Slashdot Mirror


Port Knocking in Action

tyldis writes "There was something called "port knocking" mentioned on Slashdot earlier, and now an implementation has sprung to life. Is this something worth pursuing?" The link goes to an application called knockd, a simple proof of concept with hard-coded knock sequences. Really interesting stuff.

17 of 430 comments

  1. ISP Port-Scanning by ckswift · · Score: 5, Insightful

    This might be useful when ISPs routinely port-scan their subscribers to discover if they're running services in violation of their TOS.
    This will allow your computer to appear not to be running services except to the person who knows the magic knock.

  2. Fyodor must be busy... by stevens · · Score: 5, Insightful

    I'm betting that nmap binary is about to get much bigger...

  3. Nice start by javatips · · Score: 4, Insightful

    That's a nice start.

    It would be nice to be able to use a one-time pad to generate the port sequence. By changing constantly, it would be almost impossible for passive listeners to sniff the port sequence.

  4. Re:authpf? by smcavoy · · Score: 5, Insightful

    passwords and port knocking are two different things.
    A perfect example of what it could allow is on knockd's homepage.
    Basically, ssh would not be an open port; you'd have to knock (connect to) the right sequence of ports, which would trigger a rule that could allow only the IP that made the successful knock access to the ssh port.
    Then when you're done you would have another sequence of ports you'd have to "knock" in order to remove the rule allowing access.
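
The open/close mechanism described in the comment above, as an added example (it is a model of the behaviour, not knockd's own code): hits on closed ports are fed to a small state machine per source address; completing the open sequence adds an allow rule for that address only, completing the close sequence removes it. The sequences, addresses and timeout are constructed for the example, and a set stands in for the firewall rule table. The replay_demo function also shows the weakness several later comments raise: with a static sequence, whoever sniffed the knocks can replay them from their own address and get their own rule.

```python
"""Model of a knockd-style daemon: a fixed port sequence from a source address
opens the protected port for that address only; a second sequence closes it.
Added example with constructed sequences; it is not knockd's own code."""

OPEN_SEQ = (7000, 8000, 9000)   # constructed: knock these in order to open
CLOSE_SEQ = (9000, 8000, 7000)  # constructed: knock these in order to close
SEQ_TIMEOUT = 10.0              # seconds a partial sequence stays alive


class KnockDaemon:
    """`allowed` stands in for the firewall rule set knockd would edit;
    `actions` records the rule changes it would have requested."""

    def __init__(self, open_seq=OPEN_SEQ, close_seq=CLOSE_SEQ, protected_port=22):
        self.sequences = {"open": tuple(open_seq), "close": tuple(close_seq)}
        self.protected_port = protected_port
        self.progress = {}   # (src_ip, sequence name) -> (next index, time of last hit)
        self.allowed = set()
        self.actions = []

    def _advance(self, src_ip, name, port, now):
        """Move one sequence forward for src_ip; True when it just completed."""
        seq = self.sequences[name]
        idx, last = self.progress.get((src_ip, name), (0, now))
        if now - last > SEQ_TIMEOUT:
            idx = 0                      # too slow, start again
        if seq[idx] == port:
            idx += 1
        elif seq[0] == port:
            idx = 1                      # wrong port, but it restarts the sequence
        else:
            idx = 0
        if idx == len(seq):
            self.progress.pop((src_ip, name), None)
            return True
        self.progress[(src_ip, name)] = (idx, now)
        return False

    def observe(self, src_ip, dst_port, now):
        """Feed one SYN to a closed port; the firewall drops it either way,
        the daemon only reads the log line."""
        for name in list(self.sequences):
            if self._advance(src_ip, name, dst_port, now):
                if name == "open":
                    self.allowed.add(src_ip)
                    self.actions.append(("ACCEPT", src_ip, self.protected_port))
                else:
                    self.allowed.discard(src_ip)
                    self.actions.append(("DROP", src_ip, self.protected_port))

    def accepts(self, src_ip, dst_port):
        """Would the firewall let this connection through right now?"""
        return dst_port == self.protected_port and src_ip in self.allowed


def knock(daemon, src_ip, seq, start):
    """Send a whole sequence one second apart, as a knock client would."""
    for i, port in enumerate(seq):
        daemon.observe(src_ip, port, start + i)


def replay_demo():
    """A static sequence is a shared secret on the wire: once sniffed, an
    attacker replays it from their own address and gets their own rule."""
    kd = KnockDaemon()
    knock(kd, "198.51.100.10", OPEN_SEQ, 1000.0)          # legitimate client
    knock(kd, "203.0.113.7", OPEN_SEQ, 1060.0)            # attacker replays sniffed knocks
    return (kd.accepts("198.51.100.10", 22),
            kd.accepts("203.0.113.7", 22),
            kd.accepts("192.0.2.1", 22))                  # never knocked


if __name__ == "__main__":
    print(replay_demo())                                   # (True, True, False)
```

Note that the daemon never answers anything: the knocks are dropped SYNs and the only observable effect is the rule change, which is what keeps the box invisible to a scanner that does not know the sequence.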

  5. Why is this more secure... by TheSHAD0W · · Score: 4, Insightful

    Than a single coded UDP packet?

    1. Re:Why is this more secure... by CyberVenom · · Score: 3, Insightful

      In that case, you could accomplish the same thing with a single ICMP packet that has in its payload a port number to open, followed by a hash built from the port number, current epoch time (as synchronized from the USNO clock), the password and the destination IP (to prevent the same packet from being replayed within 1 second against another server that has the same password). Voila! You now have a time-dependent, unilateral unlock mechanism piggybacked on an existing, allowed protocol, whose reply packets can easily be dropped in every case but a successful auth, making the server invisible to ping sweeps. The time sync window can be as small as a few seconds if both machines synchronize their clocks from the USNO. Obviously, once a particular hash is used, the server should reject any further uses of that hash within 1 second to avoid instant replay attacks.
      A similar procedure could also be used to dynamically route ports (sort of like portmap) through a NAT firewall to specific hosts on the inside, thus moving the software requirement off of the server itself and onto the firewall. The client side can be just a small userland app to unlock the port, then the normal program can initiate the port connection (ssh, eMule, kMail, or whatever)

  6. Sniffing only works when on that network. by khasim · · Score: 4, Insightful

    You can only sniff packets on a network you are attached to.

    What that means in real life is that someone would have to be connected somewhere along the route from your machine to the server you're knocking on.

    I am in Seattle, I can knock on my server from another location in Seattle. Someone in Canada will not be able to capture any of my packets.

    Port knocking allows me to run a service on the Internet and not worry about just anyone from anywhere connecting to it.

  7. Re:Knock Knock? by DarkMan · · Score: 5, Insightful

    Meh, throw some cryptography into the mix.

    Take the source IP, add a password, take a one way hash. Include this hash in the knocking packets.

    Now, if you've sniffed the packets, then you won't know the password. So, you can spoof the source IP, in which case the port will be opened _for that IP only_, or you can send the knocking packets from your IP, in which case you need that password, or you've just advertised yourself as a hacking attempt.

    In order to prevent a single password for everyone situation, it's not hard to include a user ID in the packets.

    Does need the application or firewall to allow connections to and from specific IPs only - but I really can't see that being an issue.

    Problem solved.

  8. Re:one of many by tverbeek · · Score: 4, Insightful

    "port knocking is like having a deliberate hole in your carefully constructed secure zone."

    Well, yes. That's the point: to enable access to a secured system. It's often a necessary evil. The issue is that most people implement these deliberate holes by leaving certain ports open to simple direct access. They're easy to find, and not all that difficult to exploit. Adding a layer of obscurity and another layer of security on those holes - in effect putting a concealed combination lock on them - would be a more secure way of doing that.

    --
    http://alternatives.rzero.com/

  9. It's broken, and the real solution is simple by Anonymous Coward · · Score: 5, Insightful

    Sniffing the sequence allows a replay attack.

    The correct implementation is to listen in promiscuous mode for any packet containing a small, known header, then inspect the rest of the packet for a gpg-signed request to open a port or service, or alternately initiate a connection. Only the possessor of the private key can make a request (attacker's attempts fail the signature check), a man in the middle cannot decrypt the contents, and replay attacks are defeated by the timestamp.

    -1, Security by Obscurity.

    1. Re:It's broken, and the real solution is simple by Torne · · Score: 4, Insightful

      If you use signatures, IPSEC, or anything more complex than knocking, you need the client to support it. You can knock using nothing but telnet. That's kinda the point. =)

  10. Re:About as secure as telnet(1) ie not. by eth00 · · Score: 3, Insightful

    Yeah, but if you have ssh open with this it is just another layer of security. It is hard to truly secure a box with no openings and this is just one more thing that will trip people up. If you implement this and somebody tries to brute force your password or something it would certainly take longer (if they are not locked out because of so many tries first). In today's world it is just one more tool that can be added to the computer security arsenal. Hell, it would not even be a bad back door to your own box. Imagine a remote box and you upgrade ssh...but it fails. You simply portknock and have some odd port with telnet open up. You just saved yourself some money and the time of having somebody go and fix the server from the console.

  11. It's all about layers of security by pkiguruman · · Score: 4, Insightful

    If you are using portknocking as your only defense, then you are as smart as dirt and deserve what's coming to you.

    I think it fits in great as a layer of defense.
    Is there an easier way to weed out the attempts from all of those script kiddies and worms to get into certain services on your network?

  12. Re:Secrets are not security by Gaijin42 · · Score: 3, Insightful

    Well, then there is no such thing as security.

    Your 10000000 bit PKI key is just a secret. If you are relying on not giving that secret out to handle your security, then you don't have any. It's just a secret; I guess I am better off not using encryption.

    The arrangement of pins in my doorknob is a secret. I guess I am better off not locking my doors.

    The password to log into my workstation is just a secret. I should just leave it open.

    The more "secrets" you have in any given situation, the better secured you are.

    Random portscans where they get all your secrets wrong : could be random noise.

    Random portscans where they get 2/3 of your secrets right : You have probably identified an active intrusion attempt. Also you have identified a possible leak in your secrets. Time to change the passwords.

  13. Responses to assertions that this is insecure by cryptor3 · · Score: 5, Insightful

    A number of people have commented that because the port knocking sequence is transmitted without any form of encryption, port knocking is insecure. I disagree, on the basis that port knocking is not an access control measure, but rather a deterrent measure.

    If you intend for port knocking to stop determined, targeted attacks, then yes, you are sadly mistaken. However, port knocking is effective in making your host less attractive to be hacked.

    I think that a limited analogy is the removable stereo faceplate. Car stereos are a hot target for car thieves. A car thief sweeping a parking lot will not spend time on cars where he does not see the whole stereo (faceplate included).

    By hiding the faceplate, you make yourself less likely to be a victim, even if you just leave the faceplate in your glovebox. If the thief saw where you hid your faceplate, then yes, he could pop it back in and have your stereo in the 30 seconds it takes him to yank it out. But he would have to be watching you. This would be akin to packet sniffing.

    Likewise, someone scanning for a host is looking for evidence of a particular (vulnerable) service. If he doesn't see that service on your PC, he just moves along.

  14. Re:Secrets are not security by Sique · · Score: 3, Insightful

    It looks as if you don't grasp the concept here. No one requires the knocking sequence to be static. Only the knockd as a proof-of-concept implementation uses a static sequence to keep the program simple and point out what Knocking adds to the normal server concepts. Authenticating yourself against a server with a nonstatic sequence is not a new concept in this context, so it was not focused on during knockd's implementation.

    No one will stop you from implementing an adv_knockd which requires the knocking sequence to be the current time in GMT, signed with your private key. Then your adv_knockd checks your signature with your public key and verifies the timestamp.

    This makes your adv_knockd invulnerable against replay attacks, if you declare a sequence already sent to be invalid for the next hour (you have to allow for a grace period in the timestamp, because of network delays and asynchronous clocks, so a replay of an already sent sequence within a few seconds would still come through).

    The knockd is explicitly called a proof-of-concept. Using it directly as part of your security policy is strongly discouraged :)

    --
    .sig: Sique *sigh*
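
Comments 5.1, 7, 9 and 14 above all describe the same fix for the replay problem: a single knock packet that carries an authenticator over the port to open, the current time, the sender's address and the server's address, with the server refusing stale timestamps and anything it has already accepted. The block below is an added example of that design, not code from knockd or from any of the commenters. It uses HMAC-SHA256 with a per-user shared secret from the Python standard library; the public-key variant of comments 9 and 14 has the same structure with a signature in place of the MAC and a public key in place of the secret. The transport (ICMP payload or UDP datagram) is left out; only the payload bytes are built and checked. User ids, secrets, addresses and the 30-second window are constructed for the example.

```python
"""Single-packet authenticated knock: added example, not knockd's code.
The server recomputes the MAC using the address the packet really came from
and its own address, so a sniffed packet cannot be spoofed from another
host, sent to another server sharing the secret, or replayed later."""
import hashlib
import hmac

WINDOW = 30      # seconds of clock skew plus network delay tolerated (constructed)
MAC_LEN = 16     # bytes of the HMAC-SHA256 tag carried on the wire


def make_knock(key, user, port, ts, src_ip, dst_ip):
    """Client side. Only user, port, timestamp and tag are transmitted;
    src_ip and dst_ip are covered by the MAC but never sent explicitly."""
    covered = f"{user}|{port}|{ts}|{src_ip}|{dst_ip}".encode()
    tag = hmac.new(key, covered, hashlib.sha256).digest()[:MAC_LEN]
    return f"{user}|{port}|{ts}|".encode() + tag.hex().encode()


class KnockVerifier:
    def __init__(self, keys, my_ip):
        self.keys = keys      # user id -> shared secret (constructed table)
        self.my_ip = my_ip    # the address this server answers on
        self.seen = {}        # tag -> time accepted, to refuse replays in-window

    def _purge(self, now):
        # A tag is only accepted while |now - ts| <= WINDOW, so anything older
        # than 2 * WINDOW can no longer be replayed and may be forgotten.
        self.seen = {t: ts for t, ts in self.seen.items() if now - ts <= 2 * WINDOW}

    def verify(self, packet, src_ip, now):
        """Return (port to open, "ok") or (None, reason).
        src_ip is the address the packet arrived from, not a field in it."""
        try:
            user, port_s, ts_s, tag_hex = packet.decode().split("|")
            port, ts = int(port_s), int(ts_s)
            tag = bytes.fromhex(tag_hex)
        except ValueError:
            return None, "malformed"
        key = self.keys.get(user)
        if key is None:
            return None, "unknown user"
        covered = f"{user}|{port}|{ts}|{src_ip}|{self.my_ip}".encode()
        expected = hmac.new(key, covered, hashlib.sha256).digest()[:MAC_LEN]
        if not hmac.compare_digest(tag, expected):
            return None, "bad mac"        # wrong secret, spoofed source or wrong server
        if abs(now - ts) > WINDOW:
            return None, "stale"
        self._purge(now)
        if tag in self.seen:
            return None, "replay"
        self.seen[tag] = now
        return port, "ok"


if __name__ == "__main__":
    server = KnockVerifier({"alice": b"constructed-shared-secret"}, "192.0.2.10")
    pkt = make_knock(b"constructed-shared-secret", "alice", 22, 1_000_000,
                     "198.51.100.5", "192.0.2.10")
    print(server.verify(pkt, "198.51.100.5", 1_000_003))   # (22, 'ok')
    print(server.verify(pkt, "198.51.100.5", 1_000_004))   # (None, 'replay')
    print(server.verify(pkt, "203.0.113.9", 1_000_004))    # (None, 'bad mac')
```

The MAC is checked before the timestamp so that a forged packet learns nothing about the server's clock from the rejection reason; in a real daemon none of these reasons should be sent back at all, which is what keeps the host invisible to anyone without the secret.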

  15. i've noticed a lot of posts by timmarhy · · Score: 3, Insightful

    bagging secret methods of keeping things secure. well i'm sorry kids but ultimately keeping something secret is necessary for a secure system. what is NOT secure is keeping that secret in an accessible mode. good passwords are the most effective way of having a secret way into a system, since your brain isn't plugged into a computer it's only accessible to the correct person. port knocking sounds interesting, but it's like having a secret knock to let you in a physical door, anyone listening will know that secret knock.

    --
    If you mod me down, I will become more powerful than you can imagine....