47 Comments
- inactive, on 10/12/2007, -13/+54
80% of people use your mom, but that doesn't mean she's superior. It just means she's more easily accessible.
- jackl, on 10/12/2007, -1/+13
@merreborn - I think you're missing the point here. The author isn't saying that this is a substitute for any other security measure, just an additional one that takes advantage of the way a typical attack transpires.
In most attacks, the attacker first does a port scan on the target machine to get a list of the services (ports) which are available for attack. Using this method, the SSH port (22) would show as either closed or filtered, which would tend to discourage the attacker from attacking that port. The chance of them knowing that you're using knockd, and then going through the hassle of trying every possible combination of port sequences, is very, very small.
On the other hand, if knockd were to be used everywhere, then your objection begins to make more sense, because it would become more typical for an attacker to try to defeat knockd first.
Remember, the point of these defenses isn't to make your machine unhackable - there ain't no such thing. The point is to make it difficult enough that they'll go off and try someone else's machine.
- merreborn, on 10/12/2007, -4/+10
AmericaFirst is just a troll. That's what the Block button is for.
- aamer, on 10/12/2007, -1/+7
@merreborn
I understand that point, but you cannot just casually say "once stealth is taken out of the equation" because stealth is the *whole point* of this program! As per the instructions for this software, you should still use strong passwords and apply normal security principles. This is just an added benefit.
This is not meant to be a cryptographically strong protection. This is akin to steganography on top of cryptography.
- jonwatson, on 10/12/2007, -2/+8
Now that is cool.
- mmmooo, on 10/12/2007, -1/+5
Far from a new idea, and isn't as secure as it sounds. Closer to the security by obscurity concept. Single encrypted packet knocking is far superior, and I have been using it for some time.
http://www.cipherdyne.org/fwknop/
- merreborn, on 10/12/2007, -7/+11
This seems like a silly, silly idea. A series of 3 port numbers is really just a 6 byte password. This guy said it even better:
"Once stealth is taken out of the equation, it becomes clear what port scanning really is. A port is not a physical object but merely a 16-bit integer. A sequence of knocks is therefore just a sequence of bits that lets you in -- in other words, a passphrase. So port knocking is simply a method to authenticate yourself with a passphrase. The obvious question then is, in what way is this convoluted and inefficient method of sending a passphrase across a network better than the straightforward method of putting it in a packet and sending it?"
http://software.newsforge.com/software/04/08/02/1954253.shtml
- ericmoritz, on 10/12/2007, -0/+3
I use knockd and I love it. I don't know if it's a false sense of security but it does seem better than keeping ssh open all the time. All I do is knock out a series of ports and ssh opens for my IP only. That seems 100 times better than leaving a port open.
- PrionHunter, on 10/12/2007, -0/+3
Port knocking was supposed to be the big thing a few years ago but it never really materialized because people treated it as either a mechanism of security through stealth or a convoluted password system. Projects like the one above are fairly bad examples of how port knocking should be implemented but great examples of its use. It is a single point of defense that you can use as an extra layer of security. Say you have a box, no, a veritable horde of boxes. Now say a zero day exploit comes out and a service on some of those boxes is vulnerable to a buffer overflow attack. If you went with port knocking as a layer of defense then you're golden until you can get things patched. A dedicated hacker could still crack the port knocking daemon with a packet sniffer, which is why you would probably want a port knocking daemon that actually has real security (try http://doorman.sourceforge.net/ , not perfect but it does some good stuff).
- kaidadragonfly, on 10/12/2007, -1/+4
GNU/Linux has a slow adoption rate because people first have to know *what* an OS is (most of the public has no idea what an operating system is). And then they have to figure out how to install the thing.
That's even before they try to figure out how to use it, and find applications that match what they had in Windows.
- humanaut, on 10/12/2007, -0/+3
This isn't just a convoluted and inefficient form of passphrase authentication. The core idea is that your server can be sitting there with no active ports listening. No listening services = no attack surface. People who are serious about security understand that having the latest version of OpenSSH running on an obscure high port won't protect you from real blackhats with real 0days. They also understand that a server with no listening services is, for all intents and purposes, invulnerable to remote attackers without some kind of client-side attack.
Port knocking can be defeated. Obviously if you can sniff the traffic you can figure out the sequence, but I'm sure a botnet with a few thousand nodes, running continual portscans and sending zillions of port knock sequences per millisecond, would eventually get lucky. Sounds implausible... ridiculous... but then again, so did the concept of brute forcing DES 10-15 years ago. Perhaps the technology to achieve this will be commonplace in a few short years.
- aamer, on 10/12/2007, -1/+4
@merreborn
"Now, tell me again how this is a good idea?"
Hmm, because a port scanner will not be able to tell your SSH server apart from the 99% of other computers that do not run an ssh daemon, how about that?
In any case, I'm not saying this is a perfect solution and I certainly agree the benefits will diminish with rising popularity, but the point is that it is just extra protection. And I don't think this type of program will gain mainstream acceptance anyway, so basing your whole argument on that theory is not too useful because 5 years down the road, most people will probably not be using this. But even if they are, it's still an added benefit in terms of hiding your server.
- sugardaddy4242, on 10/12/2007, -2/+5
Simple yet very powerful tool.
- asleep, on 10/12/2007, -2/+4
An interesting idea and very clear tutorial.
- samuelbentrup, on 10/12/2007, -1/+3
One thing I used to do was set up an external site that I would post a text file to containing my IP address. My box would check that site often, and if it found that text file it would download it, delete it, and run a script allowing the contained IP address access for 60 minutes.
Sure that opens up the ability for someone to hack a 2nd box then gain more access to mine, but it does add another layer that would prevent most conventional methods.
-Sam
- ColdDimSum, on 10/12/2007, -0/+2
You could also have your 'knockd' change the sequence every time it's used, thus preventing replay attacks (and there are tricks you can use for time-based private sequences a la S/KEY). You could also "randomize" the resulting opened sshd port every time. We used to call this type of passive service a doorbell. What it does provide in terms of security is hiding your services from passive scanning attacks, and there is something to be said for that.
- bugsy187, on 10/12/2007, -0/+2
I don't use Windows XP because it's superior, I use it because Gates uses unfair business practices to squash the competition. Most software, such as games, is written for Windows. If I want to play new games I'm forced to use XP. Let's be honest, Windows is clunky and inefficient. OSX is superior in many ways and many professional critics agree. Ubuntu, from what I hear, is a better OS, too.
- rastan, on 10/12/2007, -0/+2
Indeed. I remember when it first came up a few years ago, it was good fun. This isn't much more than security through obscurity though, but then of course so are passwords.
- xocomil, on 10/12/2007, -0/+2
I agree that this is no more than another password, but it is an interesting password at that. I've been thinking about this for a little bit and am curious about what harm is caused by this. You can configure the number of knocks and the port sequence needed for that knock. Someone please correct me if I'm wrong, but let's say that I configure my knockd daemon to listen for 8 knocks from random ports in the 50,000 to 60,000 range. If I'm only using tcp ports, then they have 10,000^8 possibilities for knocks (or 1e32). If I add udp also (like the tutorial said), then I have twice the number of possibilities (2e32). Assuming that the attacker has to check my SSH port after each attempt to see if I've opened it, then brute force by randomly generating ports becomes a chore because every check of port 22 (assuming a default setup) resets the knock. If they don't know how long the knock needs to be, this can become a serious chore.
Obviously a packet sniffer between you and your Linux box makes this "password" almost worthless, but the fact that you can have the daemon close the SSH port for you after a specified number of seconds adds some frustration to the equation. Now they have X seconds to test user names and passwords on your SSH port before that port is closed and they have to knock again.
I will be the first to concede that I'm not a security expert by any means so I would appreciate any input as to how having knockd and a locked down Linux box is detrimental assuming knockd is implemented as part of a well thought out security plan (all unnecessary ports closed, good passwords, etc).
- finite, on 10/12/2007, -0/+2
Of course, if an attacker can sniff you connecting to your server using knockd, then they can easily replay your knock later. And get to an SSH port. Where they still must authenticate to SSH like normal.
One thing I think this is actually useful for is the frightening-but-real potential scenario of an OpenSSH vulnerability and a resulting worm, where zombies are suddenly scanning for vulnerable ssh ports all over the internet. In that scenario, port knocking keeps your vulnerable openssh port protected from the zombies, unless the zombies have spare time to brute force the 48-bit (16*3) keyspace of a 3-port knockd knock on every host that doesn't appear to be running SSH. Which is unlikely.
- Novagenesis, on 10/12/2007, -1/+2
Security By Obscurity Isn't... (Someone TM'd this or something, but I don't know who).
Let me put it this way. It's like just adding a second password and -taking away- hardwired security...
Except, the knockd configuration file isn't encrypted like a good password file is.
Sure, it's serious obscurity that requires potential insider knowledge, but it's still an intentional hole.
But honestly, I think I like knockd. Just imagine the kind of FUN you can have by changing someone's configuration file and knocking...
Knock Knock, boom
- todayintech, on 10/12/2007, -0/+1
After reading about boots under a mom's bed and port scanning, I will get to the point: you can port scan my connection as much as you want and you will not find my knockd running or be able to access the port that is currently stealthed. So this is great security, and it's not security through obscurity. If I changed my TS port from 3389 to 7455 that's obscurity; taking steps to stealth 7455 and using port knocking to provide access through that port is security. Now if someone could make a tutorial to add knockd to a Linksys WRT54G and provide a Windows app to do the knocking, that would be more useful than reading about someone's boots.
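Several comments above (ericmoritz's description of knocking so that ssh opens for one IP, xocomil's point that a stray probe of port 22 resets the knock, finite's 48-bit keyspace for a 3-port knock) describe the same mechanism from different angles. The model below is an added illustration written for this thread, not knockd's own code: a door is a fixed ordered list of (protocol, port) knocks, the whole sequence must arrive within seq_timeout, a packet to any other port aborts the attempt, and a completed sequence opens the protected port for that source address only, for cmd_timeout seconds. The names Door, KnockDaemon, the timeouts and the sample addresses are all constructed for the example.

```python
import math
from dataclasses import dataclass

# Constructed model of a knock daemon "door". Field names are assumptions
# chosen for this example; they are not knockd's configuration keys.
@dataclass
class Door:
    name: str
    sequence: list              # ordered knocks, e.g. [("tcp", 7000), ("tcp", 8000)]
    seq_timeout: float = 5.0    # seconds allowed to finish the whole sequence
    cmd_timeout: float = 10.0   # seconds the door stays open after a good knock

@dataclass
class Attempt:
    stage: int = 0              # how many knocks of the sequence have matched
    started: float = 0.0        # time of the first knock

class KnockDaemon:
    def __init__(self, door: Door):
        self.door = door
        self.attempts = {}      # src_ip -> Attempt in progress
        self.opened = {}        # src_ip -> time at which the door closes again
        self.log = []

    def packet(self, now: float, src: str, proto: str, port: int) -> None:
        """Feed one observed packet: timestamp, source IP, protocol, destination port."""
        seq = self.door.sequence
        att = self.attempts.get(src)
        if att is None:
            # Nothing in progress: only the first knock of the sequence starts an attempt.
            if (proto, port) == seq[0]:
                self.attempts[src] = Attempt(stage=1, started=now)
                self.log.append(f"{src}: {self.door.name}: stage 1")
            return
        if now - att.started > self.door.seq_timeout:
            self.log.append(f"{src}: {self.door.name}: sequence timeout, reset")
            del self.attempts[src]
            return
        if (proto, port) != seq[att.stage]:
            # Wrong port mid-sequence (a probe of 22, the next port of a sequential
            # scan): the attempt is discarded, which is what makes blind search costly.
            self.log.append(f"{src}: {self.door.name}: out of sequence, reset")
            del self.attempts[src]
            return
        att.stage += 1
        if att.stage == len(seq):
            self.opened[src] = now + self.door.cmd_timeout
            self.log.append(f"{src}: {self.door.name}: open until t={self.opened[src]}")
            del self.attempts[src]
        else:
            self.log.append(f"{src}: {self.door.name}: stage {att.stage}")

    def allows_ssh(self, now: float, src: str) -> bool:
        """Would a packet from src to the protected port be accepted at time now?"""
        closes_at = self.opened.get(src)
        if closes_at is None:
            return False
        if now > closes_at:
            del self.opened[src]   # cmd_timeout expired: the port is closed again
            return False
        return True

def sequence_bits(length: int, port_choices: int = 65536, protocols: int = 1) -> float:
    """Keyspace of a knock sequence in bits: length * log2(port_choices * protocols).
    finite's figure (3 TCP knocks over all 16-bit ports) is 3 * 16 = 48 bits."""
    return length * math.log2(port_choices * protocols)

def demo() -> tuple:
    """Constructed traffic against a 3-knock door; returns the five open/closed outcomes."""
    kd = KnockDaemon(Door("ssh", [("tcp", 7000), ("tcp", 8000), ("tcp", 9000)]))
    # A sequential scan hits 7000 then 7001: the second packet resets the attempt.
    kd.packet(0.0, "10.0.0.9", "tcp", 7000)
    kd.packet(0.1, "10.0.0.9", "tcp", 7001)
    scan_opened = kd.allows_ssh(1.0, "10.0.0.9")
    # The legitimate client knocks in order within the time limit.
    kd.packet(5.0, "192.0.2.10", "tcp", 7000)
    kd.packet(5.5, "192.0.2.10", "tcp", 8000)
    kd.packet(6.0, "192.0.2.10", "tcp", 9000)
    client_opened = kd.allows_ssh(7.0, "192.0.2.10")
    other_host = kd.allows_ssh(7.0, "10.0.0.9")        # open for the knocking IP only
    client_later = kd.allows_ssh(20.0, "192.0.2.10")   # cmd_timeout (10 s) has passed
    # A probe of port 22 in the middle of an otherwise correct sequence aborts it.
    kd.packet(10.0, "198.51.100.5", "tcp", 7000)
    kd.packet(10.2, "198.51.100.5", "tcp", 22)
    kd.packet(10.4, "198.51.100.5", "tcp", 8000)
    kd.packet(10.6, "198.51.100.5", "tcp", 9000)
    probed = kd.allows_ssh(11.0, "198.51.100.5")
    return scan_opened, client_opened, other_host, client_later, probed

if __name__ == "__main__":
    print(demo())
    print(round(sequence_bits(3), 1), round(sequence_bits(8, 10000, 2), 1))
```

The demo shows why the thread's "just a password" framing is only half right: the sequence is a secret of fixed entropy (sequence_bits), but unlike a password typed into a listening service, every wrong guess costs the guesser a full fresh sequence, and a scanner walking ports in order never completes one. It also shows the limit finite names: the model has no defence against a sniffed sequence being sent again from the same address.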
- jackl, on 10/12/2007, -1/+2
@merreborn: Actually, if you'll read my comment, you'll see that I agree with you there. If knockd becomes ubiquitous, it won't add much, if any, security. If.
However, today, this is not the case. Attackers use port scanning. Today. So, any defense which works against port scanning helps. Today.
That's the difference between computer security as theory, and computer security as reality. There are no solutions which will work five years from now, because we haven't got the slightest idea what we'll be facing five years from now. All we can defend against is the attacks we face now. And this, for now, is effective. That is the point.
- jackl, on 10/12/2007, -1/+2
"Simple password security has been in use for decades longer. It's still pretty solid, too."
Afraid I'm going to have to disagree with you here. The number one way that attackers gain entry to systems is through...passwords. Insecure passwords. Passwords that people leave on post-it notes in their cube. Social engineering. Passwords are very, very, very, very insecure. Why do we still use them, then? Because all of the more secure solutions aren't cost effective. Smart cards cost a lot and are complex for people to use. PKI is way too complicated.
Security in the real world (as opposed to the world of security theory where you find the perfect solution and leave it at that) is a matter of tradeoffs. This is a good solution for the real world because it combines ease of implementation with relatively high security for the moment. It's a terrible solution for the theoretical world because of all the reasons you list. Unfortunately, we live in the real world, and have to deal with real-world problems, and real-world solutions.
Feel free not to use knockd, or any other solution which isn't "perfect". I prefer security in depth, which means using lots of imperfect, but very useful, solutions.
And that's all there is to that. ;-)
- jbestrom, on 10/12/2007, -1/+2
@americafirst - yes, most people do pick Windows; it is so much easier to use. My point was that you can't just say "Don't use Linux 'cause most people use Windows so it's better"; more is not always better.
@evilcow - I don't know if you know this, but a lot of the time it is hard to portray and/or read sarcasm in text form.
- PrionHunter, on 10/12/2007, -0/+1
The knock sequence isn't important to port knocking. Really, there are some good implementations that have already been mentioned above that use just a single packet sent to a single closed port. The contents of this packet are any number of things like a hash created with a shared secret etc. Port knocking is really just like a password protected blanket with porous properties when done right.
- rsteinke, on 10/12/2007, -2/+3
That has to be the most creative solution to this I've ever seen. A secure, simple and flexible solution for anyone who needs to minimize access as much as possible to a Linux system while maintaining ease of use for people who belong.
Now, I only wonder what happens when you combine this with tarpit, the program that opens every port on the system to make port scans fail footprinting.
- jbestrom, on 10/12/2007, -8/+9
Yes, and that is why almost all of the attacks on computers happen to Windows machines.
PS I use both Windows and Linux; I just hate when people make comments like this.
- jacks0n, on 10/12/2007, -0/+1
"80% of the people know Windows is superior, that is why it has that much market share...."
No. 80% of the people don't even know there's an alternative. 80% don't even know what an OS is. Windows was the easiest, and perhaps the best OS for the general public back in its day (what... like a decade ago?). And unfortunately once everyone started using it, the formats became standards, and no matter how good OS X/Linux/BSD/or *nix is... they'll take time to catch on.
- WorldGroove, on 10/12/2007, -1/+2
I did some asking around.... it seems most people use Windows because they're simply not aware anything other than Windows exists.
- PrionHunter, on 10/12/2007, -0/+0
@today
The kind of security a port knocking implementation has varies widely. If you aren't worried about people making a directed effort at targeting you and port knocking stays more a rarity than a widely used best practice then sure you're secure.
But now say you had a dedicated hacker sniffing packets and this hacker figured out that before a connection with an outside host is established there are these packets that keep getting sent to the same sequence of ports.
If the port knocking daemon and client don't use some concept of cryptography, even just a shared secret, or take into account security as a serious concern, I wouldn't suggest using them.
- sigmaman2, on 10/12/2007, -3/+2
@AmericaFirst
BTW, Windows is neither solid, nor an app.
- merreborn, on 10/12/2007, -3/+2
'I understand that point, but you cannot just casually say "once stealth is taken out of the equation"'
If port knocking becomes popular enough that it's deployed on a large fraction of the servers on the net, then stealth is absolutely out of the equation, and it's just another password scheme. A convoluted password scheme. The only reason it's 'secure' now, is that it's obscure.
And you know what they say about security through obscurity.
- Alex2, on 10/12/2007, -1/+0
Port knocking has been around for several years (at least six, when I first heard of it). It just hasn't caught on to be mainstream.
Google search of knockd bugs
http://www.google.ca/search?hl=en&q=bug+in+knockd&btnG=Search&meta=
I think that one reason it doesn't work is because it's more of a 'one user, one sneaky method to get in' way of obscuring an entrance.
Trouble is, you cannot rely on this in an organization where people come and go, because then you would have to change the whole knock sequence and let everyone on the list know.
May as well just use VPN when dialing in. Commercial firewalls already support VPN efficiently.
- Novagenesis, on 10/12/2007, -1/+0
It's obscurity if you can put the entrance method onto a piece of paper.
I could write all day, but there's no way I can tell you how to go onto my port if my firewall says "no way".
Further, if I encrypt something, no amount of passwords would work without having the key in hand...
That's security.
"I use a neat trick to open a port, and noooobody else knows it..they can't even tell the trick exists" = obscurity, no matter how close that is to secure
I can just imagine the company I work at enabling a knockd to allow "just anyone with the right password AND the knock trick" to get in
But on a more serious note... Is there a lockdown factor?
Since knockd -is- like a password, if someone were to try to brute-force in the assumption that knock might exist, is there a method to crash itself and block the attempt? If so, it's a little more secure, but still...
- solarpowered, on 10/12/2007, -2/+1
Make that ("to boldly go", etc.)
- sigmaman2, on 10/12/2007, -2/+1
@AmericaFirst.
Yes, it should have a marginally better market share...which it is earning. With each report, Linux's share does get "marginally better".
There was a point where Windows market share was 94 to 95%. Now it's around 80%. If Windows is so superior, why is the market share shrinking? And why is Linux's share getting "marginally better"?
- solarpowered, on 10/12/2007, -2/+1
The headline uses a split infinitive ("to boldly go", etc.).
Bad style. Shows a certain ignorance.
- sancho, on 10/12/2007, -1/+0
One problem I have with port knocking is that it's overly complex. Why "knock" on several ports? Why not just send a passkey to a single port? You can use one-time passwords (S/KEY- or OPIE-based) to prevent replay attacks, and your "knock" doesn't look anything like probing or a port scan to people inline to your computer.
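PrionHunter (a single packet to a closed port carrying a hash under a shared secret), ColdDimSum (sequences that change on every use so a capture cannot be replayed) and sancho (a one-time passkey to a single port) are all describing single-packet authorization. The example below is added here to show the shape of such a packet and of its verifier; it is not fwknop's, doorman's or any other project's code. Assumptions: a shared 32-byte secret, a datagram laid out as 8-byte timestamp || 16-byte random nonce || 32-byte HMAC-SHA256, a 30-second clock window, the client's source address mixed into the MAC, and an in-memory nonce cache; the function and class names and all sample values are constructed for the example.

```python
import hashlib
import hmac
import os
import struct
import time

WINDOW_SECONDS = 30   # assumed clock tolerance between client and server
KEY_LEN = 32          # assumed shared-secret length

def build_knock(secret: bytes, client_ip: str, now: int = None, nonce: bytes = None) -> bytes:
    """Client side: timestamp (8 bytes) || nonce (16 bytes) || HMAC-SHA256 (32 bytes)."""
    now = int(time.time()) if now is None else now
    nonce = os.urandom(16) if nonce is None else nonce
    body = struct.pack(">Q", now) + nonce
    # The source address is authenticated along with the body, so a captured
    # packet does not verify when it arrives from a different host.
    tag = hmac.new(secret, body + client_ip.encode(), hashlib.sha256).digest()
    return body + tag

class KnockVerifier:
    """Server side: one shared secret, one replay cache; no port is listening."""
    def __init__(self, secret: bytes):
        self.secret = secret
        self.seen = {}   # nonce -> packet timestamp, pruned as entries age out

    def verify(self, packet: bytes, src_ip: str, now: int) -> str:
        """Returns 'open' if the door should open for src_ip, else the rejection reason."""
        if len(packet) != 8 + 16 + 32:
            return "bad length"
        ts = struct.unpack(">Q", packet[:8])[0]
        nonce = packet[8:24]
        tag = packet[24:]
        expected = hmac.new(self.secret, packet[:24] + src_ip.encode(), hashlib.sha256).digest()
        # MAC first and in constant time: a plain == leaks timing about the tag.
        if not hmac.compare_digest(tag, expected):
            return "bad mac"
        if abs(now - ts) > WINDOW_SECONDS:
            return "stale"
        # Anything older than the window is already rejected as stale, so the
        # cache only has to remember nonces from inside the window.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= WINDOW_SECONDS}
        if nonce in self.seen:
            return "replay"
        self.seen[nonce] = ts
        return "open"

def demo() -> tuple:
    """Constructed exchange: one good knock, then the same capture reused three ways."""
    secret = b"\x01" * KEY_LEN           # constructed; use os.urandom(KEY_LEN) for real
    server = KnockVerifier(secret)
    t0 = 1_700_000_000
    pkt = build_knock(secret, "192.0.2.10", now=t0, nonce=b"\x42" * 16)
    first = server.verify(pkt, "192.0.2.10", now=t0 + 1)        # 'open'
    replay = server.verify(pkt, "192.0.2.10", now=t0 + 2)       # 'replay': nonce already seen
    moved = server.verify(pkt, "203.0.113.7", now=t0 + 2)       # 'bad mac': other source address
    tampered = bytearray(pkt)
    tampered[0] ^= 1                                            # flip a timestamp bit
    forged = server.verify(bytes(tampered), "192.0.2.10", now=t0 + 2)   # 'bad mac'
    old = build_knock(secret, "192.0.2.10", now=t0 - 120, nonce=b"\x43" * 16)
    stale = server.verify(old, "192.0.2.10", now=t0)            # 'stale': outside the window
    return first, replay, moved, forged, stale

if __name__ == "__main__":
    print(demo())
```

Compared with a port sequence, the sniffed packet is worthless after the window and useless from any other address, which is the property ColdDimSum's changing sequences are reaching for; finite's caveat still applies, since all the knock does is expose sshd, which must then authenticate the session as usual.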
- merreborn, on 10/12/2007, -3/+1
"There are no solutions which will work five years from now, because we haven't got the slightest idea what we'll be facing five years from now"
Um. There are plenty of common encryption schemes that have been in use for over a decade. They're still secure. Simple password security has been in use for decades longer. It's still pretty solid too. There are plenty of security schemes that last a long time. Any scheme that relies on the scheme being unpopular is a bad one. That's all there is to it.
- sigmaman2, on 10/12/2007, -4/+2
@AmericaFirst
Most people don't CHOOSE Windows. Most people have Windows FORCED ON THEM. They use Windows because it's the only choice given to them, and they don't realize that there are other OS choices. The majority choice is not the quality choice.
- NeoMike, on 10/12/2007, -2/+0
Tell me again why you need a daemon to do this? Any idiot with basic iptables knowledge can build port knocking using the "recent" module. I've been using it for years now. Also, this isn't security - it's security through obscurity. Do this on a wireless network I'm near and I'll instantly know how to access your ssh :-p
How'd this make the front page again?
- xose, on 10/12/2007, -4/+1
If Linux had 80% of the market and we got hit by viruses and hackers (which is unlikely anyway), you can be sure that we'll be getting free and fast security fixes and updates forever without all the "Prove to me you're not a pirate before I let you protect your computer" crap Windows users have been getting recently.
BTW, nice app! Might come in handy when I need to ssh to my home computer from university ;-)
- inactive, on 10/12/2007, -3/+0
knock clients will be the next spam. Soon I'll be knocked up .... and I am a male!
Not that it is anything that can't happen now, it is just that nobody had any reason to send the common "knocks" at me all day and all night. Folks will soon learn the new knock equivalent of "sex" as a password and start hammering every server on the net.
- merreborn, on 10/12/2007, -5/+1
jackl: Assume for a moment, that we're looking back from 5 years in the future, where everyone's jumped on the knockd bandwagon. Now, attackers KNOW that you're using knockd, because it's so popular.
Now, tell me again how this is a good idea?
- aamer, on 10/12/2007, -7/+1
oops, didn't mean to start a new thread ... bury this
- evilcow, on 10/12/2007, -11/+3
Sigh, good sarcasm is lost on so many.