Why Not Use Port Knocking? (2012)

36 points by srisa over 11 years ago

13 comments

zippergz over 11 years ago

I don't use port knocking, and I'm not convinced anyone should. But something bugs me about this kind of discussion.

There are two broad classes of attackers: targeted attackers, who specifically want to get into your system, and script kiddies who are scanning broad swaths of the Internet looking for an easy target. Most of these countermeasures, like port knocking and moving sshd to a different port, do very little to dissuade the first group. But they make you much less of a target for the second group.

These discussions (and so many security discussions on the internet) make the argument that unless something is effective against targeted attackers, it's not worth doing. That's ridiculous. In the 20+ years I've been running computers on the internet, targeted attackers are outnumbered by random scans thousands to one. Of course, you'll say, any countermeasure that's good enough to stop targeted attackers is good enough to stop these guys as well. And that's true, but for two things:

1. I like my logging and alerting to intentionally be loud when a targeted attacker is messing with my system. By raising the bar enough so that *only* targeted attackers get through, I'm able to do that.

2. There have been zero-day vulnerabilities in probably most of the daemons I've run over the years. And when those zero-days come, I inevitably get hit with *random* scans looking for vulnerable versions. Those are almost always stopped cold by things as simple as running on a different port. I'd like to think I'm pretty good at keeping up with vulnerability alerts and updating my software when something like that happens, but simple changes that buy me a little time aren't a bad thing.
tptacek over 11 years ago

Obligatory: I think port knocking is really silly and you shouldn't waste time with it. Disable root logins and password logins in SSH. If you have lots of hosts running SSH, collapse them down to one exposed SSH bastion host. Then get on with your life.
Sami_Lehtinen over 11 years ago

I personally see port knocking with a cryptographic payload just as one tool in layered security. I'm still wondering why people bother with horrible VPN/IPsec junk with annoying clients. I've got something like 10 different clients installed. It shouldn't be required at all, if systems and protocols are already secure. You can use something like a TOTP key as the payload to open ports up, or something more complex/secure if you want.

Afaik passwords aren't a bad option either. You should consider a password as a shared secret blob, not as a password. It's as unlikely that someone is going to guess a 256-bit password as it is that they guess any other 256-bit secret.
arethuza over 11 years ago

Completely off topic - I find the term "Port Knocking" somewhat amusing as my home village is Portknockie

http://www.portknockiewebsite.co.uk/

[NB I say home as my family has been there pretty much forever, I live in Edinburgh]
teddyh over 11 years ago

> Title: Why Not Use Port Knocking?

For me, the answer is simple: It violates Kerckhoffs's principle¹. If you want more secret bits that users need to know in order to access your system, *increase your password lengths*. If you want to keep log sizes manageable, *adjust your logging levels*.

1) https://en.wikipedia.org/wiki/Kerckhoffs%27s_principle
Zenst over 11 years ago

I've used it before, though this article seems to be fixated upon a fixed port sequence and fairly compares that to a password layer that is futile, as between you and the server you're knocking many people can see and know that sequence, making it moot.

Which I agree with. But if you use a port sequence derived from an S/KEY, then each port knock sequence is a one-time sequence never to be repeated.

It is a simple and dirty level of security using the much-hated obscurity approach, but by varying the ports via an arranged S/KEY sequence you can move it up a whole level. S/KEY is easy to do and worked well on an old old old Nokia over 10 years ago as a little simple Java app. Just using it to derive a port sequence instead of a one-time password.
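An added example of the S/KEY-style idea above (not Zenst's code or anything from the thread): both ends hold a constructed shared seed and chain length, walk a SHA-256 hash chain backwards, and fold each one-time value into three ports. Unlike true S/KEY the server must also hold the seed, because the knock itself carries only 48 of the value's 256 bits and so cannot be verified one-way; that is an assumption of this model, not a property of S/KEY.

```python
import hashlib

PORT_MIN, PORT_MAX = 1024, 65535  # constructed choice: derived knock ports stay in this range
SEQ_LEN = 3                       # knocks per sequence, like the three-port examples in the thread

def hash_chain(seed, n):
    """S/KEY-style chain: SHA-256 applied n times to the seed."""
    value = seed
    for _ in range(n):
        value = hashlib.sha256(value).digest()
    return value

def ports_from_otp(otp):
    """Fold a one-time value into SEQ_LEN ports: 16-bit chunks mapped into the port range."""
    span = PORT_MAX - PORT_MIN + 1
    return [PORT_MIN + int.from_bytes(otp[2*i:2*i+2], "big") % span for i in range(SEQ_LEN)]

class OneTimeChain:
    """Held by both ends: sequence i is derived from H^(n-i)(seed), so the chain is walked
    backwards and every value (hence every port sequence) is used exactly once."""
    def __init__(self, seed, n):
        self.seed, self.n, self.index = seed, n, 1

    def next_sequence(self):
        if self.index >= self.n:
            raise RuntimeError("chain exhausted; agree on a new seed")
        ports = ports_from_otp(hash_chain(self.seed, self.n - self.index))
        self.index += 1
        return ports

class KnockDaemon:
    """Server view: tracks progress through the one expected sequence and burns it once used."""
    def __init__(self, chain):
        self.chain, self.expected = chain, chain.next_sequence()
        self.progress, self.opened = 0, 0

    def knock(self, port):
        """Feed the destination port of one observed SYN; True when it completes a valid sequence."""
        if port == self.expected[self.progress]:
            self.progress += 1
        else:  # wrong port: restart, crediting the knock if it is the sequence's first port
            self.progress = 1 if port == self.expected[0] else 0
        if self.progress < SEQ_LEN:
            return False
        self.opened += 1
        self.progress = 0
        self.expected = self.chain.next_sequence()  # a captured sequence is now worthless
        return True
```

Replaying a sniffed sequence does nothing, which is the whole point; what remains is that anyone who can read the seed on either end can compute every future sequence, so the seed needs the same care as an SSH key.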
lazyant over 11 years ago

I don't use port knocking but:

"all implementations had the downside of adding yet another piece of clearly experimental software to my system along with somewhat convoluted procedures for setting the thing up" what? You can add port knocking with literally 3 iptables rules; netfilter is a rock-solid, proven piece of software.

"explain to me what problem this is supposed to solve." Visibility: if the target cannot be found there's no target to attack; security by obscurity is good (as long as security doesn't depend just on it).

I use a bastion host to ssh to my servers with a key and a different port (yes, a different port is good; for a couple of sysadmins, who cares if we broke some standard?)
cperciva over 11 years ago

I don't use port knocking because spiped is simpler and far more secure.
srisa over 11 years ago

*Each value is a 16-bit number, with a size of two bytes, or equal to two ASCII characters or one Unicode character. Port knocking examples generally do not run to more than three packets, which means that the minimum amount of information a prospective attacker would need to get right in order to gain access is six bytes, equal to six ASCII characters or three Unicode characters.*

Is the brute force effort being simplified too much? The Wikipedia entry says this about a brute force attack on port knocking: *As a stateful system, the port would not open until after the correct three-digit sequence had been received in order, without other packets in between.*

*That equates to a maximum of 65536³ packets in order to obtain and detect a single successful opening, in the worst case scenario. That's 281,474,976,710,656 or over 281 trillion packets. On average, an attempt would take approximately 9.2 quintillion packets to successfully open a single, simple three-port TCP-only knock by brute force.*
oakwhiz over 11 years ago

I wonder if some port knocking schemes can be attacked using a De Bruijn sequence. If the firewall only examines the last N potential knocks amongst K ports, sent from a given IP address, then every possible combination of knocks can be bruteforced in just K^N knocks (by taking into account the existence of every permutation as a subsequence within the De Bruijn sequence) instead of the more obvious (K^N)*N knock solution (naively trying each permutation in sequence.)

https://en.wikipedia.org/wiki/De_Bruijn_sequence
gmuslera over 11 years ago

fwknop ( http://www.cipherdyne.com/fwknop/ ) uses a single connection try (with certificates, and one that cannot be replayed even if captured) to open a port. It adds another potential point of failure in your chain to access, but if it is simple and well tested enough it could work as a protection.

And the main reason to have port knocking (over, i.e. fail2ban) is not stopping brute force attacks, but future vulnerabilities and exploits in services that should not be used by the whole internet. If there are very few persons, or machines, that should connect to a service (and the origin IPs are not fully known, to enable just them in the firewall), putting a fwknop or similar layer over those services should stop external people from even trying to connect to them.

And there actually have been vulnerabilities in ssh, vpns, puppet (a remote code execution vulnerability for it has been patched this very week) and more that could have been exploited before you knew about them.

Also, "plain" port knocking could be protected against brute force scanning by having trap ports: if you hit them, then your IP is blocked. That won't protect from a MITM that sees how you connect (NSA at the very least), but will prevent scanning.
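Sami_Lehtinen's "cryptographic payload" and gmuslera's description of fwknop come down to one mechanism: a single authenticated datagram that cannot be replayed. The following added example (not fwknop's code, nor anything from the thread) models that mechanism with a constructed shared key, a 30-second freshness window and a nonce cache; the packet layout is invented for illustration and is not wire-compatible with fwknop.

```python
import hashlib
import hmac
import os
import struct
import time

WINDOW = 30                 # seconds a knock stays valid (constructed choice)
PKT_LEN = 4 + 2 + 8 + 32    # timestamp, port, nonce, HMAC-SHA256 tag

def make_knock(key, client_ip, target_port, now=None):
    """Client: one authenticated datagram. The MAC binds the source IP and the port asked for,
    so a captured knock can only ever re-authorise that same IP to that same port, and the
    nonce lets the server refuse even that."""
    ts = int(time.time() if now is None else now)
    nonce = os.urandom(8)
    body = struct.pack("!IH", ts, target_port) + nonce
    tag = hmac.new(key, client_ip.encode() + body, hashlib.sha256).digest()
    return body + tag

class KnockVerifier:
    """Server: MAC check first, then freshness window, then a replay cache of nonces."""
    def __init__(self, key):
        self.key = key
        self.seen = {}  # nonce -> timestamp it carried

    def verify(self, pkt, client_ip, now=None):
        """Return the port to open for client_ip, or None to drop the datagram silently."""
        now = int(time.time() if now is None else now)
        if len(pkt) != PKT_LEN:
            return None
        body, tag = pkt[:14], pkt[14:]
        expected = hmac.new(self.key, client_ip.encode() + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time; nothing is parsed before this
            return None
        ts, port = struct.unpack("!IH", body[:6])
        nonce = body[6:]
        if abs(now - ts) > WINDOW:
            return None
        self.seen = {n: t for n, t in self.seen.items() if now - t <= WINDOW}  # expire old nonces
        if nonce in self.seen:
            return None
        self.seen[nonce] = ts
        return port
```

client_ip is whatever source address the server observed, so a spoofed knock only ever authorises the spoofed address, which the spoofer cannot use unless they sit on the path; that residual on-path exposure is the MITM caveat gmuslera raises.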
utnick over 11 years ago

I see port knocking as protection against an 0day sshd exploit instead of protection against brute forcing.

The article didn't really mention that angle.
antocv over 11 years ago

That was a lot of words to encourage use of the author's own tool instead of, or aside from, perhaps even with, port knocking.

The article hasn't anyway delivered any meaningful reason not to use port knocking, just a few straw-man arguments such as "most people only setup 3 port sequences".

The idea presented though is an interesting one: run your ssh on one port, and when that one authenticates with any method, only then allow connections to a second ssh on another port, which has perhaps only then begun listening or being allowed to accept connections from that specific uid, and if that authenticates then the user is in. Like having two gates in front of a city instead of a secret handshake with 16 port sequences, say.