Slashdot Mirror


Port Knocking in Action

tyldis writes "There was something called "port knocking" mentioned on Slashdot earlier, and now an implementation has sprung to life. Is this something worth pursuing?" The link is to an application called knockd, a simple proof of concept with hard-coded knock sequences. Really interesting stuff.

1 of 430 comments

  1. Re:More secure than people think by evilviper · Score: 0, Troll

    Bloody hell!

    Yeah, that's just wonderful. We'll just leave a port open, add secure crypto to the mix, just to determine a sequence of ports to hit, that then open up the regular ports.

    <SARCASM>
    That's just so much better than logging in via SSH and forwarding whatever ports you need... Oh yeah, so much of an improvement.

    Sorry guy, this whole idea is just riddled with bad ideas, and provides nothing useful for them.

    And you know something, with SSH port forwarding, I'm not screwed if I'm behind a firewall that blocks a port or two. Good luck when you're on some consumer-level ISP connection, and your port knocking sequence requires you to hit port 25, 139, 443, etc. With SSH, you only need one port open (22), and the rest go over that connection. It's already more cryptographically secure than any port-knocking system you could come up with, and far more flexible.

    Did I mention that SSH isn't particularly vulnerable to DoS attacks?

    And if you don't want to have all your connections going over the SSH connection, you could go with PF-Auth, which can modify the firewall rules on the fly based upon your SSH session.

    Nope, this whole port knocking idea is just nonsense.

    --
    Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
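The mechanism the comment argues about (a hard-coded sequence of ports that, when hit in order within a time window, unlocks the regular service for that source) as an added example; this is not code from the thread or from knockd. It is a small server-side knock matcher in Python run over constructed iptables-style log lines. The sequence 25, 139, 443, the 10-second window, the log format and the addresses are all assumptions. It also shows the comment's point about blocked ports: the client at 192.0.2.9, whose upstream filters port 25, never completes the sequence, and a client that knocks too slowly is reset by the window.

```python
import re
from dataclasses import dataclass

# Hypothetical hard-coded knock sequence and completion window (assumptions,
# chosen to match the ports the comment mentions).
KNOCK_SEQUENCE = [25, 139, 443]
KNOCK_WINDOW = 10.0  # seconds in which the whole sequence must arrive

# Constructed firewall log lines (timestamp, then iptables-style fields).
CONSTRUCTED_LOG = [
    # 203.0.113.5 knocks the full sequence in order -> unlocked
    "1000.0 kernel: KNOCK IN=eth0 SRC=203.0.113.5 DST=198.51.100.1 PROTO=TCP SPT=40123 DPT=25",
    "1000.5 kernel: KNOCK IN=eth0 SRC=203.0.113.5 DST=198.51.100.1 PROTO=TCP SPT=40124 DPT=139",
    "1001.0 kernel: KNOCK IN=eth0 SRC=203.0.113.5 DST=198.51.100.1 PROTO=TCP SPT=40125 DPT=443",
    # 192.0.2.9 sits behind an ISP that filters port 25: its first knock never arrives
    "1002.0 kernel: KNOCK IN=eth0 SRC=192.0.2.9 DST=198.51.100.1 PROTO=TCP SPT=51000 DPT=139",
    "1002.4 kernel: KNOCK IN=eth0 SRC=192.0.2.9 DST=198.51.100.1 PROTO=TCP SPT=51001 DPT=443",
    # 198.51.100.77 knocks correctly but too slowly: the window expires after the first knock
    "1050.0 kernel: KNOCK IN=eth0 SRC=198.51.100.77 DST=198.51.100.1 PROTO=TCP SPT=6000 DPT=25",
    "1075.0 kernel: KNOCK IN=eth0 SRC=198.51.100.77 DST=198.51.100.1 PROTO=TCP SPT=6001 DPT=139",
    "1075.5 kernel: KNOCK IN=eth0 SRC=198.51.100.77 DST=198.51.100.1 PROTO=TCP SPT=6002 DPT=443",
]

LOG_RE = re.compile(r"^(?P<ts>\d+(?:\.\d+)?) .*SRC=(?P<src>[\d.]+) .*DPT=(?P<dpt>\d+)")


@dataclass
class KnockState:
    """Progress of one source address through the sequence."""
    started: float  # timestamp of the first correct knock
    index: int = 0  # how many ports of the sequence have been hit so far


class KnockDaemon:
    """Tracks per-source knock progress and records which sources completed it."""

    def __init__(self, sequence, window):
        self.sequence = list(sequence)
        self.window = float(window)
        self.states = {}   # src -> KnockState
        self.opened = []   # (timestamp, src) for every completed sequence

    def observe(self, ts, src, dpt):
        """Feed one observed packet; return True when it completes the sequence."""
        st = self.states.get(src)
        # No progress yet, or the window expired: start from scratch.
        if st is None or ts - st.started > self.window:
            st = KnockState(started=ts)
            self.states[src] = st
        if dpt != self.sequence[st.index]:
            # Wrong port resets this source; the packet may itself be a fresh first knock.
            st = KnockState(started=ts)
            self.states[src] = st
            if dpt != self.sequence[0]:
                return False
        st.index += 1
        if st.index == len(self.sequence):
            self.opened.append((ts, src))
            del self.states[src]
            return True
        return False

    def process_log(self, lines):
        """Replay log lines through the matcher; return the list of unlocked sources."""
        for line in lines:
            m = LOG_RE.match(line)
            if not m:
                continue
            self.observe(float(m["ts"]), m["src"], int(m["dpt"]))
        return list(self.opened)


def run_example():
    """Replay the constructed log; only 203.0.113.5 completes the sequence."""
    return KnockDaemon(KNOCK_SEQUENCE, KNOCK_WINDOW).process_log(CONSTRUCTED_LOG)


if __name__ == "__main__":
    for ts, src in run_example():
        print(f"{ts}: sequence completed by {src}")
```

The `opened` list is where a real daemon would add its firewall rule for the source; here it is just returned so the result can be inspected. The reset-on-wrong-port and window behaviour are the two places where such a matcher decides what counts as a valid knock, so they are the parts worth reading closely.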