| 1 |
On Saturday 02 February 2008 08:42:25 pm Grant wrote: |
| 2 |
> > > port-knocking is the biggest load of fud (Microsoft products apart) I |
| 3 |
> > > have heard about in ages. The term snake-oil comes to mind, as |
| 4 |
> > > does "security by obscurity and obfuscation" which we all know is no |
| 5 |
> > > security at all. |
| 6 |
> > |
| 7 |
> > Uhm. Security by obscurity is not good because it hides something *that |
| 8 |
> > is known for sure to be there*. Port knocking, on the other hand, makes |
| 9 |
> > a computer appear as if nothing is there. No open ports. |
| 10 |
> > A computer with all ports closed which uses portknocking and a computer |
| 11 |
> > with just all ports closed cannot be told apart from remote, either by |
| 12 |
> > portscanning or whatever mean. What the attacker sees is just "no open |
| 13 |
> > ports". It could, of course, imagine that port knocking might be in use, |
| 14 |
> > but even in that case, he would have to discover the knock sequence. |
| 15 |
> > With a knock sequence long enough (say, 8 ports), the likeliness of such |
| 16 |
> > a discovery is really low (1/65535^8 in this case). And, even if he |
| 17 |
> > succeeds, he just opens a port (as if there was no portknocking), and |
| 18 |
> > still has to violate whatever security measure is in place for the |
| 19 |
> > service (eg, ssh authentication). |
| 20 |
> > |
| 21 |
> > > I don't care if the originating process knocks on the well known port |
| 22 |
> > > with gold plated gloves hand braided from the finest Unobtainium by |
| 23 |
> > > seductive alluring Puerto Rican virgins, the receiving machine still |
| 24 |
> > > has to open another port short thereafter. This is not a magic port |
| 25 |
> > > and is not wrapped in Star Trek's finest stealth cloak, it's a port |
| 26 |
> > > that does TCP/IP stuff. |
| 27 |
> > > |
| 28 |
> > > If the end process listening on the newly opened port is in any way |
| 29 |
> > > weak - and this is the only possible reason anyone would ever try the |
| 30 |
> > > port knocking workaround - it's just as weak when it's listening on an |
| 31 |
> > > obfuscated port number. |
| 32 |
> > |
| 33 |
> > This is not true, for at least two reasons: |
| 34 |
> > |
| 35 |
> > - the port stays open only for the duration of the connection, not all |
| 36 |
> > the time; |
| 37 |
> > |
| 38 |
> > - at least with some implementations, the port is opened *only to the IP |
| 39 |
> > address of the user who did the knock*, not to the whole world. |
| 40 |
> > |
| 41 |
> > > If it's open, I can find it. If it's weak, I can get in. Then it's game |
| 42 |
> > > over, go home, I win. |
| 43 |
> > |
| 44 |
> > See above. |
| 45 |
> > |
| 46 |
> > > I've yet to hear positive things about port knocking from someone who |
| 47 |
> > > actually implemented it fully. In truth it's just a major pain in the |
| 48 |
> > > arse that makes the admin's life miserable and gives the boss a warm |
| 49 |
> > > fuzzy feeling based on hot air. |
| 50 |
> > |
| 51 |
> > I don't know about large setups, where it might be very possible that |
| 52 |
> > port knocking becomes a major PITA as you say. But I have setup and used |
| 53 |
> > port knocking for remote ssh access lots of time in the past, and never |
| 54 |
> > had a problem. This is just my little experience, of course. |
| 55 |
> |
| 56 |
> OK, port knocking is going back on the todo list. |
| 57 |
> |
| 58 |
> - Grant |
| 59 |
|
| 60 |
Wow... that was easy... |
| 61 |
|
| 62 |
|
| 63 |
:') |
| 64 |
|
| 65 |
|
| 66 |
|
| 67 |
|
| 68 |
-- |
| 69 |
|
| 70 |
|
| 71 |
From the Desk of: Jerome D. McBride |
| 72 |
-- |
| 73 |
gentoo-user@l.g.o mailing list |
Archives