On Saturday 02 February 2008 08:42:25 pm Grant wrote:
> > > port-knocking is the biggest load of fud (Microsoft products apart) I
> > > have heard about in ages. The term snake-oil comes to mind, as
> > > does "security by obscurity and obfuscation" which we all know is no
> > > security at all.
> >
> > Uhm. Security by obscurity is not good because it hides something *that
> > is known for sure to be there*. Port knocking, on the other hand, makes
> > a computer appear as if nothing is there. No open ports.
> > A computer with all ports closed which uses portknocking and a computer
> > with just all ports closed cannot be told apart from remote, either by
> > portscanning or whatever other means. What the attacker sees is just "no open
> > ports". It could, of course, imagine that port knocking might be in use,
> > but even in that case, he would have to discover the knock sequence.
> > With a knock sequence long enough (say, 8 ports), the likeliness of such
> > a discovery is really low (1/65535^8 in this case). And, even if he
> > succeeds, he just opens a port (as if there was no portknocking), and
> > still has to violate whatever security measure is in place for the
> > service (e.g., ssh authentication).
> >
> > > I don't care if the originating process knocks on the well known port
> > > with gold plated gloves hand braided from the finest Unobtainium by
> > > seductive alluring Puerto Rican virgins, the receiving machine still
> > > has to open another port shortly thereafter. This is not a magic port
> > > and is not wrapped in Star Trek's finest stealth cloak, it's a port
> > > that does TCP/IP stuff.
> > >
> > > If the end process listening on the newly opened port is in any way
> > > weak - and this is the only possible reason anyone would ever try the
> > > port knocking workaround - it's just as weak when it's listening on an
> > > obfuscated port number.
> >
> > This is not true, for at least two reasons:
> >
> > - the port stays open only for the duration of the connection, not all
> > the time;
> >
> > - at least with some implementations, the port is opened *only to the IP
> > address of the user who did the knock*, not to the whole world.
> >
> > > If it's open, I can find it. If it's weak, I can get in. Then it's game
> > > over, go home, I win.
> >
> > See above.
> >
> > > I've yet to hear positive things about port knocking from someone who
> > > actually implemented it fully. In truth it's just a major pain in the
> > > arse that makes the admin's life miserable and gives the boss a warm
> > > fuzzy feeling based on hot air.
> >
> > I don't know about large setups, where it might be very possible that
> > port knocking becomes a major PITA as you say. But I have set up and used
> > port knocking for remote ssh access lots of times in the past, and never
> > had a problem. This is just my little experience, of course.
>
> OK, port knocking is going back on the todo list.
>
> - Grant

Wow... that was easy...

:')

-- 
From the Desk of: Jerome D. McBride
--
gentoo-user@lists.gentoo.org mailing list
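The quoted exchange describes the mechanism in words only: a per-source secret knock sequence, knock ports that never accept a connection themselves, and a protected port that opens only to the knocker's IP and only briefly. The following is an added example, not code from the thread or from any knockd implementation. It simulates that server-side state machine over a constructed list of (timestamp, source IP, destination port) SYN events; the sequence 7000/8000/9000, the 5 s inter-knock timeout, the 10 s open window and the addresses are all assumptions, and "open only for the duration of the connection" is approximated by an expiry window on new connections. The `keyspace` helper just counts ordered sequences for a given length, which is where the thread's 65535^8 figure comes from.

```python
"""Server-side port-knocking state machine (added example, not from the thread).

Models what the quoted posts describe: a per-source-IP secret knock sequence,
knock ports that are never open themselves, and, after a complete sequence,
the protected port becoming reachable only for that source IP and only for a
short window. Traffic is a constructed list of (timestamp, src_ip, dst_port)
SYN events, not live packets; sequence, timeouts and addresses are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

KNOCK_SEQUENCE = [7000, 8000, 9000]  # hypothetical secret sequence
PROTECTED_PORT = 22                  # the service hidden behind the knock


@dataclass
class KnockProgress:
    """How far one source IP has got through the sequence."""
    matched: int = 0
    last_seen: float = 0.0


@dataclass
class Knockd:
    sequence: List[int]
    protected_port: int = PROTECTED_PORT
    knock_timeout: float = 5.0   # max seconds between consecutive knocks
    open_window: float = 10.0    # seconds the port accepts new connections from the knocker
    progress: Dict[str, KnockProgress] = field(default_factory=dict)
    allowed_until: Dict[str, float] = field(default_factory=dict)  # src_ip -> expiry
    log: List[str] = field(default_factory=list)

    def _expire(self, now: float) -> None:
        """Drop per-IP allow rules whose window has lapsed."""
        for ip in [ip for ip, t in self.allowed_until.items() if t <= now]:
            del self.allowed_until[ip]
            self.log.append(f"{now:.1f} closed {self.protected_port} for {ip}")

    def inbound(self, now: float, src: str, dport: int) -> bool:
        """Decide one inbound SYN. Returns True only if it would be accepted."""
        self._expire(now)
        if dport == self.protected_port:
            # Without a completed knock this looks like any other closed port.
            return src in self.allowed_until
        st = self.progress.get(src, KnockProgress())
        if st.matched and now - st.last_seen > self.knock_timeout:
            st = KnockProgress()  # too slow between knocks: start over
        if dport == self.sequence[st.matched]:
            st.matched += 1
            st.last_seen = now
            if st.matched == len(self.sequence):
                self.allowed_until[src] = now + self.open_window
                self.progress.pop(src, None)
                self.log.append(f"{now:.1f} opened {self.protected_port} for {src}")
            else:
                self.progress[src] = st
        else:
            # Any other port resets the sequence for this IP: no partial credit.
            self.progress.pop(src, None)
        return False  # knock ports are never open themselves


def keyspace(length: int, ports: int = 65535) -> int:
    """Number of ordered knock sequences of the given length (the thread's 65535^8 figure)."""
    return ports ** length


def replay(events: List[Tuple[float, str, int]],
           sequence: List[int] = KNOCK_SEQUENCE) -> List[str]:
    """Run constructed SYN events through a Knockd and return its audit log."""
    kd = Knockd(sequence)
    for now, src, dport in events:
        verdict = "ACCEPT" if kd.inbound(now, src, dport) else "DROP"
        kd.log.append(f"{now:.1f} {verdict} {src} -> {dport}")
    return kd.log


# Constructed traffic: a legitimate knocker, a scanner from another address,
# and a connection attempt after the window has lapsed.
SAMPLE_EVENTS = [
    (0.0, "203.0.113.9", 22),      # scanner probes ssh: closed
    (1.0, "198.51.100.7", 7000),   # knock 1
    (2.0, "198.51.100.7", 8000),   # knock 2
    (3.0, "198.51.100.7", 9000),   # knock 3
    (4.0, "198.51.100.7", 22),     # knocker connects: accepted
    (4.5, "203.0.113.9", 22),      # scanner still sees a closed port
    (20.0, "198.51.100.7", 22),    # window expired: closed again
]

if __name__ == "__main__":
    for line in replay(SAMPLE_EVENTS):
        print(line)
    print("sequences of length 8:", keyspace(8))
```

Two design points match the thread's argument: the allow rule is keyed on the knocker's source address, so a second host probing port 22 at the same moment still sees it closed, and a wrong or late knock resets the sequence with no feedback, so a remote observer gets no signal distinguishing a knocking host from one with all ports closed.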