| 1 |
On 10/14/2013 07:49 AM, Martin Vaeth wrote: |
| 2 |
> Michael Orlitzky <michael@××××××××.com> wrote: |
| 3 |
>> Port knocking is cute, but imparts no extra security. |
| 4 |
> |
| 5 |
> It does, for instance if you use it to protect sshd and |
| 6 |
> sshd turns out to be vulnerable; remember e.g. the |
| 7 |
> security disaster with Debian. |
| 8 |
> |
| 9 |
>> A better, secure way to achieve the same goal is with OpenVPN. |
| 10 |
> |
| 11 |
> Using yet another service with possible holes to protect a sshd? |
| 12 |
> In this case, I would like port knocking at least for this OpenVPN. |
| 13 |
> |
| 14 |
|
| 15 |
The sensitive parts of OpenVPN are audited regularly, and it uses "SSL" |
| 16 |
-- public key auth to exchange a symmetric key, both of which use |
| 17 |
tried-and-true algorithms/code. |
| 18 |
|
| 19 |
Port knocking on the other hand is just security through obscurity, and |
| 20 |
is visible over the wire (or over the air, most likely, if you're on a |
| 21 |
laptop). |
| 22 |
|
| 23 |
Obscurity does provide some benefit, but it gets dismissed because we |
| 24 |
tend to ignore the constant factor when talking about these things. A |
| 25 |
problem is "solved" if it's easy to exponentially increase the amount of |
| 26 |
work an attacker has to do. |
| 27 |
|
| 28 |
For an analogy, a somewhat-related issue is that of salting passwords. |
| 29 |
Typically one stores the salt in the database in clear text, and this |
| 30 |
tends to freak people out. |
| 31 |
|
| 32 |
Doesn't that make it easier for an attacker to brute force your |
| 33 |
passwords? Well, yes, but the salt isn't meant to stop a brute force |
| 34 |
attack. It's meant to stop rainbow table attacks. The way you stop brute |
| 35 |
force attacks is to use an algorithm with a variable number of rounds |
| 36 |
that can slow itself down (see: bcrypt). |
| 37 |
|
| 38 |
Hiding the salt would just be security through obscurity. You always |
| 39 |
assume that the attacker knows the details of your algorithm, including |
| 40 |
the constants. So while hiding the salt would make it a tiny bit harder |
| 41 |
to brute force, we ignore it in favor of the thing that makes it |
| 42 |
exponentially harder (variable rounds). |
| 43 |
|
| 44 |
Similarly, putting port knocking in front of OpenVPN is like putting a |
| 45 |
padlock on the bank vault. If someone is going to break OpenVPN, port |
| 46 |
knocking ain't gonna stop them. |
| 47 |
|
| 48 |
|
| 49 |
> It is exactly the kind of attacks for which one usually uses iptables. |
| 50 |
> You are right, iptables is just one extra step of security, so the |
| 51 |
> worst thing which can happen is that this step is useless. |
| 52 |
> However, if you are willing to risk this only because of your own |
| 53 |
> lazyness in scripting then why do you setup iptables in the first place? |
| 54 |
> |
| 55 |
|
| 56 |
All of my iptables scripts, even the big ones, run in under a second and |
| 57 |
get executed 2 or 3 times a year. There's some saying about a baby and |
| 58 |
bath water. |
| 59 |
|
| 60 |
It's not laziness I'm advocating, just simplicity. Simple, |
| 61 |
understandable code is more likely to be correct than clever code. And |
| 62 |
in this case, incorrect iptables code is more of a threat than the tiny |
| 63 |
race condition. |
Archives