Re: Port Knocking.
Daniel Hartmeier wrote:
On Fri, Feb 06, 2004 at 06:38:54PM -0300, Alejandro G. Belluscio wrote:

I think I didn't make myself clear (as usual :-). I wasn't thinking
about hiding the ports. But rather as a way to provide certain identity
protection without having to rewrite apps. I don't really mind if my
sshd gets scanned. But what if I translated some S/Key to a port sequence?
This would work as a level of identification. A system that I could use
from public terminals. And one that only would need one subsystem
(somewhere on the packet filtering system) to be written and suddenly
all apps would gain this feature. But I guess that it offers nothing
that ssh+S/Key+authpf doesn't offer. Besides hiding the sshd port.
Which I already know is not really useful.
I guess all of you have read about it. But on /. there were a couple of
articles on port knocking which are very interesting. With just ten
knocks, and only using 16384 ports as the range, you get a 140 bit
combination. If combined with some S/Key or similar scheme, then it would
be _very_ difficult to guess.
If you have to resort to security by obscurity, why not just use
TCP_MD5SIG (RFC2385)? Want to hide an sshd from a port scanner? Just
ignore all TCP packets not properly signed. No need for silly knocking
if you can add a signature to each packet. Run ipsecadm tcpmd5 once and
all your connections are accepted, no need to run some weird sequence
every time you want to connect, or deal with packet order,

Oh, you think this is little-known, underdocumented and obscure? Perfect
for the purpose, then, no? :)
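An added illustration, not code from this thread or from OpenBSD, of the check Daniel describes: the RFC 2385 digest is MD5 over the TCP pseudo-header, the fixed TCP header with a zero checksum, the data and the shared key, and the receiver simply drops any segment that does not carry a correct signature. The addresses, ports, key and segment layout below are constructed for the example, and the real TCP checksum is left at zero.

```python
import hashlib
import hmac
import socket
import struct

TCP_PROTO = 6
MD5SIG_KIND = 19  # TCP option kind reserved for the RFC 2385 signature
MD5SIG_LEN = 18   # kind (1) + length (1) + 16-byte MD5 digest

def rfc2385_digest(src_ip, dst_ip, tcp_header, payload, key):
    """MD5 over pseudo-header, 20-byte TCP header with checksum zeroed, data, then key (RFC 2385 s.2)."""
    fixed = bytearray(tcp_header[:20])
    fixed[16:18] = b"\x00\x00"                  # digest is computed as if the checksum were zero
    seg_len = len(tcp_header) + len(payload)    # TCP length in the pseudo-header covers options too
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, TCP_PROTO, seg_len))
    return hashlib.md5(pseudo + bytes(fixed) + payload + key).digest()

def build_segment(src_ip, dst_ip, sport, dport, payload, key=None):
    """Constructed SYN (checksum left zero); with a key, appends the signature option padded to 20 bytes."""
    doff = 10 if key is not None else 5         # header length in 32-bit words
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, doff << 4, 0x02, 8192, 0, 0)
    if key is None:
        return hdr + payload
    digest = rfc2385_digest(src_ip, dst_ip, hdr + bytes(20), payload, key)
    return hdr + bytes([MD5SIG_KIND, MD5SIG_LEN]) + digest + b"\x00\x00" + payload

def accept_segment(src_ip, dst_ip, segment, key):
    """Receiver policy from the mail: accept only segments carrying a correct signature for this key."""
    doff = (segment[12] >> 4) * 4
    if not 20 <= doff <= len(segment):
        return False
    tcp_header, payload = segment[:doff], segment[doff:]
    carried, i = None, 20
    while i < doff and tcp_header[i] != 0:      # walk the option list; kind 0 ends it
        if tcp_header[i] == 1:                  # NOP carries no length byte
            i += 1
            continue
        if i + 1 >= doff or tcp_header[i + 1] < 2:
            return False                        # malformed option list
        if tcp_header[i] == MD5SIG_KIND and tcp_header[i + 1] == MD5SIG_LEN:
            carried = tcp_header[i + 2:i + MD5SIG_LEN]
        i += tcp_header[i + 1]
    if carried is None:
        return False                            # unsigned segment: silently ignored, no reply
    expected = rfc2385_digest(src_ip, dst_ip, tcp_header, payload, key)
    return hmac.compare_digest(bytes(carried), expected)
```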