On 22/10/06, Steffen Wendzel <[EMAIL PROTECTED]> wrote:
> On Sun, 22 Oct 2006 14:42:18 +0200 "Inigo T. A." <[EMAIL PROTECTED]>
> wrote:
> : On Sun, 22-10-2006 at 12:40 +0200, Steffen Wendzel wrote:
> : > On Sat, 21 Oct 2006 20:57:39 -0400 "Nick Guenther" <[EMAIL PROTECTED]>
> : > wrote:
> :
> : > :
> : > : So this is like an insecure version of SSH?
> : >
> : > It has nothing to do with SSH. And of course it isn't very secure,
> : > BUT it adds security where normally there is none; that's the point.
> : >
> : > You normally have different open ports, but with this tool you can
> : > open/close them on demand. This is at least a little bit more secure
> : > than having them open all the time.
> :
> : Why?
> :
> : If you have a security problem with a service, the only "more secure"
> : action is to fix it, not to open it eventually.
> :
> This isn't correct. Every service had some security problems in the
> past. Imagine that your service X is vulnerable (only since a few hours,
> by a zero-day exploit or so) and someone tries to exploit it at 2:00 in
> the morning.
> But if you run some port knocking service (and your attacker does not
> know the port combination/secret key, or even does not know about a
> running port knocking system), he can not attack your service.
> If you only need the service for administration, you could do such a
> "hiding" of the service. You would only need to open the port via the
> port knocking service for a few minutes while you use it to do some
> administration.
Just in case not everyone here may be totally familiar with port
knocking, I'd like to weigh in, by way of explanation.

Or rather, I'd like to quote Captain Crunch, who gave a very eloquent
explanation of what this "knock-knock principle" is:
(from http://www.the-fifth-hope.org/mp3/draper-spam.mp3 ,
cf. http://www.the-fifth-hope.org/hoop/5hope_speakers.khtml )

``I believe there's approximately five hundred thousand to seven
hundred-fifty thousand infected hosts out there on the Internet.
Well, these infected hosts of course are being controlled by a small group
of people (...)
A lot of them are sophisticated spammers, and hackers who use these
infected hosts use a rather interesting way of hiding the fact that the
machine is infected. And this is done through what they call the
knock-knock principle. The way this works is, normally the listener is
turned off. So when you do a port scan, they don't show up. It's totally
invisible. However, if you send it a series of specially crafted pings
with special port numbers and a certain sequence, well, guess what: you
open up a port, the listener activates and you now can control that proxy.
That then becomes a master controller proxy, it then controls all the
rest. So it's almost virtually impossible to catch this level of spamming
and hacking, and this is how all of the DDoS attacks have happened as
well.''
I'd like to emphasize that I am a strong believer in the neutrality of
information and technology. I am NOT trying to accuse anyone of
anything here. Just because a majority of sophisticated spammers and
botnet controllers may use the knock-knock principle (=port knocking)
and *you* may be using the same tool or principle, that doesn't mean
you are a black hat. Whether you are ethical or not obviously depends
on what you're up to with your use of openportd.

I could see the use of openportd as an ADDITIONAL layer of security,
though I would caution that *part* of that extra security is "security
through obscurity" (which prolly most of us frown upon). To explain:
If you port-scan a default OpenBSD firewall, it's likely to show, say,
at least SMTP and SSH ports. (If you're incredibly lame and lazy, and
if this is your pf/NAT firewall through which you're surfin the Net,
you could even use this site to have it port scan yourself:
https://www.grc.com/x/ne.dll?bh0bkyd2 -- click Proceed -- All Service
Ports. That is, IFF you can see past the hyperbole, and don't mind
prompting an outside party to get ahold of your port scanning
profile.) Anyway.
So your machine, while well protected by all the safeguards built into
OpenBSD, is not totally invisible. An attacker can see that there's an
SSH daemon listening -- and if you've got password authentication on,
an attacker could start brute forcing your password.

Now let's assume you're running openportd. You probably still can't
close down the SMTP ports (25 UDP+TCP) if you want to directly receive
email, but in case you don't need to have an SMTPD listening, you
could probably close all ports entirely.

Now in order to access your box from the outside, you would need to be
able to run some kind of openport-client (or any other software that
you can use to send your specially crafted pings) on whatever
*outside* box you're trying to access your firewall *from*. So you
send your specially crafted pings (which serve as a weak
authentication mechanism and which CAN be sniffed and CAN be used in
replay attacks), and in response to you sending your specially crafted
pings, your firewall, for a limited time window, opens up the SSH
ports (22 UDP+TCP).

Now you can proceed to log on via SSH, **with full SSH security**.

Yes, a determined attacker might sniff your traffic and your use of
openportd might not be much of a hurdle to them.

No, you should never use openportd as your single authentication
mechanism (and killing services on your box purely based on the pings
openportd receives would be suicidally insecure).

But if the attacker doesn't know where you are, they might be
dramatically less likely to find you, if you're using openportd
**AND** SSH, because they would have to be listening somewhere along
the path your packets are taking to your box **at the same time** that
you're using the knock-knock protocol to open up your SSH port -- only
to then find themselves with the not in any way diminished challenge
of brute forcing your SSH password.
And that's my two Eurocents.

"Use the knowledge for good; that's what I would ask."

Cheers,
--ropers

PS:
All that said, if you were asking me whether or not openportd should
be included with OpenBSD (as I think was asked about earlier on), I
wouldn't comment on that. I don't have any say in such decisions and I
don't *want* any say in such decisions because I'm not qualified
enough to even give a properly informed opinion in such a decision.
Please don't interpret my above statements one way or another, and
please don't say anything like, "ropers was for this/against this as
well", because I'm not.
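The knock-then-open-for-a-limited-window mechanism discussed in the mail above, as an added example that is not part of the thread and not openportd's code: a simulated knock listener in Python that also addresses the sniff-and-replay weakness the mail points out, by binding each knock to the source address, a timestamp and a one-time nonce under an HMAC. The function and class names, the key, the addresses and the window lengths are all assumptions constructed for the example.

```python
import hashlib
import hmac
import os
import time

# Tunables (constructed values for this example, not openportd's).
KNOCK_MAX_SKEW = 30   # seconds a knock's timestamp may differ from the daemon's clock
OPEN_SECONDS = 120    # how long the SSH port stays open after a good knock


def make_knock(secret: bytes, src_ip: str, ts: int, nonce: str = ""):
    """Client side: build an authenticated knock (src_ip, ts, nonce, mac).
    Binding the MAC to source address, time and a fresh nonce is what keeps a
    sniffed knock from being replayed later, or from another host."""
    nonce = nonce or os.urandom(8).hex()
    msg = f"{src_ip}|{ts}|{nonce}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return (src_ip, ts, nonce, mac)


class KnockDaemon:
    """Simulated knock listener; 'now' is injectable so the window can be tested."""

    def __init__(self, secret: bytes, now=time.time):
        self.secret = secret
        self.now = now
        self.seen_nonces = set()   # accepted nonces (prune those older than the skew)
        self.open_until = {}       # src_ip -> time at which the opening expires

    def knock(self, pkt) -> str:
        """Validate one knock: returns 'opened', 'bad-mac', 'stale' or 'replay'."""
        src_ip, ts, nonce, mac = pkt
        expected = hmac.new(self.secret, f"{src_ip}|{ts}|{nonce}".encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):   # constant-time comparison
            return "bad-mac"
        if abs(int(self.now()) - ts) > KNOCK_MAX_SKEW:
            return "stale"                            # old capture, outside the window
        if nonce in self.seen_nonces:
            return "replay"                           # the same knock seen twice
        self.seen_nonces.add(nonce)
        self.open_until[src_ip] = self.now() + OPEN_SECONDS
        return "opened"

    def port_open_for(self, src_ip: str) -> bool:
        """Would the firewall currently pass SSH from src_ip? Only inside the window;
        SSH itself still authenticates, the knock is never the only check."""
        return self.open_until.get(src_ip, 0) > self.now()
```

A real deployment would feed `knock()` from a packet capture or firewall log and translate "opened" into a temporary pf rule; the part worth keeping is that a captured knock is useless once its nonce has been seen or its timestamp has aged out.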