Slashdot Mirror


Combining Port Knocking With OS Fingerprinting

michaelrash writes "Port knocking implementations are on the rise. I have just released fwknop (the Firewall Knock Operator) at DEF CON 12. Fwknop implements both shared and encrypted knock sequences, but with a twist; it combines knock sequences with passive operating system fingerprints derived from p0f. This makes it possible to allow, say, only Linux systems to connect to your SSH daemon. Fwknop is based entirely around iptables log messages and so does not require a separate packet capture library. Also, at the Black Hat Briefings, David Worth has released a cryptographic port knock implementation based around one-time pads."
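As an added illustration (not fwknop's own code, and not from the submitter or any commenter): a minimal knock daemon in the style the summary describes, reading iptables LOG lines and admitting a source only when its completed knock sequence also matches a p0f-style OS guess. The log lines, the knock sequence, the TTL/window heuristic and the Linux-only policy are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed iptables LOG lines (sample data, not from the page). The field
# layout follows the kernel LOG target: SRC, DST, TTL, PROTO, DPT, WINDOW, ...
SAMPLE_LOG = """\
Jul 31 10:00:01 fw kernel: KNOCK IN=eth0 SRC=203.0.113.5 DST=198.51.100.2 TTL=64 ID=0 DF PROTO=TCP SPT=40001 DPT=1001 WINDOW=5840 SYN
Jul 31 10:00:02 fw kernel: KNOCK IN=eth0 SRC=203.0.113.5 DST=198.51.100.2 TTL=64 ID=0 DF PROTO=TCP SPT=40002 DPT=2002 WINDOW=5840 SYN
Jul 31 10:00:03 fw kernel: KNOCK IN=eth0 SRC=203.0.113.5 DST=198.51.100.2 TTL=64 ID=0 DF PROTO=TCP SPT=40003 DPT=3003 WINDOW=5840 SYN
Jul 31 10:00:05 fw kernel: KNOCK IN=eth0 SRC=203.0.113.9 DST=198.51.100.2 TTL=128 ID=7 DF PROTO=TCP SPT=1025 DPT=1001 WINDOW=65535 SYN
Jul 31 10:00:06 fw kernel: KNOCK IN=eth0 SRC=203.0.113.9 DST=198.51.100.2 TTL=128 ID=8 DF PROTO=TCP SPT=1026 DPT=2002 WINDOW=65535 SYN
Jul 31 10:00:07 fw kernel: KNOCK IN=eth0 SRC=203.0.113.9 DST=198.51.100.2 TTL=128 ID=9 DF PROTO=TCP SPT=1027 DPT=3003 WINDOW=65535 SYN
Jul 31 10:00:09 fw kernel: KNOCK IN=eth0 SRC=203.0.113.7 DST=198.51.100.2 TTL=64 ID=0 DF PROTO=TCP SPT=50000 DPT=1001 WINDOW=5840 SYN
Jul 31 10:00:10 fw kernel: KNOCK IN=eth0 SRC=203.0.113.7 DST=198.51.100.2 TTL=64 ID=0 DF PROTO=TCP SPT=50001 DPT=3003 WINDOW=5840 SYN
"""

KNOCK_SEQUENCE = (1001, 2002, 3003)   # assumed shared knock sequence
ALLOWED_OS = {"linux"}                # policy from the summary: Linux only

LOG_RE = re.compile(r"SRC=(\S+) .*?TTL=(\d+) .*?DPT=(\d+) WINDOW=(\d+)")

def guess_os(ttl, window):
    """Simplified p0f-style guess from the SYN's TTL and initial window
    (assumption: Linux 2.4/2.6 SYNs use window 5840; TTL near 128 is Windows)."""
    if ttl <= 64 and window == 5840:
        return "linux"
    if 64 < ttl <= 128:
        return "windows"
    return "unknown"

def process_log(lines):
    """Return {src: (os_guess, allowed)} for each source that completed the
    knock sequence in order; a wrong port resets that source's progress."""
    progress = defaultdict(int)
    decisions = {}
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        src, ttl, dpt, window = m.group(1), int(m.group(2)), int(m.group(3)), int(m.group(4))
        if dpt == KNOCK_SEQUENCE[progress[src]]:
            progress[src] += 1
        else:
            progress[src] = 1 if dpt == KNOCK_SEQUENCE[0] else 0
        if progress[src] == len(KNOCK_SEQUENCE):
            os_guess = guess_os(ttl, window)          # fingerprint the final knock
            decisions[src] = (os_guess, os_guess in ALLOWED_OS)
            progress[src] = 0
    return decisions
```

In the sample, the Linux-looking host completes the knock and is admitted, the Windows-looking host completes it but is refused by policy, and the third host never completes the sequence.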

9 of 154 comments

  1. The more complicated you make it, by Anonymous Coward · · Score: 5, Insightful

    the bigger is the chance of screwing up. The point of port knocking is to have a simple and therefore less bug prone layer around real authentication systems like ssh, so that when a bug in ssh is found, portscanners don't find your vulnerable service. Complicated port knocking systems defeat the purpose of port knocking.

  2. Port knocking, firewalls, DMZs,... by Rosco P. Coltrane · · Score: 4, Insightful

    are techniques I've seen appearing for the last 10 years that are designed to compartment sections of the net. They make me sad, because that's definitely not what the net was intended to be, i.e. a global interconnected network of machines to freely communicate. Instead, the net is slowly being segregated, and you'll soon have to show some sort of proof of identity to do anything other than HTTP. If you don't believe me, just consider how hard it is to do something as mundane as a DCC CHAT on IRC today, as opposed to, say, in 1994.

    I realize the need for these things, basically forced upon us by the combination of commercial interests, shitty insecure OS, script kiddies and greedy crackers (not hackers), but all the same, I can't help realize that the internet of today is a far cry from what it was intended to be in terms of freedom of communication...

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
    1. Re:Port knocking, firewalls, DMZs,... by grasshoppa · · Score: 4, Insightful

      Never under-estimate the power of stupid people in large groups.

      I can't help realize that the internet of today is a far cry from what it was intended to be in terms of freedom of communication

      Um...wasn't the internet born at the department of defense? Awfully nice of them, to make this huge network for freedom of communication.

      Oh, wait, that's not what it was intended for. It was intended to be a network of communication, built to survive outages of several large nodes, in case of a nuclear attack. It's only been as more and more people began romanticising it, that we've come up with this free communications thing.

      While I'm not opposed to it, I am realistic about it. Would you leave your car, complete with keys, parked in a stadium parking lot, with an open door, and a sign stuck on the steering wheel saying, "Please don't take"? That's essentially what you do with your computer when you go online without any sort of protection (short of the sign, mind you).

      --
      Mod me down with all of your hatred and your journey towards the dark side will be complete!
    2. Re:Port knocking, firewalls, DMZs,... by enigma48 · · Score: 4, Insightful

      I'm not a history buff but I can't recall anything I've read about ARPAnet being created with the intention of complete access to all connected machines.

      I think the majority of people - geeks included, but not to the exclusion of everyone else - think the internet, on the whole, is performing fairly reasonably. Just like in reality, when you have a small group of people working together, issues of trust are much easier to deal with compared to working with hundreds of millions of people.

      Blaming "commercial interests, shitty insecure OS, ..." are symptoms of having a ton of people connected. Assuming the internet would be perfect if those bad people didn't exist, there'd be a new group people didn't like: spammers, NET SENDers, etc. Once they are gone, we'd be left with people that use software we don't like, or people from a country we don't like.

      Soon enough, the Internet would be compartmentalized exactly the way you fear - into groups of like-minded people instead.

      The Internet isn't supposed to be utopia. It was about making resources easier to access and it does that job amazingly well, given the imperfect people using it.

  3. Security Through Obscurity by gst · · Score: 4, Insightful

    Not more - not less. All that portknocking does is shifting the security to a layer where it doesn't belong.

    And even if you don't want others to see that there are services running on your host there are better solutions. e.g. sending a special string to some UDP port.

    If someone can sniff your traffic and he knows about portknocking it's trivial for him to detect it. If someone can't sniff your traffic there's no advantage in using portknocking.

    1. Re:Security Through Obscurity by RC515 · · Score: 4, Insightful

      Port knocking has one specific and reasonable purpose: It hides open ports from port scanners. Yes, it's security by obscurity, but as it's supposed to be another layer, it can increase security if, and only if it's simple enough that there is a near-zero chance of introducing new exploitable bugs into the system. Passive monitoring is not necessarily unexploitable. There are bugs in packet capture tools. There will be exploitable bugs in complicated port knocking daemons. Keep port knocking simple and it can be a valuable security enhancement. Make it complicated and it becomes another thing that can break.

      Port knocking buys you the time between a new ssh exploit and the fix. It significantly reduces the chance of being found by portscanners and therefore of being hacked. You still have to fix ssh though.

  4. Re:It's kinda cool by Lord Kano · · Score: 5, Insightful

    Not only is it security through obscurity

    Only in the same sense that passwords are security through obscurity.

    Right combination of keystrokes, right combination of ports to knock, these sound very similar to me.

    LK

    --
    "Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
  5. Re:It's kinda cool by Sancho · · Score: 5, Insightful

    It's not. I almost suspect you of trolling.

    The primary purpose of port knocking is to hide the fact that you have open ports to begin with. You don't want to have those ports unprotected once the right knock sequence is in place. You want both password/challenge AND port knocking so no active scanner detects your open ports.

  6. Re:It's kinda cool by eric76 · · Score: 4, Insightful

    There is absolutely nothing wrong with using something a bit obscure to help fend off attacks.

    The only time that "security through obscurity" is wrong is if that is your entire approach to security.

    Even if you have the latest and greatest copy of the most secure software written to perform some service, there is always a possibility that there is something exploitable that is yet unknown.

    Port knocking is an excellent way to greatly reduce the probability that someone will be able to use a newly discovered exploit against your server before an update is available to fix the exploit.

    Of course, if someone is in the right place and can monitor the network traffic from another computer somewhere along the path, they can discover the port knocking sequence. For that reason, you still need your normal security and you still need to keep the patches up to date.

    But the result will still be a vastly improved possibility of avoiding an attack when a vulnerability is found.