knocks. This may not seem like a big deal since the malicious user's connection could probably be stopped easily. But in a crisis it may cost you precious seconds or even minutes before you can eliminate the "malicious knock noise" and log into your system.
Back when I depended on a dialup connection, I used xringd. By having the phone line the modem was on ring in a certain pattern, I could command the computer to dial up (using diald). Then a line in /etc/ppp/ip-up.local would mail me the IP address the PPP server assigned the computer (this was before DynIP or DynDNS). I'd then be able to log into the machine. Pretty darn cool for 1996.
I don't think you get it. This way of securing a port (22 for example) is obscuring in the sense it hide the fact that you have a service up (SSH) to the outside world unless you know the "knock code".
You can then hide any service that is not to be known from the public (SMTP, POP, SSH, TELNET, whatever...) thus removing the probability that any exploit for these may be exploited: The hacker on the other end doesn't even know the service is running!
Write boring code, not shiny code!
It doesn't actually use significant resources unless it's getting pounded with lots of packets, and you can limit this by only listening on a few ports, blocklisting IP addresses that knock on the wrong ports, and limiting the rate that you actually respond to requests from a given IP address. On the other hand, you have to be careful not to let the attacker spoof a bunch of _bad_ requests, causing you to blocklist a real site. Depending on how much eavesdropping capability the attacker has, this may be easy or hard.
The security advantage of this method over a single-port method with a password is that there are applications that you run which may have bugs in them, such as your SSH server or SNMP monitors, which you're not going to rewrite, and it lets you block access to them except from authorized users. It's a defense-in-depth strategy, possibly good (though it looks clumsy to me.) It can cut down on lots of the script kiddies.
Also, this doesn't have to be in your main server. This is the kind of application you could build into your firewall box, so it reduces the number of ports that can pass through the firewall, except when somebody knocked successfully, and the firewall doesn't allow passthough on the knocking ports. Of course, you could accomplish almost the same thing wiht better security by accepting SSL requests to an application on the firewall...
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
This is a great idea.
It adds security to any existing methods (passwords, etc.).
It can be implemented behind a firewall that doesn't even respond on any port probes, so an attacker can't even tell if the firewall was just unplugged.
If the firewall stays closed, the protocol can't be used by an exploited machine, unless a method for exploiting the firewall is also known.
Or the method can be implemented in user space of a machine behind a completely closed firewall, just by pre-arranging for the logging of firewall port probes, and the forwarding of appropriately filtered contents of the firewall logs into user space.
They key sequence can also be made long enough to make it just as hard to crack as a long pgp private key, e.g. nobody except (3 letter agency) and distributed.net will even bother to try.
The sequence key can be from a one-time pad, meaning that even if the protocol is completely revealed to a local sniffer, they'll just end up with a useless password.
And lastly, it's possible to additionally encode the key sequence with a modulation wrapper and enough redundancy to withstand a given signal to noise ratio and mis-sequencing rate, which means one could even make the sequence key usable in the face of probing or an outright DoS attack against the protocol up to a certain attack bandwidth and knowledge of which ports might be in the sequence.
Where's my coding textbook and patent attorney...
http://www.portknocking.org/view/about/obscurity
It does a much better job of explaining this than anything yet posted here.
Sorry, wrong. There are several messages in this thread that mention REJECT (response to packet) instead of DROP (total silence). With this scheme in place, you need not listen on *any* ports, and you need not respond in any way. You can have a totally silent box, even with 10 or 20 services "listening". Nothing gets through until your iptables/ipchains software allows the traffic through.
Admittedly, if you're running a public site, you're mixing two kinds of solution --- publicly available vs secured, but analogous statements can be made here - you can't tell a public site using port knocking for some special services from a public site that doesn't support same.
This is like a void fn() in C (no return status). You knock on the 5, 10, or 25 ports in the right sequence to "send your message". You get nothing back. You then try to open the port that is your ultimate destination - if it's open, you're fine, if it's not, you have issues. This isn't a full-duplex kind of protocol, folks. I love it :-)
Thus, it is impossible to distinguish a totally silent box (listening on no ports, dropping all packets) that has implemented port knocking from a box that is merely totally silent.
As a two-laptop user who attaches to corporate LANs and public high-speed networks in hotels, I just love the idea of having all packets dropped until someone sends "shave & a haircut!" - then letting them in for a bit.
It would certainly be better than my current approach - using ethernet addresses (maclist in Shorewall! :-) to allow ftp and http etc to my linux box.
Redundancy is good; triple redundancy is twice as good! - Me.
Seems vulnerable to traffic analysis, as someone mentioned you don't use a combination lock that sends packets all over the world. People will want more complicated sequences, but it will take more time to send them and they may have to resend due to TCP packets coming in different order. But even so anybody on your network or the server's network should be able to see what's going on, how secure is that? And if the server ever responds to your ip from any port then you likewise hosed.
On the other hand this does seem to be an interesting way to one-way send information to the server. I was thinking of playing solitaire using Bruce Schneier's algorithm using a port for each card of a deck.
IANA cypherpunk, but there seem to be a number of ways to treat the set of all closed ports as a numerical space that would be interesting for encrypted communications.
For example you could convert a one-time pad, a private key, or a set of communication channels into a list of port numbers. For a short message at least, you could send with pretty good security (although the list of ports, if not their hash values, would be known to the outside world).
To me this knocking stuff sounds like it only *reduces* security and provides lots of interesting clues to men in the middle. The intriguing part seems to be that you can send a good deal of information through a large number of half-connections in parallel, but this may have already been tried by other people. Of course if the message is simple enough that a single ping to a single prearranged port number is enough to convey it, then you would seem to have a pretty strong system though its existence would certainly be uncovered sooner or later. But if this became popular I suppose the advantage would be in being able to assign certain ports to prearranged values, both for encryption purposes and also to reduce the amount of data you actually need to send.