Knock Safely With portknocking_v1.0
mrdeathgod writes "The Port Knocking project at SourceForge has just released portknocking_v1.0. Based on my undergrad thesis, this client/server package does not use pre-defined knock sequences, but rather utilizes Blowfish in order to encrypt the client data into a sequence of port numbers. This enables a client with the proper password to remotely manipulate firewall rules without fear of replay attacks. While currently designed for FreeBSD+ipfilter, expanded portability is in the works."
should be knock safely. Not the trollish "kock safely..."
OH FUX BYE BYE KARMA
Trolling while logged in is what it's all about brotha'. If you can get CmDrTaco to revoke your account, you da man!
i usually use condoms when i want to kock safely ;-P
Right, I even went and looked up 'Kock' and this is what I got 'No entry found for kock.'
Slashdot: Tabloid for the nerds. Stuff that doesn't matter.
If you're gonna let your port get kocked, do it safely.
"Kock safely?"
My
Limekiller
Admonishing us for not using the preview button or a spell checker?! :D
:P
"Well. I guess I'll have to see your 'dupe on the same day' and I raise you... a glaring spelling mistake in a title."
At least the editors can edit their entries.
Karma? What's that again?
_Kock Safely With portknocking_v1.0_
Posted by timothy on Fri Jun 18, '04 01:57 AM
from the who-is-it-this-time dept.
A list of one-time passwords & a simple daemon, that verifies them & enables ssh access (in some high level language) at the user request would do as fine. Give such daemon some IQ, so it would make brute-force attacks very hard, and you have the same thing. Except for the "cool" part.
Freudian slip, much?
(Score:0, Offtopic)
WTF?
the topic is:
"Kock Safely With portknocking_v1.0"
It's not my fault the topic is offtopic..
-metric
That a portscan reveals nothing in the case of port knocking.
And it shows a listening port in the case of the daemon, well, listening, conventionally.
It's better to be the foot on the boot than the face on the pavement. ~~ tkx Kadin2048
KOCK safely!!! Bwahahaha, I=funny. Because KOCK looks like COCK and that's funny! You get it, right? Get it????!!! They wrote KOCK when they meant KNOCK, and KOCK looks like COCK, as in a FLAMING PENIS OF DOOM, so it's really funny and we should all be giggling like little boys.
KOCK=funny.
i had fun modding down the rest of your comments. thanks troll.
If you enable portknocking, your computer does not show up in an IP range portscan as a target. To a portscanner, your computer looks like all ports are closed, no way to reach it. It's turned off for all the port scanner knows. So the 5kr1p7 k1dd1ez will not bother you.
It would be stupid, though, if *after* the port knock opens some door, you get to open a telnet port for instance, instead of a more secure ssh port.
What the topic *is* about is that now you can have OTPs and other types of non-fixed port knocks. Additionally to the security of not being "seen" by port scans, the port knock sequence changes and is more difficult to brute force.
It's better to be the foot on the boot than the face on the pavement. ~~ tkx Kadin2048
*bing* *bong* Captain Obvious to aisle 5 ..... Paging Captain Obvious...
This does nothing more than redefine an existing problem. It's still a communication channel between two participants, whether the bits are conveyed inside the IP packets, or as attributes of the IP header.
The "genius" of this approach seems to lie in the fact that the closed machine makes no response whatsoever until a valid doorknock sequence is received, which renders the system more clandestine from a very narrow point of view.
One of the reasons why ssh security negotiation is two sided is to eliminate replay attacks. The doorknock concept is going to have a problem with this.
I find it interesting to imagine that the doorknock sequence is defined as a function of the IP address of the requesting system. This would eliminate a replay attack by an adversary who can snoop traffic, originate traffic under its own identity, but not actively impersonate.
It's nothing major. It's just that Michael's "N" key is worn out from "approving" stories:
That explains why it's so hard to get your stories posted. (wink, wink, nudge, nudge)
Overrated / Underrated : Moderation
Cake is funny. Muffin? Not funny.
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
Keep your packets off my GNU/Girlfriend!
... only if I had mod points :)
Anyway, dear /. editors, it's a great way to ruin a story. 90% of posts in this discussion are offtopic, just because you did a typo (for those who plan to mod me down - I did post a serious comment already, have mercy!).
when the ports are a-kockin....
Why do you need to go to the trouble of hitting a one time sequence of closed ports rather than just knocking with a one time password in a single UDP datagram?
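Added example, not part of the thread and not portknocking_v1.0's code: a server-side check for the single-datagram knock asked about above, bound to the requester's IP address as an earlier comment suggests. The wire format, `MAX_SKEW`, the function and class names, and the use of HMAC-SHA256 in place of the project's Blowfish encoding are all assumptions made for illustration; it also assumes the thread's threat model, where an eavesdropper can replay a captured knock from its own address but cannot impersonate the client's.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed wire format (an assumption of this example):
# source IPv4 (4) | port (2) | action (1) | timestamp (8) | nonce (8) | HMAC (32)
HEADER = struct.Struct("!4sHBQ8s")
TAG_LEN = hashlib.sha256().digest_size
MAX_SKEW = 30            # seconds during which a knock is accepted
CLOSE, OPEN = 0, 1


def build_knock(key: bytes, src_ip: str, port: int, action: int,
                now: int, nonce: bytes) -> bytes:
    """Client side: serialize the request and append an HMAC over it."""
    body = HEADER.pack(ipaddress.IPv4Address(src_ip).packed,
                       port, action, now, nonce)
    return body + hmac.new(key, body, hashlib.sha256).digest()


class KnockVerifier:
    """Server side: authenticate a datagram before any firewall rule changes."""

    def __init__(self, key: bytes):
        self.key = key
        self.seen = {}   # nonce -> timestamp, kept only while still acceptable

    def verify(self, datagram: bytes, observed_src: str, now: int):
        """Return (ip, port, action) for a valid knock, otherwise None."""
        if len(datagram) != HEADER.size + TAG_LEN:
            return None
        body, tag = datagram[:HEADER.size], datagram[HEADER.size:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # Authenticate first, so port-scan noise can never create a rule.
        if not hmac.compare_digest(tag, expected):
            return None
        ip_raw, port, action, ts, nonce = HEADER.unpack(body)
        # IP binding: a knock captured on the wire is useless from another host.
        if ip_raw != ipaddress.IPv4Address(observed_src).packed:
            return None
        # Freshness: bounds how long a captured knock could be replayed at all.
        if abs(now - ts) > MAX_SKEW:
            return None
        if action not in (OPEN, CLOSE):
            return None
        # Replay cache: forget nonces whose knocks have expired anyway.
        self.seen = {n: t for n, t in self.seen.items()
                     if abs(now - t) <= MAX_SKEW}
        if nonce in self.seen:
            return None
        self.seen[nonce] = ts
        return (observed_src, port, action)


if __name__ == "__main__":
    key = b"constructed-demo-key-32-bytes..."      # constructed sample key
    server = KnockVerifier(key)
    knock = build_knock(key, "192.0.2.10", 22, OPEN, 1000, b"\x01" * 8)
    print(server.verify(knock, "192.0.2.10", 1005))    # accepted
    print(server.verify(knock, "192.0.2.10", 1006))    # replay from same host
    print(server.verify(knock, "198.51.100.7", 1005))  # replay from another host
```

The client has to put the address the server will actually observe into the knock, so a client behind NAT needs to know its public address.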
Traditionally, port communications are safeguarded by the application behind the port. This means that if you have 13 network applications, there are 13 possible ways of someone owning your system with a trojan.
On the other hand, portknocking is handled by a single daemon that is simpler than most applications. Portknocking could even be handled by the OS.
This means that instead of having to trust several net-connected programs with your system security, whose primary focus will probably not be safety, you only have to trust 1 program which IS focused on security. Added to that, a portknocking program is easier to make safe because it's simpler than most other programs which have to handle both network defence AND some other task (Instant Messaging).
- -- Truth addict for life.
"It's dead, Jim."
Except this one was posted by timothy.
Nice. Reference. To. The. Film: the Sunshine Boys
I have implemented such a system and am presenting on the subject of Cryptographic Port Knocking @ BlackHat this year!
Check out the abstract @ http://www.hexi-dump.org/bytes.html
Also, it seems that an ordinary portscan would add 32 random firewall rules, that would never be cleaned up.
I'm not even going to mention that an MD5 hash is used to determine if the original file has changed.
I don't know about all this port knocking. The other day, my valves were knocking, and that concerned me quite a bit, as I just recently finished a head job, and the knocking tells me that I didn't adjust the valves correctly. The last thing I need now is my ports knocking too... that would totally ruin the engine. You can't find Stage-1 455's in this condition anymore.
Not only is the concept stupid, but I looked at the guy's thesis for five seconds and his crypto is totally broken - there is a trivial known plaintext attack to recover the secret password if you can intercept knocks on the wire. The plaintext is [IP addr][port][action] for 4 + 2 + 1 bytes each. The last byte is pad - which is cunningly hardwired to null.
The IP address makes up 4 bytes of a 7 byte plaintext (which is already small enough to brute force) and the IP address will be that of the knocking host. Wait, it gets worse! The "action" byte is basically "open" or "close" and the port bytes don't quite use the full 2^16 range. In other words I need to brute force a little less than 17 bits. This is only challenging if I want to make like ET and do it with a reprogrammed Speak N Spell.
Back to sleep for me until version 5.0.
Okay, so we have portknocking, but do we have clients that can utilize it?
Let's say I want to access machine X's ssh daemon, which utilizes portknocking, is there any ssh client today that can access it?
Anyhow, I'm gonna name my firewall "Heavens door" when this works.
Butthead: you portknocker! Beavis: he he hehehe Butthead: uhhh huh haha Beavis: he he.... you said knocker Butthead: uhhhh huh ha ha huh Beavis: he hehe he
no that's hemos
Can't find the strip... "Kafka is twice as funny to neoclassical existentialists. But rape is funny and I don't hear a k. The implication is you can FEEL the k."
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON