Slashdot Mirror


Combining Port Knocking With OS Fingerprinting

michaelrash writes "Port knocking implementations are on the rise. I have just released fwknop (the Firewall Knock Operator) at DEF CON 12. Fwknop implements both shared and encrypted knock sequences, but with a twist; it combines knock sequences with passive operating system fingerprints derived from p0f. This makes it possible to allow, say, only Linux systems to connect to your SSH daemon. Fwknop is based entirely around iptables log messages and so does not require a separate packet capture library. Also, at the Black Hat Briefings, David Worth has released a cryptographic port knock implementation based around one-time pads."

6 of 154 comments

  1. It's kinda cool by Lord Kano · Score: 5, Interesting

    but is anyone out there using port knocking for serious security?

    LK

    --
    "Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
    1. Re:It's kinda cool by Lord Kano · Score: 5, Insightful

      Not only is it security through obscurity

      Only in the same sense that passwords are security through obscurity.

      Right combination of keystrokes, right combination of ports to knock, these sound very similar to me.

      LK

      --
      "Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
    2. Re:It's kinda cool by Sancho · Score: 5, Insightful

      It's not.. I almost suspect you of trolling.

      The primary purpose of port knocking is to hide the fact that you have open ports to begin with. You don't want to have those ports unprotected once the right knock sequence is in place. You want both password/challenge AND port knocking so no active scanner detects your open ports.

  2. The more complicated you make it, by Anonymous Coward · Score: 5, Insightful

    the bigger is the chance of screwing up. The point of port knocking is to have a simple and therefore less bug prone layer around real authentication systems like ssh, so that when a bug in ssh is found, portscanners don't find your vulnerable service. Complicated port knocking systems defeat the purpose of port knocking.

  3. Port knocking and some added ingredients by ThufirHawat · Score: 5, Interesting

    While port knocking is by now an established technique, I do not think OS fingerprinting adds anything useful, because the ease of static replay attacks is left unchanged by OS fingerprinting.
    Though not that easy, OS spoofing is not remarkably labour intensive, and setting up an "OS generator" that will replay the static attack with every known OS is a distinct possibility.
    In other words, though a nice intellectual possibility, it is perhaps of rather limited application.
    Now, mixing instead knocking and a cryptographic application seems to me instead more promising.

    --
    Thufir Hawat
    Part-time Mentat
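
The following is an added example and not code from fwknop, p0f or the thread's authors. It illustrates two things the discussion touches on: the summary's point that a knock detector can be driven entirely by iptables LOG lines (no packet capture library), and ThufirHawat's objection that a static sequence, with or without an OS check, is replayable. The log lines, hosts, ports, the `KNOCK` log prefix and the shared sequence are constructed; `guess_os` is a crude stand-in built only from the TTL and window fields a LOG line carries, not p0f's signature database; and the keyed, counter-bound sequence in `KnockVerifier` is my own HMAC-based illustration of a "cryptographic" knock, not fwknop's encrypted mode or David Worth's one-time-pad scheme.

```python
import hashlib
import hmac
import re

# Constructed iptables LOG-target lines (hosts, ports and timestamps are made up;
# the field names follow the kernel LOG format: SRC, DST, TTL, PROTO, DPT, WINDOW).
SAMPLE_LOG = """\
Jul 31 10:00:01 gw kernel: KNOCK IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=60 TTL=64 PROTO=TCP SPT=40001 DPT=7000 WINDOW=5840
Jul 31 10:00:02 gw kernel: KNOCK IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=60 TTL=64 PROTO=TCP SPT=40002 DPT=8000 WINDOW=5840
Jul 31 10:00:03 gw kernel: KNOCK IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=60 TTL=64 PROTO=TCP SPT=40003 DPT=9000 WINDOW=5840
Jul 31 10:00:05 gw kernel: KNOCK IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 LEN=60 TTL=128 PROTO=TCP SPT=1234 DPT=7000 WINDOW=65535
"""

KNOCK_SEQUENCE = (7000, 8000, 9000)   # static shared sequence (assumed for the demo)
KNOCK_TIMEOUT = 10                    # seconds allowed between consecutive knocks

TIME_RE = re.compile(r"^\w{3}\s+\d+\s+(\d+):(\d+):(\d+)\s")


def parse_log_line(line):
    """Turn one iptables LOG line into a dict, or return None if it is not a TCP log."""
    m = TIME_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
    if fields.get("PROTO") != "TCP" or "DPT" not in fields:
        return None
    h, mi, s = (int(x) for x in m.groups())
    return {
        "ts": h * 3600 + mi * 60 + s,
        "src": fields["SRC"],
        "dpt": int(fields["DPT"]),
        "ttl": int(fields["TTL"]),
        "window": int(fields["WINDOW"]),
    }


def guess_os(ttl, window):
    """Crude stand-in for a passive p0f-style fingerprint, built only from the
    fields an iptables LOG line carries. Real p0f signatures use far more."""
    if ttl <= 64 and window == 5840:
        return "linux"
    if 64 < ttl <= 128:
        return "windows"
    return "unknown"


def find_authorized_sources(lines, sequence=KNOCK_SEQUENCE, allowed_os=("linux",),
                            timeout=KNOCK_TIMEOUT):
    """Run the static knock state machine over log lines and return every source
    that completed the sequence in time with an allowed OS guess (in order seen)."""
    progress = {}          # src -> (index of the next expected port, time of last knock)
    authorized = []
    for line in lines:
        pkt = parse_log_line(line)
        if pkt is None:
            continue
        idx, last_ts = progress.get(pkt["src"], (0, pkt["ts"]))
        if pkt["ts"] - last_ts > timeout:
            idx = 0                               # took too long: start over
        if pkt["dpt"] == sequence[idx]:
            idx += 1
        else:
            idx = 1 if pkt["dpt"] == sequence[0] else 0   # wrong port resets
        if idx == len(sequence):
            if guess_os(pkt["ttl"], pkt["window"]) in allowed_os:
                authorized.append(pkt["src"])
            idx = 0
        progress[pkt["src"]] = (idx, pkt["ts"])
    return authorized


# --- keyed, counter-bound knocks: a recorded sequence cannot be replayed --------

def knock_ports_for_counter(key, counter, n_ports=3):
    """Derive a one-use port sequence from HMAC-SHA256(key, counter)."""
    digest = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return tuple(1024 + int.from_bytes(digest[2 * i:2 * i + 2], "big") % 64512
                 for i in range(n_ports))


class KnockVerifier:
    """Server side: accepts a sequence only if it matches an unused counter within
    a small look-ahead window, so an observed sequence is worthless afterwards."""

    def __init__(self, key, lookahead=5):
        self.key = key
        self.lookahead = lookahead
        self.last_counter = 0          # highest counter accepted so far

    def verify(self, observed_ports):
        observed = tuple(observed_ports)
        for c in range(self.last_counter + 1, self.last_counter + 1 + self.lookahead):
            if knock_ports_for_counter(self.key, c) == observed:
                self.last_counter = c  # consume this and every lower counter
                return True
        return False


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("static sequence, first pass:", find_authorized_sources(lines))
    print("static sequence, replayed  :", find_authorized_sources(lines + lines))
    key = b"constructed-demo-key"
    v = KnockVerifier(key)
    ports = knock_ports_for_counter(key, 1)
    print("keyed knock accepted:", v.verify(ports), "| same knock again:", v.verify(ports))
```

Feeding the constructed log through twice shows the static detector authorizing the same source twice, which is exactly the replay ThufirHawat describes; the OS guess does nothing to stop it, since the replayed packets carry the same TTL and window. The counter-bound variant accepts each derived sequence once and rejects it thereafter, with the look-ahead window absorbing a client that has advanced its counter without the server seeing it.
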
  4. Re:How much more is needed? by vranash · Score: 5, Interesting

    Because the next step is to generate 'fake' OS fingerprints for the client computer, thus ensuring not only must someone reply with the right sequence, but also send back the nuances of a specific OS to do so... kinda like receiving a callback to which you must reply in the proper accent before you'll be allowed in :)

    The above is completely conjecture, but it sure does sound cool ;p

    -- vranash