Results 1 to 8 of 8

Thread: Improve security with Portknocking

  1. #1
    Join Date
    Apr 2004
    Location
    Netherlands
    Posts
    1,307

    Improve security with Portknocking

    I just read an interesting article in the Dutch C'T magazine about Portknocking:

    Because a lot of WL-500g users have services running on the WAN side, security is an issue for them. While most home users won't be a major target for hackers, one should do as much as possible to prevent hackers accessing the router and LAN clients.

    Compromised networks can be used by hackers to store illegal or criminal material on your computer. While this doesn't sound very serious, it really is: the need for a good security has recently been been emphasised by a court verdict on someone who had a few pictures of nude children on its computer which he hadn't downloaded on perpose. This means you can be convicted on posession of illegal/criminal material even if you're not aware of having this material on your computer.

    The method of Portknocking provides a radical new way of securing your network. It can be accomplished by using the iptables in an ingenious way in such a way that your network seems to be completely stealthed to the outside world without cripling your services to the WAN.

    If you've become intersted in Portknocking you can read all about it here: www.portknocking.org

  2. #2
    Quote Originally Posted by Styno
    I just read an interesting article in the Dutch C'T magazine about Portknocking
    Problem is: you open up the risk of introducing a bug in your portknock daemon.
    It's really not that different from any other daemon, except it uses an unusual
    protocol.

  3. #3
    Join Date
    Apr 2004
    Location
    Netherlands
    Posts
    1,307
    Hmm, have you read the article and/or website?

    This method lets you stealth all ports, so it will appear to hackers there is no router/computer at the IP address present.

    The hacker will have to knock to a specific port (somewhere in the 64k ! range) and check if the port of any other service opened after the knock. To brute force knocking every port (all 64k of them) and then check every possible service port (at least the lower 1024) will be allmost impossible due to the time it takes and the bandwidth needed.

    The daemon checks syslog for incoming traffic and if the hacker does not knock to the right port the daemon will do nothing. The hacker does not communicate with the daemon directly, so there is no immediate security risk here.

    The opposite is true: for all but the most experienced hackers it seems your computer is offline. What better security can you wish?! Even very experienced security specialists are enthousiastic about this method.

  4. #4
    I'm sick and tired of scans and attack attempts on my ssh/ftp by people who have no lives. So I am going to use port-knocking for sure, as I'm the only person using my ssh/ftp

    For people who don't know the details abour portknocking:

    www.portknocking.org

    Also an interesting article:

    http://www.hexi-dump.org/bytes.html

  5. #5
    Quote Originally Posted by Styno
    Hmm, have you read the article and/or website?
    Of course.

    You are right that currently, portknocking is sufficiently unused that no script kiddie is going to bother trying to hack through it.

    But other than that, it doesn't in and of itself provide any particular security. The problem is still the same: some potentially malicious packets arrive at your host and trigger some code to be executed, and you have to make sure that this code is safe for all possible malicious sets of packets.

    Those packets can be part of a normal TCP connection to the SSH port triggering kernel TCP code and user-level SSH daemon code.

    Or they can be part of the ICMP level protocol and again trigger kernel code (and rarely user-level code).

    Or they can be part of a portknocking protocol, triggering kernel-level code, as well as user-level code (e.g. some kind of syslogger plus the portknock daemon).

    So you're really exchanging the portknocking code for the SSH auth code. It's probably a bit safer because it's much less code, but not because "your computer seems not to exist".

  6. #6
    Quote Originally Posted by Exirion
    I'm sick and tired of scans and attack attempts on my ssh/ftp by people who have no lives.
    Get and life, and stop watching the log of unsuccessful connection attempts.
    After all, in all likelihood a successful break in would not appear there anyway.

  7. #7
    Join Date
    Apr 2004
    Location
    Netherlands
    Posts
    1,307
    Quote Originally Posted by monnier
    Of course.

    You are right that currently, portknocking is sufficiently unused that no script kiddie is going to bother trying to hack through it.

    But other than that, it doesn't in and of itself provide any particular security. The problem is still the same: some potentially malicious packets arrive at your host and trigger some code to be executed, and you have to make sure that this code is safe for all possible malicious sets of packets.

    Those packets can be part of a normal TCP connection to the SSH port triggering kernel TCP code and user-level SSH daemon code.

    Or they can be part of the ICMP level protocol and again trigger kernel code (and rarely user-level code).

    Or they can be part of a portknocking protocol, triggering kernel-level code, as well as user-level code (e.g. some kind of syslogger plus the portknock daemon).

    So you're really exchanging the portknocking code for the SSH auth code. It's probably a bit safer because it's much less code, but not because "your computer seems not to exist".
    NOFI, but I really don't think you've got the idea of how portknocking works .

    Consider a server with all ports stealthed, with a portknocking daemon running and an administrator trying to connect to the server through the internet. He will have to portknock before he can make a connection.

    The firewall on a server with the portknocking daemon will drop every incoming packet by default and adds a line to syslog when it does. The portknock daemon checks syslog for special sequences of dropped packages and acts accordingly. This dropping of packages isn't going to breach your server, parsing the syslog isn't either, or else the firewall code is unusable anyway. The SSH daemon isn't exposed to the internet (its probably not even running) while the right portknock hasn't been given so there's no problem at that end too. When a valid portknock sequence has been detected the daemon will start the SSH daemon and add rules to the firewall to open a certain port. After the connection to the SSH daemon has closed, the portknock daemon will remove the firewall rules which effectively 'stealthenizes' the server again.

    A typical portknocking sequence would look something like this:
    Knock ports 64621, 2123, 4576, 22981 within 3 seconds then port 57219 will open for 5 seconds for you to create a SSH connection with the server. If you fail the first time-out no port will be openend, if you fail the second the open port is stealthed after 5 seconds. In all other circumstances ALL ports are stealthed, so noone knows for sure there is even a server at the given IP address.

    These sequences are sooooo safe, noone will ever be able to crack them, because of the time limits and the high number of ports (64k) and the limited bandwith. This example with 4 knocks gives you 64000^4 options which is a lot . While the example above is very safe allready you can make it even safer by using a sort of randomizer to the sequence, so even if your connection is intercepted, the attacker can't use an old portknock sequence because its not valid anymore.

    Now, you are going to tell me how this is going to be cracked...

    Let me state once more: this portknocking is mostly intended for use on important servers connected to the internet and is perhaps too complex for simple home users, but this doesn't mean a home user can't use it.
    Last edited by Styno; 28-09-2004 at 15:18.

  8. #8
    Quote Originally Posted by monnier
    Get and life, and stop watching the log of unsuccessful connection attempts.
    After all, in all likelihood a successful break in would not appear there anyway.
    I have a life, thanks for your concern though.

    But if it was as simple as you say, there would be no hacked computers in this world. Try to take a few minutes and read about the mechanism of port-knocking. Apparantly you don't get it.

Similar Threads

  1. security alert function
    By fweijers in forum WL-500g Q&A
    Replies: 0
    Last Post: 11-08-2005, 11:53
  2. Audio security
    By Graldensblud in forum WL-500g Q&A
    Replies: 7
    Last Post: 03-06-2005, 09:03
  3. wireless security
    By smallkeung in forum WL-500g Q&A
    Replies: 2
    Last Post: 01-02-2005, 23:47

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •