1 |
On 10/14/2013 07:49 AM, Martin Vaeth wrote: |
2 |
> Michael Orlitzky <michael@××××××××.com> wrote: |
3 |
>> Port knocking is cute, but imparts no extra security. |
4 |
> |
5 |
> It does, for instance if you use it to protect sshd and |
6 |
> sshd turns out to be vulnerable; remember e.g. the |
7 |
> security disaster with Debian. |
8 |
> |
9 |
>> A better, secure way to achieve the same goal is with OpenVPN. |
10 |
> |
11 |
> Using yet another service with possible holes to protect a sshd? |
12 |
> In this case, I would like port knocking at least for this OpenVPN. |
13 |
> |
14 |
|
15 |
The sensitive parts of OpenVPN are audited regularly, and it uses "SSL" |
16 |
-- public key auth to exchange a symmetric key, both of which use |
17 |
tried-and-true algorithms/code. |
18 |
|
19 |
Port knocking on the other hand is just security through obscurity, and |
20 |
is visible over the wire (or over the air, most likely, if you're on a |
21 |
laptop). |
22 |
|
23 |
Obscurity does provide some benefit, but it gets dismissed because we |
24 |
tend to ignore the constant factor when talking about these things. A |
25 |
problem is "solved" if it's easy to exponentially increase the amount of |
26 |
work an attacker has to do. |
27 |
|
28 |
For an analogy, a somewhat-related issue is that of salting passwords. |
29 |
Typically one stores the salt in the database in clear text, and this |
30 |
tends to freak people out. |
31 |
|
32 |
Doesn't that make it easier for an attacker to brute force your |
33 |
passwords? Well, yes, but the salt isn't meant to stop a brute force |
34 |
attack. It's meant to stop rainbow table attacks. The way you stop brute |
35 |
force attacks is to use an algorithm with a variable number of rounds |
36 |
that can slow itself down (see: bcrypt). |
37 |
|
38 |
Hiding the salt would just be security through obscurity. You always |
39 |
assume that the attacker knows the details of your algorithm, including |
40 |
the constants. So while hiding the salt would make it a tiny bit harder |
41 |
to brute force, we ignore it in favor of the thing that makes it |
42 |
exponentially harder (variable rounds). |
43 |
|
44 |
Similarly, putting port knocking in front of OpenVPN is like putting a |
45 |
padlock on the bank vault. If someone is going to break OpenVPN, port |
46 |
knocking ain't gonna stop them. |
47 |
|
48 |
|
49 |
> It is exactly the kind of attacks for which one usually uses iptables. |
50 |
> You are right, iptables is just one extra step of security, so the |
51 |
> worst thing which can happen is that this step is useless. |
52 |
> However, if you are willing to risk this only because of your own |
53 |
> lazyness in scripting then why do you setup iptables in the first place? |
54 |
> |
55 |
|
56 |
All of my iptables scripts, even the big ones, run in under a second and |
57 |
get executed 2 or 3 times a year. There's some saying about a baby and |
58 |
bath water. |
59 |
|
60 |
It's not laziness I'm advocating, just simplicity. Simple, |
61 |
understandable code is more likely to be correct than clever code. And |
62 |
in this case, incorrect iptables code is more of a threat than the tiny |
63 |
race condition. |