Slashdot Mirror
Knock Safely With portknocking_v1.0
mrdeathgod writes "The Port Knocking project at SourceForge has just released portknocking_v1.0. Based on my undergrad thesis, this client/server package does not use pre-defined knock sequences, but rather utilizes Blowfish in order to encrypt the client data into a sequence of port numbers. This enables a client with the proper password to remotely manipulate firewall rules without fear of replay attacks. While currently designed for FreeBSD+ipfilter, expanded portability is in the works."
i usually use condoms when i want to kock safely ;-P
A list of one-time passwords & a simple daemon, that verifies them & enables ssh access (in some high level language) at the user request would do as fine. Give such daemon some IQ, so it would make brute-force attacks very hard, and you have the same thing. Except for the "cool" part.
That a portscan reveals nothing in the case of port knocking.
And it shows a listening port in the case of the deamon, well, listening, conventionally.
It's better to be the foot on the boot than the face on the pavement. ~~ tkx Kadin2048
If you enable portknocking, your computer does not show up in a IP range portscan as a target. To a portscanner, your computer looks like all ports are closed, no way to reach it. It's turned off for all the port scanner knows. So the 5kr1p7 k1dd1ez will not bother you.
I would be stupid, though, if *after* the port knock open some door, you get to open a telnet port for instance, instead of a more secure ssh port.
What the topic *is* about is that now you can have OTPs and other types of non-fixed port knocks. Additionally to the security of not being "seen" by port scans, the port knock sequence changes and is more difficult to brute force.
It's better to be the foot on the boot than the face on the pavement. ~~ tkx Kadin2048
It's nothing major. It's just that Michael's "N" key is worn out from "approving" stories:
That explains why it's so hard to get your stories posted. (wink, wink, nudge, nudge)
Overrated / Underrated : Moderation
This isn't an attempt to redefine a problem, this is an attempt to provide a diffrent solution to a known problem. Two sided ssh security negotiation might work great for your application, but it might not be so hot for mine. Diffrent solutions have diffrent strenghts and weaknesses, and the more solutions we have, the better able we are to select one which matches our security needs. Options are a /good/ thing.
And honestly, its a damn good idea with a simple implementation. Because its so simple to implement, there will be more than one portknock server. How would an external attacker know if a broken version of portknock was being used, or if there wasn't even a computer there?
Pay attention to portknock, because you will see it again.
--Cam
All jocks think about is sports. All nerds think about is sex.
Keep your packets off my GNU/Girlfriend!
Anyway, dear /. editors, it's a great way to ruin a story. 90% of posts in this discussion are offtopic, just because you did a typo (for those who plan to mod me down - I did posted a serious comment already, have mercy!).
Why do you need to go to the trouble of hitting a one time sequence of closed ports rather than just knocking with a one time password in a single UDP datagram?
Traditionally, port communications are safeguarded by the application behind the port. This means that if you have 13 network applications, there are 13 possible ways of someone owning your system with a trojan.
On the other hand, portknocking is handled by a single daemon that is simpler than most applications. Portknocking could even be handled by the OS.
This means that instead of having to trust several net-connected programs with your system security, whose primary focus will probably not be safety, you only have to trust 1 program which IS focused on security. Added to that, a portknocking program is easier to make safe because it's simpler than most other programs which have to handle both network defence AND some other task (Instant Messaging).
- -- Truth addict for life.
Sigh... I can't believe I'm actually responding to this troll. Anyways
The code looks like it was designed by some one who just learned C because, well, it was. The code is something called a proof of concept. A proof of concept, for those that are unfamiliar with the idea, is when something is quickly done just to prove that it might work and is feasible. Its usually the first step that leads to larger projects that address concerns like segfaulting.
And NO security measures, short of pulling the plug, is immune to DoS. So ignoring a security messure that is succeptable to an attack that almost all security measures are not immune to is idiotic. Perhaps I should stop using my firewall because my poor 56k modem can get DoSed.
--Cam
All jocks think about is sports. All nerds think about is sex.
Not only is the concept stupid, but I looked at the guy's thesis for five seconds and his crypto is totally broken - there is a trivial known plaintext attack to recover the secret password if you can intercept knocks on the wire. The plaintext is [IP addr][port][action] for 4 + 2 + 1 bytes each. The last byte is pad - which is cunningly hardwired to null.
The IP address makes up 4 bytes of a 7 byte plaintext (which is already small enough to brute force) and the IP address will be that of the knocking host. Wait, it gets worse! The "action" byte is basically "open" or "close" and the port bytes don't quite use the full 2^16 range. In other words I need to brute force a little less than 17 bits. This is only challenging if I want to make like ET and do it with a reprogrammed Speak N Spell.
Back to sleep for me until version 5.0.