
Thoughts on portknocking to add another layer of security?

  • 21-09-2008 8:44pm
    #1
    Closed Accounts Posts: 891 ✭✭✭


    :pac:


Comments

  • Registered Users, Registered Users 2 Posts: 1,058 ✭✭✭Ronan H


    Sounds like something I used to do on my neighbour's door at Hallowe'en, albeit a technological version of it :D.

    Sorry, I had to...it was there for the taking...

    Head


  • Closed Accounts Posts: 891 ✭✭✭conceited


    I usually knock on doors myself :D


  • Registered Users, Registered Users 2 Posts: 16,288 ✭✭✭✭ntlbell


    You're adding more complexity for little reward, and it heads down the road of security through obscurity.

    There are far too many admins out there that don't cover the basics and more attention on this rather than fancy pancy overcomplicated nonsense and the world would be a better place.


  • Closed Accounts Posts: 891 ✭✭✭conceited


    Having a bad day?


  • Registered Users, Registered Users 2 Posts: 16,288 ✭✭✭✭ntlbell


    conceited wrote: »
    Having a bad day?

    Nope, a rough 10 years ;)


  • Closed Accounts Posts: 891 ✭✭✭conceited


    Fair enough!


  • Registered Users, Registered Users 2 Posts: 16,288 ✭✭✭✭ntlbell


    Usually when looking for thoughts on something it's a good idea to start with your own.

    What do you think about it?


  • Closed Accounts Posts: 752 ✭✭✭JimmyCrackCorn!


    Port knocking is overkill and I don't think it's suitable if you mean commercial use. It's fine if you're the home paranoid type.

    TBH I've never seen anyone actually use it and I just remember reading the code chunks.


    OpenVPN or tunnelling over SSH is enough once you have an up-to-date system (that Debian bug whose name shall not be mentioned).


  • Closed Accounts Posts: 891 ✭✭✭conceited


    I think it is not overkill or a security through obscurity situation.

    Imagine having a packet sniffer or firewall to allow a knock sequence of say 10 knocks or more. Then when the correct sequence is recorded, starting an SSH daemon. Wouldn't that be another layer "excellent" before entering a password to gain access to the service provided? I think it's a great idea myself. It could even be used for covert channels and all interesting ideas.


  • Registered Users, Registered Users 2 Posts: 16,288 ✭✭✭✭ntlbell


    conceited wrote: »
    I think it is not overkill or a security through obscurity situation.

    Imagine having a packet sniffer or firewall to allow a knock sequence of say 10 knocks or more. Then when the correct sequence is recorded, starting an SSH daemon. Wouldn't that be another layer "excellent" before entering a password to gain access to the service provided? I think it's a great idea myself. It could even be used for covert channels and all interesting ideas.

    If you don't think it's security via obscurity then you simply haven't grasped what the phrase means. The tool was mostly used by script kiddies to hide listening services on a compromised box _hiding_

    You're adding a level of complexity for the Sysadmin/Sec admin, you're adding another level of complexity for users for little or no reward as it's something that can be easily compromised.

    Over the years this has been discussed by every sec professional worth mentioning and crops up every now and then when the next bright spark discovers it and thinks it's a great idea.

    If the basics are done right there's no need for it, it adds no real value.


  • Closed Accounts Posts: 891 ✭✭✭conceited


    If you don't think it's security via obscurity then you simply haven't grasped what the phrase means. The tool was mostly used by script kiddies to hide listening services on a compromised box _hiding_
    Why do you feel it does? My understanding is very clear on that "term".


  • Closed Accounts Posts: 752 ✭✭✭JimmyCrackCorn!


    It appeared in Phrack a long time ago with the sole purpose, as ntlbell said, of hiding a back door. A way to ensure that a listening service could not be detected. It was never intended to be used commercially.

    To implement this you would need to run a sniffer or a dodgy kernel patch. This adds a layer of complexity and also adds a cost.

    So ask yourself the question: what threat scenario will port knocking save you from?

    Is it worth the time and effort of implementing?

    If I deployed OpenVPN and secured it properly, where would the weak points be? My guess would be the clients connecting to the server, not the server. I know I'd target them before a well set up VPN server.

    Risk analysis and cost-benefit analysis.


  • Registered Users, Registered Users 2 Posts: 16,288 ✭✭✭✭ntlbell


    conceited wrote: »
    Why do you feel it does? My understanding is very clear on that "term".

    The hint is in the post....


  • Closed Accounts Posts: 891 ✭✭✭conceited


    If you don't think it's security via obscurity then you simply haven't grasped what the phrase means. The tool was mostly used by script kiddies to hide listening services on a compromised box _hiding_
    I don't think you fully understand the concepts behind portknocking at all.
    Port knocking uses access control.
    How is it security through obscurity exactly?


  • Registered Users, Registered Users 2 Posts: 16,288 ✭✭✭✭ntlbell


    conceited wrote: »
    I don't think you fully understand the concepts behind portknocking at all.
    Port knocking uses access control.
    How is it security through obscurity exactly?

    Because the services are hidden?

    Have a read around; everyone, even the original devs, accepts that it's security via obscurity.

    Some argue that as you're adding obscurity as another level it's not as bad, but it's globally accepted by people with a lot more knowledge than you or I to be security via obscurity.

    This argument is a bit retro..

    Are you very young?


  • Closed Accounts Posts: 891 ✭✭✭conceited


    It appeared in Phrack a long time ago with the sole purpose, as ntlbell said, of hiding a back door. A way to ensure that a listening service could not be detected. It was never intended to be used commercially.

    To implement this you would need to run a sniffer or a dodgy kernel patch. This adds a layer of complexity and also adds a cost.

    So ask yourself the question: what threat scenario will port knocking save you from?

    Is it worth the time and effort of implementing?

    If I deployed OpenVPN and secured it properly, where would the weak points be? My guess would be the clients connecting to the server, not the server. I know I'd target them before a well set up VPN server.

    Risk analysis and cost-benefit analysis.


    I read many articles on it. I haven't seen that Phrack article. You could use a simple bash script; you don't need to make it complicated.
    Services are exploited every day and the exploit to break into a system is not available to everyone, it's "private" like most exploits are.

    If you target the client you'll obviously have a login and pass so it's irrelevant as portknocking doesn't give you anything extra in that sense.

    You're under the impression portknocking was used instead of something else. I'm telling you it will complement it by adding another layer of security.
    ntlbell wrote:
    Because the services are hidden?

    Have a read around; everyone, even the original devs, accepts that it's security via obscurity.

    Some argue that as you're adding obscurity as another level it's not as bad, but it's globally accepted by people with a lot more knowledge than you or I to be security via obscurity.

    This argument is a bit retro..
    Are you very young?

    Yes they are hidden.
    But how does an attacker know they're hidden? Try to connect with the server and you get no response back, none! Even if you tell the attacker it's being used it won't change anything.
    Why won't it change anything? Well, if he tries to guess the correct knock, 2^16*protocol*flags*etc*etc, how long do you think that would take?
    He will be blocked after 4 attempts but he won't know that as he is not going to get a response back anyway, as I've explained already.
    There's nothing obscure about an access control system, encryption and a logging system.

    So now you say he can replay a sequence he sniffed on the network, but which IP is it coming from?
    As for the personal questions.
    You "assume" a lot.
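
Added example, not part of the thread and not taken from any port-knocking tool: the per-source knock validation with a four-attempt lockout that the post above describes, run over constructed log events. `SEQUENCE`, `WINDOW`, `KnockTracker` and the addresses are assumptions made for illustration.

```python
from dataclasses import dataclass

SEQUENCE = (7000, 8123, 9421, 6007)  # constructed knock order (hypothetical)
WINDOW = 10.0        # assumed: seconds allowed to complete the sequence
MAX_FAILURES = 4     # lockout threshold, the "4 attempts" from the post

@dataclass
class SourceState:
    progress: int = 0     # how many knocks of SEQUENCE matched so far
    started: float = 0.0  # time of the first matching knock
    failures: int = 0     # wrong knocks seen from this source

class KnockTracker:
    def __init__(self):
        self.sources, self.allowed, self.blocked = {}, set(), set()

    def observe(self, ts, src, port):
        """Process one logged connection attempt; return the firewall decision."""
        if src in self.blocked:
            return "blocked"
        st = self.sources.setdefault(src, SourceState())
        if st.progress and ts - st.started > WINDOW:
            st.progress = 0                  # stale partial sequence expires
        if port != SEQUENCE[st.progress]:
            st.progress = 0
            st.failures += 1
            if st.failures >= MAX_FAILURES:
                self.blocked.add(src)        # drop everything from src from now on
                return "blocked"
            return "silent"
        if st.progress == 0:
            st.started = ts
        st.progress += 1
        if st.progress < len(SEQUENCE):
            return "silent"
        st.progress = 0
        self.allowed.add(src)                # open the service for this source only
        return "open"

# Constructed log events: (timestamp, source address, destination port)
EVENTS = [
    (0.0, "192.0.2.10", 7000), (0.4, "192.0.2.10", 8123),
    (0.9, "192.0.2.10", 9421), (1.3, "192.0.2.10", 6007),   # correct knock
    (2.0, "198.51.100.7", 22), (2.1, "198.51.100.7", 23),
    (2.2, "198.51.100.7", 80), (2.3, "198.51.100.7", 443),  # four wrong guesses
    (2.4, "198.51.100.7", 7000),                            # too late: locked out
]

def run(events):
    tracker = KnockTracker()
    return tracker, [tracker.observe(*e) for e in events]
```

From outside, "silent" and "blocked" look identical (no reply), which is the behaviour the post relies on. The sequence itself is static, so authorisation is bound only to the source address that sent it.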


  • Registered Users, Registered Users 2 Posts: 2,534 ✭✭✭FruitLover


    Is it worth the time and effort of implementing?
    ...
    Risk analysis and cost-benefit analysis.

    I think these are the ultimate questions/answers regarding an issue like this. Taking an example of running an SSH server for personal use on a non-standard port; I think that's worth doing (minimal cost, obvious benefit). I wouldn't personally be arsed implementing port-knocking, but I could see a potential benefit (in that any extra step an attacker has to go through, no matter how small, might reduce your potential attacker pool).


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    I think these are the ultimate questions/answers regarding an issue like this. Taking an example of running an SSH server for personal use on a non-standard port; I think that's worth doing (minimal cost, obvious benefit). I wouldn't personally be arsed implementing port-knocking, but I could see a potential benefit (in that any extra step an attacker has to go through, no matter how small, might reduce your potential attacker pool).

    I believe the point conceited makes is this:

    In a big corporate network, your industry... whatever, no portknocking.

    As for personal security as an attacker, hiding something within that big corporate network, perhaps your industry... of course it's a good idea, can't see anything wrong with it tbh.

    I asked a couple of guys working for big hosting companies "how do you detect rootkits on your server" and some of them answered "use nmap now and again" - see? That's fecking stupid.

