
Re: Port Knocking.



Daniel Hartmeier wrote:

On Fri, Feb 06, 2004 at 06:38:54PM -0300, Alejandro G. Belluscio wrote:



I guess all of you have read about it. But on /. there were a couple of
articles on port knocking which are very interesting. With just ten
knocks, and only using 16384 ports as range you get a 140 bit
combination. If combined to some S/Key or similar scheme, then it would
be _very_ difficult to guess.



If you have to resort to security by obscurity, why not just use TCP_MD5SIG (RFC2385)? Want to hide an sshd from port scanner? Just ignore all TCP packets not properly signed. No need for silly knocking if you can add a signature to each packet. Run ipsecadm tcpmd5 once and all your connections are accepted, no need to run some weird sequence every time you want to connect, or deal with packet order, retransmission, timeouts.

Oh, you think this is little-known, underdocumented and obscure? Perfect
for the purpose, then, no? :)

Daniel


I think I didn't make myself clear (as usual :-). I wasn't thinking about hiding the ports. But rather as a way to provide certain identity protection without having to rewrite apps. I don't really mind if my sshd gets scanned. But what if I translated some S/Key to port sequence? This would work as a level of identification. A system that I could use from public terminals. And one that only would need one subsystem (somewhere on the packet filtering system) to be written and suddenly all apps would gain this feature. But I guess that it offers nothing that ssh+S/Key+authpf doesn't offer. Besides hiding the sshd port. Which I already know is not really useful.

Alejandro
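An added example, not from the thread, of the "S/Key translated to a port sequence" idea using the numbers quoted above (ten knocks over a 16384-port window, 140 bits): a hash-chain one-time value is split into ten ports, and the filter side checks it against the stored chain head and advances. SHA-256 stands in for S/Key's hash, the window base of 40000 is an assumption, and no packets are sent; only the encoding and verifier logic is shown.

```python
import hashlib

# Parameters from the thread: ten knocks from a 16384-port window carry 10 * 14 = 140 bits.
KNOCKS = 10
BITS_PER_KNOCK = 14
PORT_RANGE = 1 << BITS_PER_KNOCK          # 16384 ports per knock
BITS = KNOCKS * BITS_PER_KNOCK            # 140
BASE_PORT = 40000                         # assumption: knock window is 40000..56383


def h(value: int) -> int:
    """One hash-chain step, truncated to 140 bits (SHA-256 stands in for S/Key's hash)."""
    digest = hashlib.sha256(value.to_bytes((BITS + 7) // 8, "big")).digest()
    return int.from_bytes(digest, "big") >> (256 - BITS)


def hash_chain(seed: int, length: int) -> list[int]:
    """Client side: chain[0] is the secret seed; the filter is given only chain[length]."""
    chain = [seed]
    for _ in range(length):
        chain.append(h(chain[-1]))
    return chain


def encode_knocks(otp: int) -> list[int]:
    """Split a 140-bit one-time value into ten 14-bit chunks, most significant first."""
    return [BASE_PORT + ((otp >> (BITS_PER_KNOCK * (KNOCKS - 1 - i))) & (PORT_RANGE - 1))
            for i in range(KNOCKS)]


def decode_knocks(ports: list[int]) -> int:
    """Inverse of encode_knocks; knock order matters, the fragility Daniel points at."""
    if len(ports) != KNOCKS:
        raise ValueError("wrong number of knocks")
    otp = 0
    for p in ports:
        if not BASE_PORT <= p < BASE_PORT + PORT_RANGE:
            raise ValueError("port outside knock window")
        otp = (otp << BITS_PER_KNOCK) | (p - BASE_PORT)
    return otp


class KnockVerifier:
    """Filter-side state: only the current chain head is stored, as an S/Key server does."""
    def __init__(self, head: int):
        self.head = head

    def verify(self, ports: list[int]) -> bool:
        try:
            candidate = decode_knocks(ports)
        except ValueError:
            return False
        if h(candidate) != self.head:
            return False
        self.head = candidate   # advance the chain so the same sequence cannot be replayed
        return True
```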