Single Packet Authorization (Linux Journal)

Posted Mar 7, 2007 16:31 UTC (Wed) by bronson (subscriber, #4806)
In reply to: Single Packet Authorization (Linux Journal) by tialaramex
Parent article: Single Packet Authorization (Linux Journal)

A few thoughts...

If you're saying that hiding a machine deep in IPv6 space is poor security, just like port knocking is poor security, then we are in agreement. :)

I use the same knock sequence on every server. Port knocking is bad security, why pretend otherwise? But, here's the thing: even a simple, static 3-port sequence significantly raises the bar to touching the good security. With port knocking, when I see multiple failed login attempts in my logs, I know that something is wrong and I'll bring the heavy immediately.

Port knocking is not about adding more security. It's about eliminating the noise that would otherwise hide a determined attacker.

As I said before, I do have pubkey login on every ssh machine I maintain. We pubkey users seem to be a tiny minority, unfortunately. I was just explaining why I think that many admins either don't do it or, if they try, do it badly. It takes forethought to securely scale up to many admins on many machines. It isn't plug-and-chug.

Because port knocking can be done entirely with iptables rules, it doesn't need to add appreciably to your threat surface. It just adds the 'recent' module, which seems to be a well written module. SPA, with its dedicated listening daemon, adds significantly to your threat surface. A quick google search finds this article, which appears to be good but isn't the one I followed: http://www.soloport.com/iptables.html .

Here's a much more thorough treatment that I just found: http://web.mac.com/s.j/iWeb/Security/Port%20Knocking%20an... I haven't read the whole thing yet but, reading the conclusion, I think Sebastien Jeanquier is spot on.

Does that make my position a little more clear?
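For readers who want to see what the iptables-only approach described above looks like in practice, here is an added example (not code from either commenter): a generator for a static three-port knock sequence built solely on the `recent` match, with the protected port logged only after a successful knock so that log noise from scanners never appears. Chain and list names (KNOCKING, GATE1-3, PASSED, AUTH1-3) and the 10/30-second windows are my own choices.

```shell
#!/bin/sh
# Added example, not from the LWN thread. Prints iptables commands for a
# three-port knock sequence using only the 'recent' match; review the output,
# then pipe it to sh. Chain and list names here are assumptions of this example.
# Usage: gen_knock_rules 1111 2222 3333 22 | sh
gen_knock_rules() {
    k1=$1; k2=$2; k3=$3; svc=$4
    cat <<EOF
iptables -N KNOCKING
iptables -N GATE1
iptables -N GATE2
iptables -N GATE3
iptables -N PASSED
# Loopback and established sessions bypass the knock state machine entirely.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -j KNOCKING
# GATE1: a correct first knock records the source in AUTH1; all else is dropped.
iptables -A GATE1 -p tcp --dport $k1 -m recent --name AUTH1 --set -j DROP
iptables -A GATE1 -j DROP
# GATE2: a correct second knock advances to AUTH2; any other packet resets to GATE1.
iptables -A GATE2 -m recent --name AUTH1 --remove
iptables -A GATE2 -p tcp --dport $k2 -m recent --name AUTH2 --set -j DROP
iptables -A GATE2 -j GATE1
# GATE3: same pattern for the third knock.
iptables -A GATE3 -m recent --name AUTH2 --remove
iptables -A GATE3 -p tcp --dport $k3 -m recent --name AUTH3 --set -j DROP
iptables -A GATE3 -j GATE1
# PASSED: the service port opens once for this source. Logging here means the
# log only ever shows connections from sources that already knew the sequence.
iptables -A PASSED -m recent --name AUTH3 --remove
iptables -A PASSED -p tcp --dport $svc -j LOG --log-prefix "knock-ok: "
iptables -A PASSED -p tcp --dport $svc -j ACCEPT
iptables -A PASSED -j GATE1
# Dispatch: test the most advanced state first; each stage has a short window,
# so a slow or partial scan falls back to GATE1 and is simply dropped.
iptables -A KNOCKING -m recent --rcheck --seconds 30 --name AUTH3 -j PASSED
iptables -A KNOCKING -m recent --rcheck --seconds 10 --name AUTH2 -j GATE3
iptables -A KNOCKING -m recent --rcheck --seconds 10 --name AUTH1 -j GATE2
iptables -A KNOCKING -j GATE1
EOF
}
```

Because GATE1 drops everything that is not the first knock, the INPUT chain needs no separate default-deny rule for unsolicited traffic; the state machine itself is the deny.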

Single Packet Authorization (Linux Journal)

Posted Mar 7, 2007 18:28 UTC (Wed) by tialaramex (subscriber, #21167) [Link]

Yes, your position is more clear. I think we're pretty much on the same wavelength about what the problems are and the extent to which different techniques are appropriate; it's just that I don't agree with your choice of solution (although I agree it's working for you). I prefer elegant solutions, and I see sparse addresses as elegant while secret handshakes are not. I haven't any data as to which is more effective in practice.

Adding "more" iptables rules would constitute a non-negligible increase in attack surface for me because I don't currently use, or intend to use, iptables. Of course you could argue that using IPv6 at all, even during the lengthy (perhaps a decade or more still) transition period also increases the attack surface, but if you view IPv6 as inevitable then finding any security problems in it now seems like a good up-front investment.

My original purpose in mentioning this was to justify why I think scanning is mostly a transitory problem not worthy of creating specialised protocols and tools like the one in the article.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds