Gentoo Forums
Networking & Security
port knocking
iplayfast
PostPosted: Fri Feb 06, 2004 7:47 pm    Post subject: port knocking

Slashdot recently had an article about the use of port knocking to aid security. Basically it uses a series of closed port connection attempts to open a secure port which would not normally be open. http://www.linuxjournal.com/article.php?sid=6811&mode=thread&order=0 and www.portknocking.org have articles about it.

My question is, has anyone using Gentoo actually tried this, and are there any opinions as to how effective it is. It sounds good to me, but experience is often a better indicator.

If you have used it, how did you set it up? Any special tricks/conditions?
Immortal Q
PostPosted: Fri Feb 06, 2004 8:43 pm

I would love to try it - perhaps somebody with some free time could write a nice daemon? Something I could tie shell scripts to? I don't have enough programming/scripting experience to do it myself (yet) but I would be happy to debug and experiment with someone else's attempts.
triwebb1
PostPosted: Sat Feb 07, 2004 6:58 am

There is a set of Perl scripts on portknocking.org. Click on "download" on the left side of the screen and then on the link to download. I would give it a shot, but I really don't have any use for it. I do like the concept though.
BlinkEye
PostPosted: Wed Aug 18, 2004 1:26 pm

sounds like a good idea. i see one downside though: one must use his own custom config file. but there are so many possibilities of creating a port knocking sequence it would really slow down an attack
iplayfast
PostPosted: Wed Aug 18, 2004 3:21 pm

I recently read an article that explained that port knocking (which is accessing a sequence of open or closed ports in a predetermined order to open a closed port) is a system which relies on security through obscurity. If all computers used portknocking then the chances of a hacker trying to hack using portknocking goes up, since it is the expected method of security. Assuming this portknocking ends up being just a method of password, with the same security problems that normal passwords have.

I can see this, but I can also see an interesting solution.
You leave the port open that specifies the date and time. You ask the "secure" computer for the time, and round to the nearest 5 minutes. Take this time as an integer and feed that through a CRC type algorithm along with a machine's password. Use the resulting number as a seed to a random number generator, access the ports specified by the first N digits returned by the random number generator modified by an xor of the machine's password on each digit.

This method is like having two passwords, the first is the machine's password, the second is derived by the datetime run through the CRC algorithm. As the datetime is always changing, the password is always changing as well.


Any thoughts?
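One way to build the time-dependent sequence iplayfast sketches, as an added example (this is not code from the thread or from any port-knocking project). It keeps the 5-minute rounding and the per-machine secret, but swaps the CRC / random-number / XOR steps for a keyed hash (HMAC-SHA256), which is the standard way to derive unpredictable values from a secret and a counter. The secret value, the sequence length of 4, the port range 1024 to 65535 (so derived knocks stay off ports that services use) and the one-window grace period on the server side are all assumptions made for the example.

```python
import hashlib
import hmac
import time

SECRET = b"example-shared-secret"   # constructed; stands in for the "machine's password"
WINDOW_SECONDS = 300                # "round to the nearest 5 minutes"
KNOCK_LENGTH = 4                    # assumed number of ports in one sequence
PORT_LOW, PORT_HIGH = 1024, 65535   # assumed: keep derived knocks off ports used by services


def time_window(now):
    """Counter that advances once per WINDOW_SECONDS; both sides compute it from their clocks."""
    return int(now) // WINDOW_SECONDS


def knock_sequence(secret, window, length=KNOCK_LENGTH):
    """Derive `length` distinct ports from the secret and the time window.

    HMAC-SHA256 over (window, counter) replaces the CRC -> PRNG -> XOR chain of the
    post; it is keyed, so without the secret the output is unpredictable.
    """
    span = PORT_HIGH - PORT_LOW + 1      # 64512 candidate ports
    ports = []
    counter = 0
    while len(ports) < length:
        msg = window.to_bytes(8, "big", signed=True) + counter.to_bytes(4, "big")
        digest = hmac.new(secret, msg, hashlib.sha256).digest()
        for i in range(0, len(digest), 2):          # two digest bytes -> one port
            # modulo reduction has a tiny bias (65536 vs 64512); harmless here
            port = PORT_LOW + int.from_bytes(digest[i:i + 2], "big") % span
            if port not in ports:                   # no repeated port within one sequence
                ports.append(port)
            if len(ports) == length:
                break
        counter += 1                                # need another digest block? bump counter
    return ports


def verify_knock(secret, observed, now):
    """Server side: accept the sequence for the current window or the previous one,
    so a client that started knocking just before a boundary is not rejected."""
    w = time_window(now)
    return any(observed == knock_sequence(secret, candidate) for candidate in (w, w - 1))


def current_knock(secret=SECRET, now=None):
    """Client side: the sequence to send right now."""
    return knock_sequence(secret, time_window(time.time() if now is None else now))


if __name__ == "__main__":
    seq = current_knock()
    print("knock these ports in order:", seq)
    print("accepted by server:", verify_knock(SECRET, seq, time.time()))
```

The client derives the sequence from its own clock and knocks the ports in order; the server recomputes the sequence for the current and the previous window, so a knock straddling a boundary still succeeds, while a sequence captured on the wire stops working as soon as the next window begins. The two sides' clocks must agree to within the grace period, which is why the post suggests asking the server for its time first.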
nielchiano
PostPosted: Mon Aug 23, 2004 9:38 am

iplayfast wrote:
I recently read an article that explained that port knocking (which is accessing a sequence of open or closed ports in a predetermined order to open a closed port) is a system which relies on security through obscurity. If all computers used portknocking then the chances of a hacker trying to hack using portknocking goes up, since it is the expected method of security. Assuming this portknocking ends up being just a method of password, with the same security problems that normal passwords have.

True, but with one difference: There is no way a hacker can know what is going on... a portscan won't return anything, since a good knocking-daemon should detect those and not do a thing (hopefully no one will be stupid enough to take sequence 18,19,20,21 to open 22)
So in order to just SEE what the machine is running, he has to try ALL ports (65535 possibilities) with ALL knocking sequences (say exactly 2 knocks, that gives 4294836225 possibilities PER PORT = 281462092005375)
And this with a reasonable time in between.
If the daemon says, eg: if more than 4 packets are received per second that do not form a sequence, ignore for 5 minutes; the attacker can only try 2 possibilities per second: which would take a little more than 4462552 years)

So, yes, it's like a password, but one typed on a keyboard with 65535 keys on it, arbitrary length and limited type speed...
Sure you can brute force it, but you'll better start to think about children and grand-grand-grand children ;-)

for reference:
a 1 knock:
  • better than a 'letters-only' password of length 3
  • better than a 'lEttErS-WitH-CaPS' password of length 2
  • better than a 'l3ttErs-W1th-d1GitS' password of length 2

a 2 knock:
  • better than a 'letters-only' password of length 10
  • better than a 'lEttErS-WitH-CaPS' password of length 8
  • better than a 'l3ttErs-W1th-d1GitS' password of length 8

a 20-char-'l3ttErs-W1th-d1GitS' password is better than 7-knock sequence

PS: THE ABOVE CALCULATIONS ARE MADE UNDER THE ASSUMPTION THAT PASSWORDS/SEQUENCES ARE RANDOM; brute-forcing is trying every possible combination; and the right one might as well be the first one they try
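nielchiano's arithmetic above, worked through as an added example (the code is not from the thread or from any port-knocking project). It takes the post's figures as given: 65535 usable ports, a hidden service sitting on one of them, a daemon that throttles an attacker to about 2 attempts per second, and password alphabets of 26, 52 and 62 symbols. The "equivalent password length" is the general rule of which the post lists instances: the longest random password whose search space is still no larger than the knock space, i.e. floor(log_alphabet(65535^knocks)).

```python
import math

PORTS = 65535                      # the post's "keyboard with 65535 keys": one knock = one port
SECONDS_PER_YEAR = 365 * 24 * 3600

# Password alphabets named in the post (assumed: plain ASCII letters/digits)
ALPHABETS = {
    "letters-only": 26,
    "lEttErS-WitH-CaPS": 52,
    "l3ttErs-W1th-d1GitS": 62,
}


def knock_space(knocks):
    """Number of distinct sequences of exactly `knocks` ports (ports may repeat)."""
    return PORTS ** knocks


def full_search_space(knocks):
    """The attacker must also guess which of the 65535 ports the hidden service uses."""
    return PORTS * knock_space(knocks)


def worst_case_years(combinations, attempts_per_second):
    """Years needed to exhaust `combinations` when the daemon throttles the attacker."""
    return combinations / attempts_per_second / SECONDS_PER_YEAR


def equivalent_password_length(knocks, alphabet_size):
    """Longest random password over the alphabet whose search space is still
    no larger than the knock space: floor(log_alphabet(PORTS ** knocks))."""
    return math.floor(knocks * math.log(PORTS) / math.log(alphabet_size))


def knocks_beaten_by_password(length, alphabet_size):
    """Longest knock sequence whose space is still no larger than a random
    password of `length` characters over the alphabet (the post's 20-char case)."""
    return math.floor(length * math.log(alphabet_size) / math.log(PORTS))


def main():
    space = full_search_space(2)
    print(f"2 knocks + hidden port: {space:,} combinations")
    print(f"at 2 attempts/s that is {worst_case_years(space, 2):,.0f} years")
    for k in (1, 2):
        for name, size in ALPHABETS.items():
            n = equivalent_password_length(k, size)
            print(f"a {k}-knock sequence is at least as strong as a {n}-char {name} password")
    print(f"a 20-char l3ttErs-W1th-d1GitS password beats a "
          f"{knocks_beaten_by_password(20, 62)}-knock sequence")


if __name__ == "__main__":
    main()
```

The rate limit is what turns a big number into an unusable one: without the "ignore for 5 minutes" rule the attacker's speed is bounded only by bandwidth, so the throttling behaviour of the daemon is as much part of the design as the sequence itself.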
kalisphoenix
PostPosted: Tue Aug 24, 2004 1:27 am

I've developed a recent interest too after worms decided to check how much of a dork I was (ie, checking for usernames with matching passwords, heh).

iplayfast, I dig your idea.
iplayfast
PostPosted: Tue Aug 24, 2004 3:50 am

nielchiano You are right. (With one minor correction). You can't use all 65535 ports in port knocking since you might actually want some of those for other reasons.

But your explanation certainly made sense to me.

I am in no way a security expert. So I leave that to others who have much more experience than I.
nielchiano
PostPosted: Tue Aug 24, 2004 5:54 pm

iplayfast wrote:
nielchiano You are right.

of course i am ;-) :P :lol:
iplayfast wrote:
(With one minor correction). You can't use all 65535 ports in port knocking since you might actually want some of those for other reasons.

Partially true, there is absolutely no reason why you can't "knock" on an open port; sure the service will respond, but the knocking-daemon will see your "knock"

But you're right that knocking on an open port isn't ideal... but it's possible
pianosaurus
PostPosted: Sun Aug 29, 2004 5:05 pm

nielchiano wrote:
Partially true, there is absolutely no reason why you can't "knock" on an open port; sure the service will respond, but the knocking-daemon will see your "knock"

But you're right that knocking on an open port isn't ideal... but it's possible


It's not ideal, but that actually makes the idea even better (assuming that it isn't a problem for the service on the open port). An intruder would be right more often than not when assuming that an open port is not used for knocking.

I'm going to implement this on my server right now. I also thought I'd add a ping to the knock sequence (that will be answered). This ping will have to be padded with a preset amount of bytes, and my script will check the size of the packet.

Also, I will not log it to a file to have a script tail it. Instead, I'm going to tell syslog-ng to forward those firewall logs directly to a script.

Any thoughts on this?
Last edited by pianosaurus on Mon Aug 30, 2004 12:12 am; edited 1 time in total
nielchiano
PostPosted: Sun Aug 29, 2004 6:00 pm

PingPong wrote:
Any thoughts on this?

yes: send it to me when it's (almost) done!
looks good
pianosaurus
PostPosted: Sun Aug 29, 2004 11:15 pm

nielchiano wrote:
PingPong wrote:
Any thoughts on this?

yes: send it to me when it's (almost) done!
looks good


Will do :)
pianosaurus
PostPosted: Mon Aug 30, 2004 12:27 am

PingPong wrote:
Will do :)


I take that back. There's not much point. This seems to do pretty much what I had in mind.

I think I'm going to make something that enables me to open a port simply by using the ping command. This would enable my server users to open ports from windows too, by generating packets of a certain size in a certain sequence (that might change with the time/date) without the need for a special client.

That happens tomorrow. Now I'll need some sleep. I'll post my results.
steelrat
PostPosted: Mon Aug 30, 2004 6:33 pm    Post subject: ping based portknocking?

no offence, but it sounds like you're missing the point.

besides, most popular scanning methods start with an icmp echo to check to see if the host is up.

looks like at the end of the day you have a couple of interesting options:
cryptknock which uses an encrypted knock to make the knock invulnerable to replay attacks.

or

doorman which is the more usual type of portknocker and even has windows clients.

..or go to portknocking.org and grab some perl.

please do have an idea of why you want to do portknocking though 8)
Valhlalla
PostPosted: Tue Aug 31, 2004 2:05 am

This is a good idea, I would also stress the part that you can add all sorts of common attack attempts to a list of banned IPs. This makes the brute force approach very unappealing.

[edit] particularly because you won't know at what point you have been locked out and for how long. so you might say try port 1,2,3,4 that locks you out. then you try 2,4,3,1 say that is the correct knock, but you still have to try that again 1 hour later for it to open a port. very unlikely.
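A minimal log-driven knock tracker that behaves the way nielchiano and Valhlalla describe: a source that sends more than 4 out-of-sequence packets within a second is ignored for 5 minutes, and while it is locked out even a correct sequence opens nothing. It reads iptables LOG lines of the kind pianosaurus wants syslog-ng to hand to a script. This is an added example, not code from the thread or from any knock daemon; the sequence 7000/8000/9000, the "KNOCK:" log prefix, the 10-second limit between consecutive knocks and the sample log lines (one legitimate client, one scanner that later tries the right sequence) are all constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

KNOCK_SEQUENCE = [7000, 8000, 9000]  # assumed sequence for this example
SEQUENCE_TIMEOUT = 10.0   # assumed: seconds allowed between two consecutive knocks
SCAN_THRESHOLD = 4        # "more than 4 packets per second that do not form a sequence"
SCAN_WINDOW = 1.0         # ... per second ...
LOCKOUT_SECONDS = 300     # "... ignore for 5 minutes"

# The only fields of an iptables LOG line the tracker needs: syslog timestamp, SRC and DPT
LOG_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>[\d.]+) .*?DPT=(?P<dpt>\d+)")
EPOCH = datetime(1900, 1, 1)  # strptime without a year yields 1900; only time differences matter

# Constructed sample log (not real traffic): 198.51.100.7 knocks correctly, 203.0.113.99 scans
# five ports in one second, then tries the correct sequence while locked out.
SAMPLE_LOG = """\
Aug 31 12:00:01 gw kernel: KNOCK: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=40001 DPT=7000 SYN
Aug 31 12:00:02 gw kernel: KNOCK: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=40002 DPT=8000 SYN
Aug 31 12:00:03 gw kernel: KNOCK: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=40003 DPT=9000 SYN
Aug 31 12:00:10 gw kernel: KNOCK: IN=eth0 OUT= SRC=203.0.113.99 DST=203.0.113.5 LEN=44 PROTO=TCP SPT=50001 DPT=21 SYN
Aug 31 12:00:10 gw kernel: KNOCK: IN=eth0 OUT= SRC=203.0.113.99 DST=203.0.113.5 LEN=44 PROTO=TCP SPT=50002 DPT=22 SYN
Aug 31 12:00:10 gw kernel: KNOCK: IN=eth0 OUT= SRC=203.0.113.99 DST=203.0.113.5 LEN=44 PROTO=TCP SPT=50003 DPT=23 SYN
Aug 31 12:00:10 gw kernel: KNOCK: IN=eth0 OUT= SRC=203.0.113.99 DST=203.0.113.5 LEN=44 PROTO=TCP SPT=50004 DPT=25 SYN
Aug 31 12:00:10 gw kernel: KNOCK: IN=eth0 OUT= SRC=203.0.113.99 DST=203.0.113.5 LEN=44 PROTO=TCP SPT=50005 DPT=80 SYN
Aug 31 12:00:30 gw kernel: KNOCK: IN=eth0 OUT= SRC=203.0.113.99 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=50006 DPT=7000 SYN
Aug 31 12:00:31 gw kernel: KNOCK: IN=eth0 OUT= SRC=203.0.113.99 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=50007 DPT=8000 SYN
Aug 31 12:00:32 gw kernel: KNOCK: IN=eth0 OUT= SRC=203.0.113.99 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=50008 DPT=9000 SYN
"""


def parse_line(line):
    """Return (seconds, src, dport) for a firewall log line, or None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    seconds = (datetime.strptime(m.group("ts"), "%b %d %H:%M:%S") - EPOCH).total_seconds()
    return seconds, m.group("src"), int(m.group("dpt"))


class KnockTracker:
    """Tracks each source's position in the knock sequence and locks out scanners."""

    def __init__(self, sequence):
        self.sequence = sequence
        self.progress = defaultdict(int)     # src -> number of knocks matched so far
        self.last_seen = {}                  # src -> time of last packet
        self.strays = defaultdict(lambda: deque(maxlen=SCAN_THRESHOLD + 1))  # recent wrong ports
        self.locked_until = {}               # src -> time at which the lockout ends
        self.opened = []                     # (time, src) for every completed sequence

    def handle(self, ts, src, dport):
        if self.locked_until.get(src, 0.0) > ts:
            return "ignored"                 # locked out: a correct knock does nothing
        if ts - self.last_seen.get(src, ts) > SEQUENCE_TIMEOUT:
            self.progress[src] = 0           # too slow between knocks: start over
        self.last_seen[src] = ts
        if dport == self.sequence[self.progress[src]]:
            self.progress[src] += 1
            if self.progress[src] == len(self.sequence):
                self.progress[src] = 0
                self.opened.append((ts, src))  # a real daemon would add the firewall rule here
                return "open"
            return "progress"
        # Wrong port: the sequence restarts (or begins anew if this was its first port)
        self.progress[src] = 1 if dport == self.sequence[0] else 0
        recent = self.strays[src]
        recent.append(ts)
        while recent and ts - recent[0] > SCAN_WINDOW:
            recent.popleft()                 # keep only hits inside the one-second window
        if len(recent) > SCAN_THRESHOLD:
            self.locked_until[src] = ts + LOCKOUT_SECONDS
            self.progress[src] = 0
            recent.clear()
            return "locked"
        return "reset"


def run(log_text, sequence=KNOCK_SEQUENCE):
    """Feed every matching log line to a tracker; return (opened list, per-line verdicts)."""
    tracker = KnockTracker(sequence)
    verdicts = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is not None:
            verdicts.append(tracker.handle(*parsed))
    return tracker.opened, verdicts


if __name__ == "__main__":
    opened, verdicts = run(SAMPLE_LOG)
    print("verdicts:", verdicts)
    print("opened for:", [src for _, src in opened])
```

Two things a real daemon has to add: the action taken on "open" (inserting and later expiring a firewall rule), and a bound on per-source state, so that a flood of packets from many spoofed sources cannot grow the `strays` and `locked_until` tables without limit. Rate-limiting the LOG chain in the firewall, so that only a few packets per second ever reach the script, is the cheap way to keep that processing off the hot path.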
pianosaurus
PostPosted: Tue Aug 31, 2004 4:21 pm    Post subject: Re: ping based portknocking?

steelrat wrote:
no offence, but it sounds like you're missing the point.


My point is certainly different from ordinary portknocking, but if everyone needs a client to portknock, it's useless on systems that need to be accessed from a random computer in the field (which is what I need).

steelrat wrote:
besides, most popular scanning methods start with an icmp echo to check to see if the host is up.


Yes. I'm sure they ping you with a sequence of differently sized packages too, just in case it matters, right? Wrong.

Of course I rely on the assumption that an intruder wouldn't know I used this technique. But I also think that would be a pretty safe assumption.
nyteryda
PostPosted: Fri Sep 10, 2004 1:52 pm

you have to be careful with your (and the daemon's) code though or you will end up creating a good way for a DoS attack because you will be processing more heavily on portscans.

Also a buffer overflow would be hilarious as people could be able to break into a system with no open ports... (but that would just be stupid)
pianosaurus
PostPosted: Fri Sep 10, 2004 4:41 pm

nyteryda wrote:
you have to be careful with your (and the daemon's) code though or you will end up creating a good way for a DoS attack because you will be processing more heavily on portscans.

Also a buffer overflow would be hilarious as people could be able to break into a system with no open ports... (but that would just be stupid)


Good point. iptables helps out there. Limit the log-chain to a few packets every second. You might lose some information, but it's better than getting DoS attacks.
groovin
PostPosted: Fri Sep 10, 2004 8:20 pm

security through obscurity....

i guess you can say that... but to me, security through obscurity really means that you are trying to mask your vulnerabilities by simply not telling anyone about it (ie MS' past handlings of bugs). if i am running a service say ssh, that is patched and secure against all known exploits and i decide to use portknocking, i think that's just adding another layer of security, not necessarily sec through obsc. but yes, the line that is drawn is thin. now if i just used port knocking because it is easier than patching, that'd be a different story.

PingPong,

couldn't you just whip up your own client on the fly? AFAIK, the knockd listens and when it hears the right sequence, it executes some command, like creating a firewall pass rule. so, say you were on a windows computer, couldn't you just write up a quick .bat file that used telnet to send the packets? like...

c:\>telnet
> open 1.2.3.4 444
> open 1.2.3.4 12324

and so on. i haven't tried this so I'm not sure if it'd work.
pianosaurus
PostPosted: Mon Sep 13, 2004 2:21 pm

groovin wrote:
PingPong,

couldn't you just whip up your own client on the fly? AFAIK, the knockd listens and when it hears the right sequence, it executes some command, like creating a firewall pass rule. so, say you were on a windows computer, couldn't you just write up a quick .bat file that used telnet to send the packets? like...

c:\>telnet
> open 1.2.3.4 444
> open 1.2.3.4 12324

and so on. i haven't tried this so I'm not sure if it'd work.


I was thinking of this, but is telnet really a part of any windows installation? If it is, then yes. If not, I was going to do the same thing you suggested with pinging. You can set the packet size in the ping command, and it would have the same effect as portknocking (listening for a sequence of packet sizes). But I'd prefer knocking on ports. Can you (or anyone) confirm that telnet is built in to windows? If so, what versions?

I guess you could do this with any ssh client, but it would be hard to batch it with putty (i think that is what my clients use).
groovin
PostPosted: Mon Sep 13, 2004 3:48 pm

every default install of windows i have done has had telnet in it. I just tried 2 XP machines, 2 win2k, and one NT and they all had telnet. so i guess unless the admin removes it from the install him/herself, a default windows install should have it.
OdinsDream
PostPosted: Mon Sep 13, 2004 3:57 pm

I fail to understand why anyone claims portknocking to be an example of "security through obscurity." What I gather thus far is people notice this fantastically simple, genuinely unique and useful idea, and want to find a flaw in it. This is the best they come up with. It is not "obscurity."

Imagine a wall of 6,000 red unlit buttons evenly spaced. They open a door, if you press the right ones in the right order, but if you mess up during the sequence, you have to start all over. This is port knocking. You have no idea where to start, how many times to press each button, and how long the sequence is. You have no way to get feedback about your progress (as you would with tumbler-locks, which are also Not security-through-obscurity).

Yet, you can be completely aware of the "code" behind this lock. I can tell you:

Someone is behind that wall, watching the buttons as they light up bulbs. This person knows exactly how many times each bulb should light, and which one should light first, second, third, and so forth.

So, the -way this works- is completely unobscured. Yet, it is still extremely good security.

This, and even when you're finally in the door, you're only just as well off as you would have been without using portknocking at all.
OdinsDream
PostPosted: Mon Sep 13, 2004 3:59 pm

groovin wrote:
every default install of windows i have done has had telnet in it. I just tried 2 XP machines, 2 win2k, and one NT and they all had telnet. so i guess unless the admin removes it from the install him/herself, a default windows install should have it.


I'm sure you could find some online telnet clients, if you really needed to. I've always been able to download and run Putty when I came across a "secure" windows computer whose administrator had disabled the commandline.
nielchiano
PostPosted: Mon Sep 13, 2004 4:19 pm

OdinsDream wrote:
I fail to understand why anyone claims portknocking to be an example of "security through obscurity." What I gather thus far is people notice this fantastically simple, genuinely unique and useful idea, and want to find a flaw in it. This is the best they come up with. It is not "obscurity."

Imagine a wall of 6,000 red unlit buttons evenly spaced. They open a door, if you press the right ones in the right order, but if you mess up during the sequence, you have to start all over. This is port knocking. You have no idea where to start, how many times to press each button, and how long the sequence is. You have no way to get feedback about your progress (as you would with tumbler-locks, which are also Not security-through-obscurity).

Yet, you can be completely aware of the "code" behind this lock. I can tell you:

Someone is behind that wall, watching the buttons as they light up bulbs. This person knows exactly how many times each bulb should light, and which one should light first, second, third, and so forth.

So, the -way this works- is completely unobscured. Yet, it is still extremely good security.

This, and even when you're finally in the door, you're only just as well off as you would have been without using portknocking at all.

or in short: it's a kind of password, using an "alphabet" of 65535 letters instead of the usual 62 (A-Z, a-z, 0-9).
It can consist of an arbitrary number of characters (ports).
OdinsDream
PostPosted: Sat Sep 18, 2004 5:59 am

nielchiano wrote:
or in short: it's a kind of password, using an "alphabet" of 65535 letters instead of the usual 62 (A-Z, a-z, 0-9).
It can consist of an arbitrary number of characters (ports).


brevity is the soul of wit.