M. Fioretti wrote:
> On Sat, Feb 17, 2007 13:34:39 PM +1300, MrKiwi (mrkiwi@xxxxxxxxx)
> wrote:
> > Beware of the thread ...
> > http://slashdot.org/it/04/02/05/1834228.shtml?tid=126&tid=172
> > on Slashdot regarding Port Knocking - there are some good points,
> > but loads and loads of misinformation and uninformed whining about
> > Port Knocking lowering your overall level of security.
> May we ask you to sum up in a few lines both the good points and the
> misinformed/whining ones?
> Thank you in advance,
> Marco
Sure;
Gems/Insightful comments.
"Thus, it is impossible to distinguish a totally silent box
(listening on no ports, dropping all packets) that has
implemented port knocking from a box that is merely totally
silent."
"The idea has been around but this is the first real
implementation I've heard of; would make port scanning
completely useless. The problem is relying on additional
client-side tools. I guess you could manually telnet to a
series of ports quickly, then opening the ssh connection but
the special packet idea wouldn't work unless you had proper
tools on the client side."
[Note there are now many client side tools (nix/win/mac)
which implement port knocking and/or SinglePacketAuthorization]
"The funny thing is, why open up ports in a general fashion?
Why not just open up those ports to connections from the IP
that knocked?"
Most good implementations do just this - you knock, the port
knocking server opens the firewall for ONLY your IP to
connect to ONLY one port. EvilHacker can still scan the
server and find no open port.
"Don't rely on something remaining secret unless you're
willing to protect it as a secret. This "knock to open" is
just another hoop a cracker has to jump through on the way
into your machine. It will stop the clueless ones cold until
they read about how the observant ones got around it, then
it won't stop anybody.
But it might also lull the owner of the box into a false
sense of security, and to the extent it does, it's a bad idea."
The first part of this is true - but in the same way that
"brute forcing an encrypted packet before its payload
becomes of no value" is another hoop that thankfully few
crackers have managed to jump through.
In my opinion, port scans which lead to login or cracking
attempts will still make up the bulk of malicious traffic
for a long time yet. Port knocking reduces your visibility.
The enemy already has infrared goggles, so why does the army
still wear camo?
The second point is the most dangerous part of port knocking
- a false sense of protection.
Whines/Missed the point/Plain wrong.
1. "This doesn't seem like much of an advantage over simply
using different ports for services"
It has the advantage of being able to use standard OR
non-standard ports, however only *your* clients can even see
the open port to connect to.
An analogy would be: a lock-picker can easily pick your door
lock. If he must know a special 'knock' pattern before he
can even see/touch the lock, his lock picking skills become
much less valuable.
2. "the whole thing seems kind of insecure to me without a
method to dynamically change the knocking sequence"
No - All port knocking does is hide the open port from
people who don't know the knock (caveat below). This in no
way introduces any kind of insecurity.
Caveat: port knocking can be implemented with crypto-style
payloads to eliminate the risk of a replay attack, so even
knowing the port knock sequence doesn't open the port if you
don't have a way to generate the correct packet payloads.
I don't know much about this, however there is a more
advanced version which builds on this (and other concepts
too) - Single Packet Authorization. Google it.
3. "Something tells me I'm going to be seeing a lot bigger
firewall logs in the future, as this catches on."
Nope - No more than the 000's of log entries you already get
from port scans.
4. "Open a whole range of ports--say, a couple thousand.
Then an attacker won't (easily) be able to try all the
possible knock sequences."
This misses the point - you leave the ports closed. An
attacker cannot (easily) tell the difference between a
port-knocking protected ssh port, and a server which is not
running ssh. In both cases, the ssh port is closed. In the
first case, it only opens after you knock on a seq of
*closed* ports. In the second case, no combination of
knocking on ports will open the ssh port.
5. "Ports that are closed but part of the knocking scheme
would return a connection refused, while all the other
(filtered) ports would simply be dropped"
No - Your firewall will not REJECT the packets, it will DROP
them, no differently to before port knocking.
6. "This isn't going to catch on. It's not more secure and
it wastes more resources.
Why would this be any more secure than listening on a single
port for the "unique knock sequence?" Any good admin knows
the most secure system is one that is listening on as few
ports as possible."
Missed the point completely. I will break it down:
a. "This isn't going to catch on". Thanks Nostradamus, but
it already has.
b. "It's not more secure ..." Yes it is. Crudely, fewer open
ports => more secure.
c. "and it wastes more resources." - No. A watched series of
ports takes barely more resources than `tail
firewall.log|portknockingserver`, and many times less than
are used when an attacker connects to an open port.
d. "Why would this be any more secure than listening on a
single port for the "unique knock sequence?" Because
listening 'on a single port' would be either an open port,
or opened by a port scan.
e. "Any good admin knows the most secure system is one that
is listening on as few ports as possible." Yay! You got one
right. The word 'listening' is an unfortunate term for what
port knocking servers do. 'Watching' would be better. They
don't open any of the watched ports.
7. "i submit it could actually be less secure...
1. dos attacks!
2. sniff the port knocks"
No - DoS requires that you (the attacker) consume resources
on the target box to a point where services are denied to
legit users. If a vicious level of port scans cannot DoS the
firewall, then a well implemented port knocking server will
not be easily tipped over by this.
It has been shown that even in the middle of a DoS attack, a
port knocking implementation will still open the ports for
legit users, however there is one situation where you can
replay packets to prevent a valid user getting an open port.
SPA solves this issue.
Sniffing the port knocks only gets you an open port ... you
still need all the skill/luck to break (say) ssh once you
get an open port, so it is no less secure than a web facing
ssh port. In fact some implementations close the port after
x failed attempts, so basically you are wrong.
8. (in reply to the suggestion to use one-time port
sequences) "If you're going to go so far as to require a
one-use pad, then you can forget about the whole "port
knocking" concept -- there's no stronger password than a
1-use password."
Missed the point. Port knocking mitigates zero-day security
issues, like ping-of-death etc. Even the most simple port
knock seq will protect you from portscan->automated hacks.
No password - even shell=/dev/null - will protect you from
that.
The point is that if your ports are open, your pants are down.
That pretty much wraps it up.
MrKiwi,
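The two mechanisms argued over above (a knock sequence watched in the firewall's DROP log that opens the protected port for only the knocking IP, and the replay-resistant SPA-style payload mentioned in the caveat to point 2) as an added, self-contained example. This is illustrative code written for this page, not MrKiwi's setup or any real port-knocking daemon: the log lines, the knock sequence 7000/8000/9000, the shared key and the counter scheme are all constructed assumptions, and the emitted iptables rule is only printed, never applied.

```python
import hashlib
import hmac
import re

# Constructed iptables-style DROP log lines (sample data for this example).
# 203.0.113.5 sends the correct knock; 192.0.2.77 port-scans, which resets
# its progress even though it eventually hits the right ports.
SAMPLE_LOG = """\
Feb 17 13:34:01 gw kernel: FW-DROP IN=eth0 SRC=203.0.113.5 DST=198.51.100.9 PROTO=TCP SPT=40001 DPT=7000
Feb 17 13:34:02 gw kernel: FW-DROP IN=eth0 SRC=203.0.113.5 DST=198.51.100.9 PROTO=TCP SPT=40002 DPT=8000
Feb 17 13:34:03 gw kernel: FW-DROP IN=eth0 SRC=203.0.113.5 DST=198.51.100.9 PROTO=TCP SPT=40003 DPT=9000
Feb 17 13:34:10 gw kernel: FW-DROP IN=eth0 SRC=192.0.2.77 DST=198.51.100.9 PROTO=TCP SPT=51000 DPT=7000
Feb 17 13:34:11 gw kernel: FW-DROP IN=eth0 SRC=192.0.2.77 DST=198.51.100.9 PROTO=TCP SPT=51001 DPT=22
Feb 17 13:34:12 gw kernel: FW-DROP IN=eth0 SRC=192.0.2.77 DST=198.51.100.9 PROTO=TCP SPT=51002 DPT=8000
Feb 17 13:34:13 gw kernel: FW-DROP IN=eth0 SRC=192.0.2.77 DST=198.51.100.9 PROTO=TCP SPT=51003 DPT=9000
"""

KNOCK_SEQUENCE = [7000, 8000, 9000]  # hypothetical knock; these ports stay CLOSED
PROTECTED_PORT = 22                  # the port opened for the knocker only
KNOCK_WINDOW = 10                    # seconds allowed to finish the sequence

TS_RE = re.compile(r"^\w{3} +\d+ (\d\d):(\d\d):(\d\d)")
LOG_RE = re.compile(r"SRC=(?P<src>[\d.]+) .*?DPT=(?P<dpt>\d+)")


def parse_line(line):
    """Return (seconds_of_day, src_ip, dst_port) for a DROP log line, else None."""
    m_ts = TS_RE.match(line)
    m = LOG_RE.search(line)
    if not m_ts or not m:
        return None
    h, mi, s = (int(x) for x in m_ts.groups())
    return h * 3600 + mi * 60 + s, m.group("src"), int(m.group("dpt"))


def watch(lines, sequence=KNOCK_SEQUENCE, window=KNOCK_WINDOW):
    """Run DROP log lines through the knock state machine ("tail log | server").

    Returns one (src_ip, rule) per completed knock. The rule is what a daemon
    would apply: allow ONLY that source to ONLY the protected port. A wrong
    port (including a scan touching the ssh port itself) resets that source,
    so a scanner never turns the knock into an open port by accident.
    """
    progress = {}  # src_ip -> (next index in sequence, time of first knock)
    opened = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, dpt = parsed
        idx, started = progress.get(src, (0, ts))
        if ts - started > window:  # too slow: start over
            idx, started = 0, ts
        if dpt == sequence[idx]:
            idx += 1
        else:  # wrong port: reset, or restart if it was the first knock port
            idx, started = (1, ts) if dpt == sequence[0] else (0, ts)
        if idx == len(sequence):
            rule = f"iptables -I INPUT -s {src} -p tcp --dport {PROTECTED_PORT} -j ACCEPT"
            opened.append((src, rule))
            progress.pop(src, None)
        else:
            progress[src] = (idx, started)
    return opened


# SPA-style variant: one packet whose payload is authenticated and cannot be
# replayed. The key and the "ip:counter:hmac" layout are constructed for this
# example, not the format of any real SPA implementation.
SHARED_KEY = b"constructed-demo-key"


def make_spa_packet(src_ip, counter, key=SHARED_KEY):
    """Client side: bind the packet to the sender's IP and a rising counter."""
    msg = f"{src_ip}:{counter}".encode()
    tag = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return msg + b":" + tag.encode()


class SpaServer:
    def __init__(self, key=SHARED_KEY):
        self.key = key
        self.last_counter = {}  # src_ip -> highest counter accepted so far

    def check(self, packet, observed_src):
        """Accept only a fresh, correctly keyed packet from the IP it names."""
        try:
            ip, counter, tag = packet.decode().split(":")
            counter = int(counter)
        except ValueError:
            return False
        expected = hmac.new(self.key, f"{ip}:{counter}".encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return False  # wrong key or tampered payload
        if ip != observed_src:
            return False  # sniffed packet resent from another host
        if counter <= self.last_counter.get(ip, -1):
            return False  # replay of an already-used packet
        self.last_counter[ip] = counter
        return True


if __name__ == "__main__":
    for src, rule in watch(SAMPLE_LOG.splitlines()):
        print(f"knock completed by {src}: {rule}")
    server = SpaServer()
    pkt = make_spa_packet("203.0.113.5", 1)
    print("first SPA packet:", server.check(pkt, "203.0.113.5"))
    print("same packet replayed:", server.check(pkt, "203.0.113.5"))
```

Running it shows only 203.0.113.5 earning a rule, and the rule names that IP alone, which is the "open ONLY for your IP to ONLY one port" behaviour from the reply; the scanner's traffic stays dropped exactly as before. The SPA half shows why knowing the sequence (or sniffing one packet) is not enough once the payload is keyed and counted: the same bytes are rejected the second time and when sent from a different address.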
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos