On Saturday 2 February 2008, Alan McKinnon wrote:

> port-knocking is the biggest load of fud (Microsoft products apart) I
> have heard about in ages. The term snake-oil comes to mind, as
> does "security by obscurity and obfuscation" which we all know is no
> security at all.

Uhm. Security by obscurity is not good because it hides something *that 
is known for sure to be there*. Port knocking, on the other hand, makes 
a computer appear as if nothing is there. No open ports. 
A computer with all ports closed which uses port knocking and a computer 
with just all ports closed cannot be told apart from remote, either by 
port scanning or by any other means. What the attacker sees is just "no open 
ports". He could, of course, imagine that port knocking might be in use, 
but even in that case, he would have to discover the knock sequence.
With a knock sequence long enough (say, 8 ports), the likelihood of such 
a discovery is really low (1/65535^8 in this case). And, even if he 
succeeds, he just opens a port (as if there was no port knocking), and 
still has to violate whatever security measure is in place for the 
service (e.g., ssh authentication).

> I don't care if the originating process knocks on the well known port
> with gold plated gloves hand braided from the finest Unobtainium by
> seductive alluring Puerto Rican virgins, the receiving machine still
> has to open another port shortly thereafter. This is not a magic port
> and is not wrapped in Star Trek's finest stealth cloak, it's a port
> that does TCP/IP stuff.
>
> If the end process listening on the newly opened port is in any way
> weak - and this is the only possible reason anyone would ever try the
> port knocking workaround - it's just as weak when it's listening on an
> obfuscated port number. 

This is not true, for at least two reasons:

- the port stays open only for the duration of the connection, not all 
the time;

- at least with some implementations, the port is opened *only to the IP 
address of the user who did the knock*, not to the whole world.

> If it's open, I can find it. If it's weak, I can get in. Then it's game
> over, go home, I win. 

See above.

> I've yet to hear positive things about port knocking from someone who
> actually implemented it fully. In truth it's just a major pain in the
> arse that makes the admin's life miserable and gives the boss a warm
> fuzzy feeling based on hot air.

I don't know about large setups, where it might be very possible that 
port knocking becomes a major PITA as you say. But I have set up and used 
port knocking for remote ssh access lots of times in the past, and never 
had a problem. This is just my little experience, of course.
-- 
gentoo-user@lists.gentoo.org mailing list
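The knock-then-open behaviour the reply above describes (a fixed sequence of ports, the protected port opened only to the address that knocked, and only for a short window) as an added example. This is not code from the thread or from any particular knock daemon; the port numbers, timeouts, addresses and the sniffer/firewall hook it stands in for are all assumptions made for the illustration. It also goes slightly beyond the reply by feeding a whole sequential port scan through the state machine, to show that a plain scan neither completes the sequence nor finds the protected port open.

```python
# Added illustration of a port-knock state machine, in the spirit of the
# behaviour described in the reply above. Not code from the thread or from any
# real knock daemon; ports, timeouts and IP addresses below are made up.
from dataclasses import dataclass, field


@dataclass
class KnockDaemon:
    sequence: tuple                  # ordered knock ports, e.g. (7000, 8000, 9000)
    protected_port: int              # port opened once the sequence is complete
    open_seconds: float = 10.0       # how long the knocker may start a connection
    step_timeout: float = 5.0        # max gap allowed between two knocks
    # per-source progress: ip -> (index of next expected knock, time of last knock)
    progress: dict = field(default_factory=dict)
    # per-source grant: ip -> time at which the grant expires
    allowed: dict = field(default_factory=dict)

    def knock(self, src_ip, dst_port, ts):
        """Feed one SYN seen on the wire (from a sniffer or a firewall log).

        Returns True exactly when src_ip has just completed the sequence.
        """
        idx, last = self.progress.get(src_ip, (0, ts))
        if ts - last > self.step_timeout:
            idx = 0                                   # too slow: start over
        if dst_port == self.sequence[idx]:
            idx += 1
        else:
            # Any wrong port resets the attempt; a correct first knock may
            # still begin a fresh attempt.
            idx = 1 if dst_port == self.sequence[0] else 0
        if idx == len(self.sequence):
            self.progress.pop(src_ip, None)
            self.allowed[src_ip] = ts + self.open_seconds
            return True
        self.progress[src_ip] = (idx, ts)
        return False

    def accepts(self, src_ip, dst_port, ts):
        """Firewall decision for a SYN: only the knocker's IP, only while the
        grant is live, only for the protected port. Everything else is
        dropped, so a scanner sees no open port at all."""
        if dst_port != self.protected_port:
            return False
        expiry = self.allowed.get(src_ip)
        return expiry is not None and ts <= expiry

    def expire(self, ts):
        """Drop grants whose window has passed (call periodically)."""
        for ip in [ip for ip, exp in self.allowed.items() if ts > exp]:
            del self.allowed[ip]


def sequential_scan_opens_port(daemon, src_ip, start_ts=0.0):
    """Simulate a plain sequential port scan from src_ip, one SYN per port.

    Returns True if the scan ever completes the knock sequence or finds the
    protected port accepting, i.e. if port knocking leaked anything to it.
    """
    ts = start_ts
    for port in range(1, 65536):
        ts += 0.001
        if daemon.knock(src_ip, port, ts):
            return True
        if daemon.accepts(src_ip, port, ts):
            return True
    return False


if __name__ == "__main__":
    d = KnockDaemon(sequence=(7000, 8000, 9000), protected_port=22)
    # Constructed knock stream: a legitimate client knocks 7000, 8000, 9000.
    for port, ts in ((7000, 0.0), (8000, 1.0), (9000, 2.0)):
        print("knock", port, "->", d.knock("192.0.2.10", port, ts))
    print("knocker may connect:", d.accepts("192.0.2.10", 22, 3.0))
    print("someone else may connect:", d.accepts("198.51.100.7", 22, 3.0))
    print("knocker after window:", d.accepts("192.0.2.10", 22, 20.0))
    print("sequential scan opens port:",
          sequential_scan_opens_port(d, "198.51.100.7"))
```

In a real deployment `knock()` would be fed from a packet capture or the firewall's log of dropped SYNs, and a grant in `accepts()` would become a firewall rule inserted for that one source address and removed again when the window expires; a connection established inside the window then survives on the firewall's connection tracking rather than on the rule. Note that the state machine only checks that the right ports were hit in the right order from the right address; whether a third party could observe the knocks in transit and repeat them is a separate question that the thread does not go into.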
