Slashdot Mirror


Knock Safely With portknocking_v1.0

mrdeathgod writes "The Port Knocking project at SourceForge has just released portknocking_v1.0. Based on my undergrad thesis, this client/server package does not use pre-defined knock sequences, but rather utilizes Blowfish in order to encrypt the client data into a sequence of port numbers. This enables a client with the proper password to remotely manipulate firewall rules without fear of replay attacks. While currently designed for FreeBSD+ipfilter, expanded portability is in the works."

7 of 78 comments

  1. I'm still not convinced... by dotz · Score: 4, Interesting
    Even after reading this one.

    A list of one-time passwords & a simple daemon that verifies them & enables ssh access (in some high-level language) at the user's request would do just as fine. Give such a daemon some IQ, so it would make brute-force attacks very hard, and you have the same thing. Except for the "cool" part.

  2. Re:You forget by Curien · Score: 4, Interesting

    Huh? Without portknocking, you have to have at least /one/ listening service.

    The advantage with portknocking is that if someone was scanning IP ranges for computers running exposed services, you won't show up as a valid target. You'll look like an unused IP or a computer that's off (or one that's simply firewalled every port).

    --
    It's always a long day... 86400 doesn't fit into a short.
  3. three things by Hubert_Shrump · Score: 3, Interesting
    1. you have a single point of vulnerability in your daemon
    2. for the moderately paranoid, you can just shove all your stuff up into the ephemeral port range - most portscanners don't scan past 6000 unless you tell them to
    3. anyone that didn't think this thread would be mainly about 'kock' hasn't had their coffee. such as myself
    4. there is no item the fourth
    --
    Keep your packets off my GNU/Girlfriend!
  4. Re:You forget by Anonymous Coward · Score: 1, Interesting

    That explains it for me. I couldn't think of a reason this is useful. Its only advantage over ssh is stealth. Stealth is of little advantage to white hats (please no, security through obscurity arguments). Black hats love stealth. This will be a great technology for open proxies, etc.

  5. Re:You forget by Khazunga · Score: 2, Interesting
    Just use a datagram service, like UDP instead of TCP. Have your protocol not reply to requests until the authentication is done. Presto! It works, has all the benefits of port knocking, and uses no clever trick.

    This is a solution in search of a problem....

    --
    If at first you don't succeed, skydiving is not for you
  6. Broken Implementation by btg · Score: 4, Interesting

    Not only is the concept stupid, but I looked at the guy's thesis for five seconds and his crypto is totally broken - there is a trivial known plaintext attack to recover the secret password if you can intercept knocks on the wire. The plaintext is [IP addr][port][action] for 4 + 2 + 1 bytes each. The last byte is pad - which is cunningly hardwired to null.

    The IP address makes up 4 bytes of a 7 byte plaintext (which is already small enough to brute force) and the IP address will be that of the knocking host. Wait, it gets worse! The "action" byte is basically "open" or "close" and the port bytes don't quite use the full 2^16 range. In other words I need to brute force a little less than 17 bits. This is only challenging if I want to make like ET and do it with a reprogrammed Speak N Spell.

    Back to sleep for me until version 5.0.
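As an added example (not the portknocking_v1.0 code and not from anyone in the thread): a sketch of how the knock described in the summary, client data encoded into a sequence of port numbers, can be made resistant to the replay and known-plaintext problems raised above by using an HMAC tag plus a per-client counter instead of raw Blowfish, and by binding the packet source address into the tag rather than transmitting it. The secret and IP addresses are constructed for the example.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed example: the knock carries (target port, action, counter) in the
# clear and a 40-bit HMAC tag over those fields plus the client IP, which the
# server already sees as the packet source. Replays are rejected by a counter.
ACTIONS = {"open": 0, "close": 1}
ACTION_NAMES = {v: k for k, v in ACTIONS.items()}
TAG_LEN = 5  # 7-byte body + 5-byte tag = 12 bytes = 6 port numbers

def _mac(secret, client_ip, body):
    """Tag binds the request to the knocking host without sending its address."""
    ip = ipaddress.ip_address(client_ip).packed
    return hmac.new(secret, ip + body, hashlib.sha256).digest()[:TAG_LEN]

def encode_knock(secret, client_ip, port, action, counter):
    """Client side: return the ordered list of 6 ports to knock on."""
    body = struct.pack(">HBI", port, ACTIONS[action], counter)
    payload = body + _mac(secret, client_ip, body)
    # Each 16-bit word becomes one port. A real deployment must also avoid
    # port 0 and ports already in use on the server; this sketch does not.
    return list(struct.unpack(">6H", payload))

class KnockServer:
    def __init__(self, secret):
        self.secret = secret
        self.last_counter = {}  # per-client-IP high-water mark for replay checks

    def verify(self, src_ip, ports):
        """Server side: return (port, action) for an authentic, fresh knock
        from src_ip (taken from the packet source), otherwise None."""
        if len(ports) != 6 or any(not 0 <= p <= 0xFFFF for p in ports):
            return None
        payload = struct.pack(">6H", *ports)
        body, tag = payload[:7], payload[7:]
        # Constant-time tag comparison before trusting any field in the body.
        if not hmac.compare_digest(tag, _mac(self.secret, src_ip, body)):
            return None
        port, action, counter = struct.unpack(">HBI", body)
        if action not in ACTION_NAMES or counter <= self.last_counter.get(src_ip, -1):
            return None  # unknown action, or a replayed / out-of-order knock
        self.last_counter[src_ip] = counter
        return port, ACTION_NAMES[action]
```

A replayed sequence, or the same sequence sent from another source address, fails verification because the counter has been consumed and the tag no longer matches the packet source.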

    1. Re:Broken Implementation by Hektor_Troy · Score: 2, Interesting

      It's proof of concept, not "here, use this in your ultra secretive secure thing-a-ma-jig".

      I knew a guy who had ten locks on his door. You had to turn the key the same way to lock and unlock. He usually only locked two or three locks when he left, simply because he figured that by the time he gets home, a possible burglar still hasn't unlocked the door (probably by locking some of the unlocked locks).

      This is (to me anyway) somewhat the same thing.

      It may not be entirely difficult to figure out what ports are being used to knock, but as I understand port knocking, there's more to it than just the ports; the timing has to be right as well. And using a one-time pad makes sniffing useless. And just how do you brute force a secret knock?

      Just for kicks, let's say we restrict ourselves to knocking on 4 ports, and we have a range of 128 ports.

      Well, if you can knock on a port more than once, you'll end up with 128^4 (268.435.456) (it could be 4^128 which is MUCH worse). Not too shabby, right?

      This is even ignoring any timing restrictions. If you have to say knock on port 1004 first, wait 3 seconds, knock on port 1100, wait 1 second, knock on 1001, wait 5 seconds, knock on port 1027, HOW would you brute that? Remember, knocking on a wrong port in the sequence will reset your attempt.

      I don't even want to speculate on the numbers in that case.

      --
      We do not live in the 21st century. We live in the 20 second century.