LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

(Nearly) full tickless operation in 3.10

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

agree

agree

Posted Mar 6, 2007 1:03 UTC (Tue) by ArbitraryConstant (guest, #42725)
Parent article: Single Packet Authorization (Linux Journal)

I share the skepticism of others here.

Port knocking isn't a security solution, it's for when your ISP will get angry with you if you have servers listening for connections. It's still trivial for traffic analysis to figure out what you're up to, so I'm not convinced of the value even then; if port knocking will fool them, so will listening on 1024+.

When it's a matter of security and a proper VPN isn't an option for whatever reason, I use AuthPF, and I'm sure something similar is available through Linux. It uses SSH for authentication and keepalives.

The post argues that even SSH is sometimes vulnerable, but as others have mentioned, everything is sometimes vulnerable. A port knocking implementation won't be any less so. At least with SSH, patches are needed only infrequently, and they're usually available quickly when needed.

The problem with this is that it is the most secure port knocking implementation you're ever likely to get, but the connections you make past the firewall are still subject to the risks associated with going over the Internet in the clear, and if you're NATing or someone can spoof your IP, you're still vulnerable. There's only one solution that's actually resistant to a determined attack, and that's cryptographically secure authentication and communication. SSH tunnels and VPNs are the answer for this, not port knocking. I simply don't see the benefit. Whatever permutation you're looking at, there's either an easier way or a more secure way, depending on your priorities.

(Log in to post comments)

agree

Posted Mar 6, 2007 8:41 UTC (Tue) by niner (subscriber, #26151) [Link]

Port knocking has just one advantage over plain ssh: it keeps your logs free of thousands of failed login attempts due to brute force ssh guessing by automated scripts.
It's not security, just a little more convenience.

It's the same as with simple text-based CAPTCHAs like addition of two numbers. They are very easily broken and scripted even by the youngest script kiddie. But this assumes, that there is a human individual interested in your site. And in most cases there just isn't.

agree

Posted Mar 6, 2007 14:30 UTC (Tue) by drag (subscriber, #31333) [Link]

If you want to avoid script kiddies then stick have your ssh session run on port 23 instead of port 22 (or whatever port you want). At least that way you avoid the massive amount of traffic that automated scanners generate.

That's pretty much all you have to do to have fairly clean and relevent logs.

agree

Posted Mar 6, 2007 15:27 UTC (Tue) by bronson (subscriber, #4806) [Link]

nmap will find sshd on port 23 without even breaking a sweat. It will also eventually discover it on port 31337, even if you aggressively block portscanning. But it will never find your knock sequence.

I agree that moving sshd's listening port currently deters many script kiddies. But it's like greylisting: it's utterly trivial to get around. Once a lot of people put sshd on different ports, the kiddies will just learn how to use nmap.

agree

Posted Mar 6, 2007 18:17 UTC (Tue) by ofeeley (guest, #36105) [Link]

And capturing a list of hostile machine's IP addresses and adding them to /etc/hosts.deny is nice. As long as you're using ssh keys the script kiddie attacks are just providing a handy list of IP's to treat as hostile with very little actual risk.

Not sure I agree

Posted Mar 6, 2007 23:09 UTC (Tue) by bronson (subscriber, #4806) [Link]

There's a fine line between banning hostile IPs and DOSing yourself. :)

A lot (most?) of the traffic will be arriving on dynamic or shared IP addresses. Just because one packet was hostile, that doesn't mean that all traffic from that address will be hostile. Imagine visiting your parents and not being able to log to your production server just because some script kiddie managed to get most of AOL's proxy IPs on your block list.

Also, I'm not sure that keeping a list of IPs actually buys you much. Most of the script kiddies responsible for this noise won't bother trying any other attack against you. And a determined attacker would never try something as noisy as a dictionary attack. Presumably he would already know that you're using pubkey authentication and a dictionary attack would be futile anyway.

So... Keeping a list of mostly harmless script kiddie IPs doesn't strike me as a very worthwhile endeavor...?

agree

Posted Mar 6, 2007 19:31 UTC (Tue) by ArbitraryConstant (guest, #42725) [Link]

meh

Just rate-limit SSH connections. You can even simply block IPs that have more than a certain number of failed login attempts in a given period of time.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds