
Nitpicking (Preventing brute force ssh attacks)


Posted Oct 25, 2007 19:12 UTC (Thu) by Fats (subscriber, #14882)
Parent article: Preventing brute force ssh attacks

The port knocking method is not security through obscurity. All authentication mechanisms are
based on some private information: a public key, a password, ... You can think of the port
knocking sequence as part of this private information.


Nitpicking (Preventing brute force ssh attacks)

Posted Oct 25, 2007 21:43 UTC (Thu) by njs (guest, #40338)

You're right in your facts, but I think not-quite-right in spirit.

Port-knocking adds some entropy to your effective password, yes.  But if all you wanted was
some extra entropy, you'd be much better off just choosing a slightly longer password or key
-- just as secure, and substantially more convenient.

But people use port knocking despite this.  AFAICT, there are two reasons: (1) its
rube-goldbergian complexity and attendant ritual appeal to a certain sort, who feel it *must*
therefore be secure.  This is exactly the impulse that security people are (rightfully) trying
to squash when they sneer about security through obscurity.  (2) its relative scarcity does
provide some security benefit -- since only weirdos use port-knocking, the script kiddies
don't bother trying to brute-force it, and casual attackers will in fact be repelled.  This
also makes it easier to distinguish casual and determined attackers -- e.g. only one leaves
lines in the ssh logs -- and so on.  If it ever becomes popular, of course, the script kiddies
will catch on and this effect will disappear.

So port knocking provides no magic bullet against determined attackers (but people who
encounter it often fall for (1) and think it does, and the more it gets advocated the more
this nonsense gets carried along), not much benefit in the long run (which makes it curious
that people advocate it at all; if you are using port knocking for the "right" reasons, you
should discourage everyone else from using it, which may make some suspicious whether people
*are* using it for the right reasons), and engineering-wise it is just so *silly* that it leaves a
bad taste in the mouth -- no-one wants this to become the usual way of designing security

Nitpicking (Preventing brute force ssh attacks)

Posted Oct 28, 2007 17:36 UTC (Sun) by oak (guest, #2786)

Assuming the attacker cannot sniff which ports you're using (i.e. they
have to attack blindly), using a sequence of ports could be considered
also a password of a kind, with an *64K* alphabet.

Nitpicking (Preventing brute force ssh attacks)

Posted Oct 28, 2007 20:58 UTC (Sun) by njs (guest, #40338)

Yes.  I'm not sure what your point is, though -- I already agreed that adding port knocking is
like making your password longer, and there's nothing magical about a 64K alphabet.  It just
means that a single knock gives you about 16 bits of entropy, as compared to 6 bits from a
random ascii character, so 1 knock gives a bit less than 3 (good) password characters.  Or...
you can just use a 4096-bit key and be done with it.
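
The two points made in this thread -- that a knock sequence is just extra password entropy (about 16 bits per knock against a 64K port space), and that a knock-gated port drops casual attackers before they ever reach sshd's log -- can be made concrete with a small model. The block below is an added example written for this page; it is not code from LWN, from the parent article, or from any real knock daemon (knockd, fwknop, ...). The knock sequence, the time window, the source addresses and the connection events are all constructed for illustration, and the 95-character printable-ASCII alphabet is an assumption used only for the comparison.

```python
"""Constructed example: knock-sequence entropy arithmetic plus a minimal
per-source knock matcher replayed over a constructed SYN log.
Not code from LWN, the parent article, or any real knock daemon."""
import math

PORT_SPACE = 65536        # 16-bit TCP port numbers: one uniformly chosen knock = 16 bits
PRINTABLE_ASCII = 95      # assumed alphabet size for the password comparison


def knock_bits(n_knocks, port_space=PORT_SPACE):
    """Entropy of an n-knock sequence if each port is chosen uniformly at random."""
    return n_knocks * math.log2(port_space)


def password_bits(length, alphabet=PRINTABLE_ASCII):
    """Entropy of a random password of the given length over the alphabet."""
    return length * math.log2(alphabet)


def equivalent_password_chars(n_knocks):
    """Random printable-ASCII characters carrying the same entropy as n knocks."""
    return knock_bits(n_knocks) / math.log2(PRINTABLE_ASCII)


class KnockMatcher:
    """Tracks each source's progress through one fixed knock sequence.

    A knock to the wrong port resets progress (a knock that happens to be
    the first port of the sequence restarts it), and a gap longer than the
    window also resets it. Completing the sequence opens the protected port
    for that source.
    """

    def __init__(self, sequence, window_seconds, protected_port=22):
        self.sequence = tuple(sequence)
        self.window = window_seconds
        self.protected_port = protected_port
        self._progress = {}      # src -> (index of next expected knock, time of last knock)
        self.opened = set()      # sources that completed the sequence

    def knock(self, src, port, t):
        idx, last = self._progress.get(src, (0, t))
        if t - last > self.window:
            idx = 0
        if port == self.sequence[idx]:
            idx += 1
        else:
            idx = 1 if port == self.sequence[0] else 0
        if idx == len(self.sequence):
            self.opened.add(src)
            idx = 0
        self._progress[src] = (idx, t)

    def allowed(self, src):
        return src in self.opened


def replay(matcher, events):
    """Replay (time, src, dport) events through the matcher.

    Returns (reached_sshd, dropped): per-source counts of SSH attempts that
    would reach sshd (and so show up in its log) versus attempts dropped by
    the knock-gated firewall before sshd ever sees them.
    """
    reached_sshd, dropped = {}, {}
    for t, src, dport in sorted(events):
        if dport == matcher.protected_port:
            bucket = reached_sshd if matcher.allowed(src) else dropped
            bucket[src] = bucket.get(src, 0) + 1
        else:
            matcher.knock(src, dport, t)
    return reached_sshd, dropped


# Constructed SYN log: a legitimate user who knocks correctly, a script kiddie
# who hammers port 22 blindly, and a slow knocker who exceeds the window.
SAMPLE_EVENTS = [
    (1, "10.0.0.5", 7000), (2, "10.0.0.5", 8000), (3, "10.0.0.5", 9000), (4, "10.0.0.5", 22),
    (0, "203.0.113.9", 22), (5, "203.0.113.9", 22), (6, "203.0.113.9", 22),
    (1, "198.51.100.7", 7000), (20, "198.51.100.7", 8000), (21, "198.51.100.7", 9000),
    (22, "198.51.100.7", 22),
]


def demo():
    """Run the constructed log through a 3-knock sequence with a 10 s window."""
    matcher = KnockMatcher(sequence=(7000, 8000, 9000), window_seconds=10)
    return replay(matcher, SAMPLE_EVENTS)


if __name__ == "__main__":
    reached, dropped = demo()
    print("reached sshd:", reached)
    print("dropped at firewall:", dropped)
    print(f"one knock = {knock_bits(1):.1f} bits"
          f" = {equivalent_password_chars(1):.2f} printable-ASCII chars")
```

Running it shows only the source that completed the sequence producing sshd log lines, while the blind port-22 attempts never get past the firewall; it also shows one knock worth about 2.4 random printable characters, in line with the "a bit less than 3" estimate above. The matcher deliberately ignores everything oak's caveat raises: anyone who can sniff the knocks replays them, which is why a real deployment should treat the sequence as a weak extra password in front of key authentication rather than as authentication itself.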

Nitpicking (Preventing brute force ssh attacks)

Posted Oct 28, 2007 21:02 UTC (Sun) by njs (guest, #40338)

Oh, right, and I should have also pointed out -- passwords/keys remain safe even if the attacker
is allowed to sniff all they want, no extra work is required to be secure in that case.

Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds