Slashdot Mirror

← Back to Stories (view on slashdot.org)

Port Knocking in Action

Posted by CmdrTaco on from the crazy-security-through-obscurity dept.

tyldis writes "There was something called "port knocking" mentioned on Slashdot earlier, and now an implementation has sprung to life. Is this something worth pursuing?" The page is to an application called knockd which is a simple proof of concept with hard coded knock sequences. Really interesting stuff.

4 of 430 comments (clear)

  1. Another implementation by frobisch · · Score: 5, Informative

    is pasmal

  2. portknocking.org by trip23 · · Score: 5, Informative

    You'll find some more stuff on http://www.portknocking.org...

  3. Parent is wrong by Ernesto+Alvarez · · Score: 5, Informative

    Encrypted port knocking is pointless. Here's why: Port knocking only makes sense if the protected system reacts to the individual knocks as if there was no port knocking system. Only when the knock sequence has been completed it opens the port. This means that you can't do any handshaking. All communication is one-way until it's "too late".


    The idea in the grandparent post wasn't a challenge-response in the traditional way. It was some authentication data along with the knocking.
    The knock won't be encrypted, but it will have some data that is characteristic of the source (the source IP) that can't be spoofed (because of the password and the one way hash).

    An example of this would be:

    1.Real owner takes his IP (public info)
    2.Real owner takes his secret password (known only to him)
    3.Using IP and password he computes the hash and sends it in the knocking packets (let's say it's in the IP id)
    4.The receiving system captures the knocking packets and takes IP source and the hash
    5.It reads the secret password (from config file)
    6.It calculates the hash with the source IP and password

    If the hash sent and the hash calculated match, the system "accepts" that part of the port knocking. If not, discards the packet.

    An intruder might only spoof the whole packet (including IP source) and might open the firewall only for that IP. If he tries to use the hash to open it for HIS ip, the calculated hash won't match the hash sent. He cannot calculate the hash he would need because he does not know the password, and the hash is one way.

    In this protocol the target system does not need to respond with a challenge, it just discards packets that are "spoofed" (that have a non matching hash).
    --
    GPG 0x1B479C78
  4. Re:one of many by Anonymous Coward · · Score: 5, Informative

    Why not just mod me up instead? I provide links!