
"Port Knocking" For Added Security

CmdrTaco posted more than 10 years ago | from the thats-a-crazy-idea dept.

Security 950

Jeff writes "The process of Port Knocking is a way to allow only people who know the "secret knock" access to a certain port on a system. For example, if I wanted to connect via SSH to a server, I could build a backdoor on the server that does not directly listen on port 22 (or any port for that matter) until it detects connection attempts to closed ports 1026,1027,1029,1034,1026,1044 and 1035 in that sequence within 5 seconds, then listens on port 22 for a connection within 10 seconds. The web site explains it in some detail, and there is even an experimental perl implementation of it that is available for download. I can't think of any easy ways you could get around a system using this security method - let alone even know that a system is implementing it. Another article on port knocking is here."
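The knock state machine the submission describes, written out as an added example (this is not the site's Perl implementation). It keeps state per source address so that a third party hammering port 22 while someone else's window is open is still dropped; the sequence and timing windows are the ones from the summary, the addresses and traffic are constructed.

```python
"""Port-knock state machine as described in the submission (added example, not
the site's Perl tool).  Source addresses and the replayed traffic are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

KNOCK_SEQUENCE = [1026, 1027, 1029, 1034, 1026, 1044, 1035]  # sequence from the summary
KNOCK_WINDOW = 5.0     # the whole sequence must arrive within 5 seconds
OPEN_WINDOW = 10.0     # then port 22 accepts one connection within 10 seconds
SERVICE_PORT = 22


@dataclass
class KnockState:
    matched: int = 0         # ports of the sequence matched so far
    started: float = 0.0     # time of the first knock of the current attempt
    open_until: float = 0.0  # > 0 while the service port is open for this source


class KnockDaemon:
    """Watches SYNs to closed ports (e.g. from firewall logs) and decides per source."""

    def __init__(self, sequence=KNOCK_SEQUENCE, knock_window=KNOCK_WINDOW,
                 open_window=OPEN_WINDOW):
        self.sequence = list(sequence)
        self.knock_window = knock_window
        self.open_window = open_window
        self.state: Dict[str, KnockState] = {}  # keyed by source IP

    def observe(self, src: str, dst_port: int, now: float) -> str:
        """Feed one observed connection attempt; return the daemon's verdict."""
        st = self.state.setdefault(src, KnockState())
        if dst_port == SERVICE_PORT:
            # Only the source that completed the knock, and only inside its window.
            if st.open_until and now <= st.open_until:
                st.open_until = 0.0   # one connection per knock, then close again
                return "accept"
            return "drop"             # to everyone else port 22 stays closed
        if st.matched and now - st.started > self.knock_window:
            st.matched = 0            # too slow: the attempt expires
        if dst_port == self.sequence[st.matched]:
            if st.matched == 0:
                st.started = now
            st.matched += 1
            if st.matched == len(self.sequence):
                st.matched = 0
                st.open_until = now + self.open_window
                return "open"
            return "partial"
        # Wrong port: discard the attempt.  If the wrong port happens to be the
        # first port of the sequence it counts as the start of a new attempt.
        st.matched = 1 if dst_port == self.sequence[0] else 0
        st.started = now if st.matched else 0.0
        return "reset"


def run(events: List[Tuple[str, int, float]],
        daemon: Optional[KnockDaemon] = None) -> List[str]:
    """Replay (src_ip, dst_port, timestamp) tuples and collect the verdicts."""
    daemon = daemon or KnockDaemon()
    return [daemon.observe(src, port, t) for src, port, t in events]


if __name__ == "__main__":
    # Constructed traffic: a correct knock, a bystander hitting port 22 while the
    # window is open (per-source state keeps them out), then the real connection.
    events = [("10.0.0.5", p, 0.4 * i) for i, p in enumerate(KNOCK_SEQUENCE)]
    events += [("203.0.113.9", SERVICE_PORT, 3.0), ("10.0.0.5", SERVICE_PORT, 4.0),
               ("10.0.0.5", SERVICE_PORT, 6.0)]
    for ev, verdict in zip(events, run(events)):
        print(ev, "->", verdict)
```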


950 comments

Oh, really. (1, Insightful)

Anonymous Coward | more than 10 years ago | (#8192323)

I predict a flood of commenters whining about this being "security through obscurity."

Re:Oh, really. (0)

Anonymous Coward | more than 10 years ago | (#8192405)

To me, this looks like security through obscurity.

Re:Oh, really. (0)

Anonymous Coward | more than 10 years ago | (#8192422)

:-)

Cat got my tongue.

Re:Oh, really. (0)

Anonymous Coward | more than 10 years ago | (#8192496)

Your tongue is cat gut.

Re:Oh, really. (2, Interesting)

Anonymous Coward | more than 10 years ago | (#8192435)

I predict a flood of commenters whining about this being "security through obscurity."

Yeah, just like passwords are "security through obscurity."

This is essentially another level of passwords, but sounds useful for hiding those services that could have vulnerabilities *cough* OpenSSH *cough*.

Will this technique itself have possible vulnerabilities?

Port knocking IS Patriotic: +1, Hilarious (1, Funny)

Anonymous Coward | more than 10 years ago | (#8192498)

Before you Slashdot about "port knocking", please
send your text through a spellchecker.

"implimenting" should read "implementing".

Remember, the "President" [whitehouse.org]
was AWOL [calpundit.com]

Regards,
Kilgore

CmdrTaco talks about "port knocking" all the time. (-1)

Can it run Linux (664464) | more than 10 years ago | (#8192324)

Well, that's what he calls it, anyway.

To most of us, it's "anonymous gay bathroom sex."

Re:CmdrTaco talks about "port knocking" all the ti (0)

Anonymous Coward | more than 10 years ago | (#8192447)

You are a defamatory bastard! Taco has never been in a bathroom!

Well, there go the logfiles (3, Insightful)

djh101010 (656795) | more than 10 years ago | (#8192325)

Something tells me I'm going to be seeing a lot bigger firewall logs in the future, as this catches on.

Re:Well, there go the logfiles (0)

Ozone Depletion (738650) | more than 10 years ago | (#8192354)

*sigh* Yup, time to devote more of my HD to logs, but I guess if it promotes better security it's a good thing.

Re:Well, there go the logfiles (2, Insightful)

trompete (651953) | more than 10 years ago | (#8192417)

Good luck doing this through NAT. You'd have to configure your machines to act like a NAT device as far as refusing connections or else you could be port scanned to figure out which ports to knock on.

Re:Well, there go the logfiles (0)

Anonymous Coward | more than 10 years ago | (#8192465)

excellent point. this guy hasn't thought things through.

Re:Well, there go the logfiles (2, Interesting)

mabu (178417) | more than 10 years ago | (#8192509)

This isn't going to catch on. It's not more secure and it wastes more resources.

Why would this be any more secure than listening on a single port for the "unique knock sequence?" Any good admin knows the most secure system is one that is listening on as few ports as possible.

Uh, (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#8192332)

where are all the white women at?

Ninnle Linux has this (-1, Troll)

Anonymous Coward | more than 10 years ago | (#8192333)

The Ninnle Linux distro has had this feature for ages - really useful on servers and other scenarios where maximum security is paramount.

i like... (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#8192334)

fart knocking

time to eat the snatch

Frosty Piss!!!?? (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#8192336)

Frosty Piss!!!??

not bad (5, Insightful)

maelstrom (638) | more than 10 years ago | (#8192339)

But it does seem like a layer of obscurity to what should otherwise be a secure port. What if someone is sniffing your network? Unlike an encrypted password, they could easily replay this sequence and gain access to your "hidden" port.

Re:not bad (5, Interesting)

Kenja (541830) | more than 10 years ago | (#8192374)

"But it does seem like a layer of obscurity to what should otherwise be a secure port. What if someone is sniffing your network? Unlike an encrypted password, they could easily replay this sequence and gain access to your "hidden" port."

And? It is still more secure. By using "port knocking" they HAVE to sniff out your network traffic and find the port combo. Without "port knocking" they just need to run nmap and see what ports they can try to attack.

Re:not bad (0)

Anonymous Coward | more than 10 years ago | (#8192431)

And? It is still more secure. By using "port knocking" they HAVE to sniff out your network traffic and find the port combo. Without "port knocking" they just need to run nmap and see what ports they can try to attack.

false sense of security, why make yourself do more work for a negligible gain in security. this is no more beneficial than adding 5 characters to your login password, then logging in via telnet.

Re:not bad (1)

7ex (655070) | more than 10 years ago | (#8192424)

There is no problem with replaying these sequences. Since they are only hiding which services are really listening on an IP address, nothing relies upon this 'protection'.

Re:not bad (5, Interesting)

LostCluster (625375) | more than 10 years ago | (#8192446)

Think of it this way... it's an extra password combined with bonus security-by-obscurity of not having a visible password prompt.

The "knocking ports" could also be configured that if there are random hits to the standard port without the proper knock, the system could lock down for 30 seconds and even ignore the proper knock so that if somebody's trying to brute force all the possible knocks, they'll never get feedback when they have the right one.

Yeah, this is no substitute for properly securing the original service, but it's an extra layer that means there's even more that needs to be captured for a successful hack...

Not good (5, Insightful)

glpierce (731733) | more than 10 years ago | (#8192470)

"The "knocking ports" could also be configured that if there are random hits to the standard port without the proper knock, the system could lock down for 30 seconds and even ignore the proper knock so that if somebody's trying to brute force all the possible knocks, they'll never get feedback when they have the right one."

That would just create a new variant of DOS attacks. Instead of taking you offline, they just persistently knock on random ports, thereby disabling your ability to communicate with trusted sources.

Re:not bad (0)

Anonymous Coward | more than 10 years ago | (#8192448)

Sure, maybe it is. I use this, except I use a one time pad of port numbers and strike them off as I use them. I implemented this when all the ssh vulnerabilities were going around. This buys me time to patch them.

Old Idea, Different Use (5, Informative)

jsonic (458317) | more than 10 years ago | (#8192469)

The shady side of hackerdom has been using this very technique to hide their backdoors from port scanning admins. Or, uh, so I've heard...

Re:not bad (1)

sinucus (85222) | more than 10 years ago | (#8192481)

What kind of crack are you people smoking. This isn't a bad idea, I don't know if *I* would use it but it's still a great idea. You don't just eliminate your passwords on port 22 because you have this installed, it's an extra layer of security on top of more security. You think that because you have 1 lock that 2 locks won't do anything?

Re:not bad (1)

jonathan_95060 (69789) | more than 10 years ago | (#8192483)

regarding "sniffing" -- you are missing the point!

What port knocking does is raise the cost of automated scanning of random internet machines.

the script kiddies who run the year 2004 equivalent of SATAN against a "phonebook" of ip addresses (or random ip addresses) will have a much tougher time.

Re:not bad (2, Informative)

RealityMogul (663835) | more than 10 years ago | (#8192485)

Of course you could also have a new combination generated every minute for the super paranoid.

But I don't think the intent is to prevent people sophisticated enough to actually sniff packets from being able to enter the network, but simply stop script kiddies and worms that are rather mindless in their attacks. I am not aware of any worms that would be able to sniff packets and actually interpret what is happening.

Re:not bad (0)

webtre (717698) | more than 10 years ago | (#8192486)

If you noticed and RTFA'd, current implementations don't have the port numbers in any sensical order, which makes sense if you're making it hard to just simply port scan a machine. Therefore, just running nmap (or something similar) is now going to be *MUCH* more difficult.

Re:not bad (5, Interesting)

26199 (577806) | more than 10 years ago | (#8192488)

Hmm, lots of people have pointed this out, but it's easy to set up a system of one-time passwords... provided it's done in a cryptographically secure way, there's little point in sniffing for combinations.

Of course, you can still sniff to see what ports are actually in use...

LAST POST IN THIS THREAD GETS 10 DOLLARS (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#8192341)

READY

GO!

Re:LAST POST IN THIS THREAD GETS 10 DOLLARS (-1, Troll)

los furtive (232491) | more than 10 years ago | (#8192412)

You win!

err...I win!

Re:LAST POST IN THIS THREAD GETS 10 DOLLARS (0)

Anonymous Coward | more than 10 years ago | (#8192455)

No I DO

Re:LAST POST IN THIS THREAD GETS 10 DOLLARS (0)

Anonymous Coward | more than 10 years ago | (#8192493)

Nuh uh! I am the winner of the ten bucks. It's okay, I'll buy you a beer.

Invasive Security (2, Interesting)

Anonymous Coward | more than 10 years ago | (#8192342)

This is secure in the same way 50-character passphrases are secure, sure they are harder to crack but who the hell is going to remember them. The harder you make something to use, users will start trying to find ways around it.

what's more, connection attempts are easy to sniff, you might as well be using telnet...THIS THING IS BEGGING FOR A "REPLAY ATTACK".

Re: Replays (1, Insightful)

Anonymous Coward | more than 10 years ago | (#8192440)

There's no reason you couldn't change the knock sequence after each knock in a cryptographically hard-to-guess way (like the SSH one-time passcode mode) or use a hash of the time of day (to the nearest minute) plus some known pass code, exactly like SecureID cards.

Preventing replay attacks is not difficult, and the port-knocking technique generally is a pretty cool hack.

Re:Invasive Security (1)

Catskul (323619) | more than 10 years ago | (#8192442)

But with a password for example, you know where the service is listening and therefore can attempt to exploit problems with the service that can be exploited without a password. This is like putting the password before the protocol is even accessed.

All services should be this way. Passwords entered after the service has been accessed in some way always gives a chance for exploitation. This only gives the opportunity to attempt to exploit the OS's basic network functionality.

Re:Invasive Security (3, Informative)

Catskul (323619) | more than 10 years ago | (#8192489)

Also, it's not used for the only password. It is added security. Only people who can intercept packets for the host can replay the sequence. This prevents wholesale port scanning being productive.

Belch (0)

Anonymous Coward | more than 10 years ago | (#8192345)

Ahhhhh!!

Knock knock (0)

Anonymous Coward | more than 10 years ago | (#8192346)

Land shark

My idea (4, Interesting)

Catskul (323619) | more than 10 years ago | (#8192347)

I thought about this a long time ago as a way of hiding a trojan. Of course I didn't patent it so no money for me : /

Re:My idea (0)

Anonymous Coward | more than 10 years ago | (#8192398)

Maybe we should patent it and then never enforce the patent to keep other people from patenting it.

Re:My idea (0)

Anonymous Coward | more than 10 years ago | (#8192497)

We should encourage a credible organization to be doing this. What other way is there to stop people/companies from enforcing their patents based on common sense?

flamebait (-1, Troll)

Anonymous Coward | more than 10 years ago | (#8192348)

gay. where is this crap coming from? what benefit does this offer? why not just secure your services?

Sniffing (2, Insightful)

Anonymous Coward | more than 10 years ago | (#8192349)

This security is easily defeated if the connection can be sniffed to find the 'secret handshake'.

1st-ish (-1, Troll)

Anonymous Coward | more than 10 years ago | (#8192351)

post.

ghey

security through obscurity again? (0, Informative)

Anonymous Coward | more than 10 years ago | (#8192352)

come on kids. Have we not learned our lessons? Even as a one time pad, this is lame

Re:security through obscurity again? (0)

Anonymous Coward | more than 10 years ago | (#8192487)

What the fuck do you mean, "one time pad"? Do you have any idea what you're talking about?

Sure (0)

Anonymous Coward | more than 10 years ago | (#8192355)

Sure it's great if the machine's not firewalled in the first place...

Beavis? (2, Funny)

tommck (69750) | more than 10 years ago | (#8192356)

Am I the only one who heard Beavis say "Port Knocker!"?

Probably...

Re:Beavis? (0)

Anonymous Coward | more than 10 years ago | (#8192428)

heh heh heh. You said knocker. heh heh heh heh.
Yeah, heh heh heh knocker, heh heh.

Easy enough... (4, Insightful)

wishus (174405) | more than 10 years ago | (#8192357)

I can't think of any easy ways you could get around a system using this security method - let alone even know that a system is implimenting it.

Sniffing.

Password (1)

Kaa (21510) | more than 10 years ago | (#8192361)

Well, it's just a password to connect to a port where the password happens to consist of connection tries to specific ports.

It's a nice hack, but I am sure there are other ways to implement password-protected port access...

Man in the middle (0)

Anonymous Coward | more than 10 years ago | (#8192363)

Snoop and replay the pattern.

You'd need to change the "secret handshake" each time used.

Re:Man in the middle (0)

Anonymous Coward | more than 10 years ago | (#8192385)

As I said on a previous thread...

Even as a one time pad, this is lame

Security by Obscurity (1)

gtrubetskoy (734033) | more than 10 years ago | (#8192365)

I am not at all sure I see the benefit of it. It makes connecting more complicated and therefore troublesome, while sniffing out a "secret" knock should be trivial with tcpdump or whatever tool you like to use.

Re:Security by Obscurity (1)

26199 (577806) | more than 10 years ago | (#8192451)

That's easy to fix -- just use one-time passwords. A good analogy would be the keyrings used to open car doors remotely; they would be incredibly susceptible to sniffing if they didn't use a different code each time.

Worse? (4, Interesting)

glpierce (731733) | more than 10 years ago | (#8192371)

Right now, script kiddies have their computers automatically try to access other peoples' computers, looking for ones without firewalls, etc. If this happens, wouldn't you expect them to just send out random knocks in the hopes of getting something? If that happens, you will be more secure personally, but the increased traffic may cause more problems than it solves.

Re:Worse? (1)

crow (16139) | more than 10 years ago | (#8192436)

No, because you would also set it up to ignore all knocks from any computer that has attempted to connect to an invalid port number (one not in any active secret knock), at least for a good period of time.

Re:Worse? (1)

glpierce (731733) | more than 10 years ago | (#8192507)

Ignoring computers wouldn't help - the knock requests would still be made, which is the traffic itself.

Knock knock... who's there? (4, Funny)

bc90021 (43730) | more than 10 years ago | (#8192372)

Knock knock...

Who's there?

Usher.

Usher who?

Usher wish I could SSH to your server!

Sorry... ;)

One-time port knocking? (2, Interesting)

sleepingsquirrel (587025) | more than 10 years ago | (#8192378)

Interesting. So the next step would be to have one-time port knock sequences a-la one-time passwords (to defeat adversaries who are grabbing a copy of all your packets). But it seems like there is a race condition between the delay after the knock and the actual connection. Anyone have a solution to this?

Before you complain about "Obscurity" (5, Insightful)

pclminion (145572) | more than 10 years ago | (#8192380)

This adds a layer of obscurity to a security policy. It can't substitute for security, but it certainly can help.

An analogy would be a military base with a ten-foot-thick steel blast door. This is like having a door that teleports around at random, which can only be frozen in one spot by speaking some magic word. Even if you know the word, you still don't have the key to the door. But if you do have the key, you still can't get in without the magic word because the door keeps teleporting around.

Obscurity is great, if it is part of a layered security policy which is ultimately based on strong cryptography. This is a really cool idea!

Re:Before you complain about "Obscurity" (1, Funny)

Anonymous Coward | more than 10 years ago | (#8192444)

That was, quite possibly, the greatest analogy in the history of /.

Re:Before you complain about "Obscurity" (0)

Anonymous Coward | more than 10 years ago | (#8192472)

That's probably the dorkiest analogy I've ever heard.

Great! (1)

Ex Machina (10710) | more than 10 years ago | (#8192383)

I can't wait until I want to ssh into home from some cyber cafe behind a firewall or from an os where I can't replicate the knock!

Security through obscurity rules!

Alternate methodology is more secure (0)

Anonymous Coward | more than 10 years ago | (#8192384)

Do a google search on 'port finger pulling.'

Old stuff (5, Funny)

Britz (170620) | more than 10 years ago | (#8192386)

That is a very old method I developed with my friends. We would only open the door after a "secret" knock sequence. We had seen this on TV and thought this would be cool. We jeopardized the security regularly when we said "wrong knock" after someone else knocked. Usually parents. Then they would say "open up". And we had to comply.

Doesn't seem like such a great idea (1)

ReciprocityProject (668218) | more than 10 years ago | (#8192391)

It seems to me that anyone who was watching your packets go by could pick out the knocking sequence. Granted, if no one suspects knocking, no one will notice. But, now that it's on the front page of slashdot, I don't think it's very obscure security anymore.

its only a matter of time... (-1)

centurion (10584) | more than 10 years ago | (#8192394)

...before someone figures out a way to break the system. I read a quote someplace once that said that not even a computer put into a large concrete container with foot thick walls, buried into the ground and guarded is safe from crackers.

Security by obscurity (1)

DukeyToo (681226) | more than 10 years ago | (#8192397)

I thought that it had been decided - security by obscurity is bad! It creates a false sense of security, leading people to think they are safe when in fact they are not.

Someone pls clue me in why this is any different.

More complexity and obfuscation, not security. (1)

CharlieHedlin (102121) | more than 10 years ago | (#8192399)

The only use I can really see for this is to run servers where you aren't allowed (brain dead ISPs, etc.) As a security method I think it is a bad idea.

I think we need to focus on cleaning code, using proper passwords and encryption, and having sensible policies, such as locking out accounts for a pre determined amount of time after a login failure.

Port knocking probably will never catch on for more than a few paranoid people because it requires too much of a change on the client side. It generates more traffic.

We have secure protocols. I believe privilege separation, non-executable stacks, and strong authentication systems are a lot better than some knocking scheme (which could be easily sniffed, unless it changes, but you would know it was there).

We need to focus on security, not obfuscation.

Equivalent to a password (3, Interesting)

crow (16139) | more than 10 years ago | (#8192401)

I was thinking about implementing this a while ago; I guess it's an obvious enough idea that others have been thinking along the same lines. This is equivalent to putting a password on access to the port.

Ideally, the implementation will only consider connection attempts originating from the same IP address.

Knockse.cx (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#8192402)

Since goatse is now gone [kuro5hin.org], you have to knock to get him back.

Knock [fark.com]
Knock [boners.com]
Knock [www.goat.se]
Knock [hick.org]

One of these leads to ghostse, the others do not! Knock carefully!

I see an easy way (4, Insightful)

Apreche (239272) | more than 10 years ago | (#8192406)

There is an easy way around it. The problem is you will make yourself very obvious. Simply pick a time at which the server in question is in high use. Hammer the port. Eventually someone will knock on the door opening it for 10 seconds and you put your foot in the door before they do. The other way is if you can get a packet sniffer simply look at the packets that came before and determine the secret knock.

This is still an interesting idea and definitely has at least a few places in which it would be an effective authentication mechanism.

This sounds as insecure as... (0)

Anonymous Coward | more than 10 years ago | (#8192420)

...simply using open ports, but with a whole lot more bandwidth.

Silent Bob (5, Informative)

Sanity (1431) | more than 10 years ago | (#8192425)

A few years ago Freenet implemented something similar to this called "Silent Bob". The name comes from Alice and Bob, the names given to sender and receiver respectively when describing cryptographic protocols.

The idea was that you didn't want to disclose that you were running a Freenet node unless the person connecting to you already knew your node's public key.

So when someone wants to establish a connection to you, they must send some encrypted data providing they know your public key. Your node can receive this data and only respond if it is correct. Furthermore, you could let your Freenet node sit on port 25, for example, and forward invalid connection attempts to a mail server on a different port.

Through this mechanism, your Freenet node could quite effectively hide behind another server, only making itself known to those already part of the Freenet network.

IIRC this wasn't actually implemented in Freenet, but it is the intention to add it at some point. Still, it is amazing how many ideas were pioneered by Freenet years ago and are only showing up in the wider public consciousness now.

hacker movies (1)

dan2550 (663103) | more than 10 years ago | (#8192430)

this sounds like a really cool idea. not to mention being reminiscent of tactics used in (cheesy) hacker movies (like "hackers")

Sniffing Workaround (1)

DeionXxX (261398) | more than 10 years ago | (#8192434)

I'm not sure sniffing would work. Imagine an algorithm for the password based on some variable (time for instance) and a seed (password) that is known to both machines but not transmitted. It would be a bit harder to reverse engineer and crack the "knocking code".

Just an idea.

--D3X

The One Site for Free Adult Entertainment... [neox3.com]

ridiculous (1)

mabu (178417) | more than 10 years ago | (#8192439)

Why do people insist on pursuing humanistic metaphors in cyberspace when there isn't a practical application? This whole premise is ridiculous.

If you want to play with humanistic metaphors, remember the first rule of security is that its better to have ONE door in your house that you keep an eye on, than five windows and two doors with an elaborate security system. In the latter case, you have seven points of entry instead of one.

Brute Force (1)

savagedome (742194) | more than 10 years ago | (#8192450)

There are only 2^16 [iana.org] ports available. So, basically this knocking technique boils down to choosing a 5/6/7/8 letter password over a 2^16 alphabet. (To be more precise, you can ignore the port numbers 0 to 1023 as part of the alphabet as they are 'reserved'). So, effectively, it boils down to 2^16 - 1024.

Somebody do the math, but it doesn't look to be that secure. Brute-forcing this would not take long.

NOT security through obscurity (5, Interesting)

3Suns (250606) | more than 10 years ago | (#8192452)

It should be noted that this is NOT (necessarily) an example of security through obscurity. One could treat the port-knocking sequence as a "key". Long enough keys could make port-scanning impossible for anyone who doesn't know the key. Real mathematical cryptography is based on a similar principle.

Also, this is only a defense against port-scanning. Even if someone did manage to break the knocking sequence, they would still have to use some kind of exploit against the machine on the port they discovered.

VPNs already solved this problem... (0, Offtopic)

zerofoo (262795) | more than 10 years ago | (#8192453)

I already have a solution for this scenario. It's called a VPN. Anyone who doesn't know the "secret handshake" (VPN encryption key) doesn't get past the firewall. I don't have to worry about port 22 on my server....or any other port.

-ted

Why is this useful? (0)

Anonymous Coward | more than 10 years ago | (#8192454)

Why not just filter by IP? If you need control over who is allowed to access a port, this seems to be a better solution.

doesn't sound very secret to me ... (1)

Trygve (75999) | more than 10 years ago | (#8192466)

I could build a backdoor on the server that [...] detects connection attempts to closed ports 1026,1027,1029,1034,1026,1044 and 1035 in that sequence within 5 seconds [...]

Then your secret handshake wouldn't exactly be very secret, now would it? Why not use something that actually would remain a secret. Something fairly cryptographically strong, for example. It could still run on an unrelated port, and manage access to other ports the same way, but wouldn't be (as) easily broken by restrictive firewalls, wouldn't be sniffable, and still has the added advantage of added security (though by no means a complete solution) without depending on any modification of whatever's listening on the port you're restricting access to.

Retarded (1)

TheRealMindChild (743925) | more than 10 years ago | (#8192478)

This could easily be sniffed detected by malicious parties, as well as exploited pretty easily. The only way I would feel secure with this is if the pending port connection checked the IP of the incoming connection, at which point, the knocking becomes pointless

secret knock should also be coded (1)

six11 (579) | more than 10 years ago | (#8192492)

Some people have already pointed out the obvious weakness of this, that the secret knock is only an added layer of obscurity, and security by obscurity is flawed in many ways. But this scheme could be a little more secure if the knock itself was a function only known to those 'in the know'. For example, it could be a function of time, so if time.nist.gov says it's time X, then I look in my secret list of knocks and get the port and timing sequence for this particular f(X).

A third party could be watching your knock, and as soon as they recognize the knock they could try it themselves. But by then, the knock-as-a-function-of-time would have changed, so it would do them no good.
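The time-derived one-time knock sketched in the "Re: Replays", "Sniffing Workaround" and "secret knock should also be coded" comments, as an added example (not code from the page or its Perl tool): each minute's sequence is derived from HMAC-SHA256 over a shared secret and the time slot, so a sequence captured on the wire stops working once its slot ages out. The secret, slot length, knock length and skew tolerance are constructed assumptions; keyspace_bits answers the brute-force arithmetic raised in the "Brute Force" comment.

```python
"""One-time knock sequences derived from a shared secret and the time of day
(added example; secret, slot length, knock length and skew tolerance are constructed)."""
import hashlib
import hmac
import math
import struct
from typing import List

PORT_MIN = 1024        # skip the reserved ports 0..1023
PORT_MAX = 65535
SLOT_SECONDS = 60      # the knock changes every minute
KNOCK_LEN = 6


def knock_for_slot(secret: bytes, slot: int, length: int = KNOCK_LEN) -> List[int]:
    """Derive `length` knock ports from HMAC-SHA256(secret, slot || counter).

    Each digest yields sixteen 16-bit values; values below PORT_MIN are
    rejected rather than reduced modulo, so ports stay uniform over 1024..65535.
    """
    ports: List[int] = []
    counter = 0
    while len(ports) < length:
        msg = struct.pack(">QI", slot, counter)
        digest = hmac.new(secret, msg, hashlib.sha256).digest()
        for i in range(0, len(digest), 2):
            value = int.from_bytes(digest[i:i + 2], "big")
            if value >= PORT_MIN and len(ports) < length:
                ports.append(value)
        counter += 1   # almost never needed, but keeps the derivation total
    return ports


def current_slot(now: float) -> int:
    return int(now // SLOT_SECONDS)


def client_knock(secret: bytes, now: float) -> List[int]:
    """The sequence a client would send at time `now`."""
    return knock_for_slot(secret, current_slot(now))


def server_accepts(secret: bytes, observed: List[int], now: float,
                   skew_slots: int = 1) -> bool:
    """Accept the knock for the current slot or up to `skew_slots` earlier ones
    (clock-drift tolerance, the same idea as TOTP).  A sequence captured earlier
    stops working once its slot falls outside that window."""
    slot = current_slot(now)
    candidates = [knock_for_slot(secret, s) for s in range(slot - skew_slots, slot + 1)]
    return observed in candidates


def keyspace_bits(length: int = KNOCK_LEN) -> float:
    """Entropy of a uniformly random knock of `length` ports over 1024..65535."""
    return length * math.log2(PORT_MAX - PORT_MIN + 1)


if __name__ == "__main__":
    secret = b"constructed-demo-secret"   # constructed; would be provisioned out of band
    t0 = 1000.0
    knock = client_knock(secret, t0)
    print("knock for slot", current_slot(t0), knock)
    print("accepted 10 s later:", server_accepts(secret, knock, t0 + 10))
    print("replayed 100 s later:", server_accepts(secret, knock, t0 + 100))
    print("keyspace of a %d-port knock: %.1f bits" % (KNOCK_LEN, keyspace_bits()))
```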

Possible problems (4, Interesting)

Mr. McGibby (41471) | more than 10 years ago | (#8192502)

What if multiple attempts from the same IP are made to access the port at the same time? Wouldn't the knocks get all mixed up?

Great for SSH (2, Interesting)

zulux (112259) | more than 10 years ago | (#8192504)

OpenSSH is a great piece of software - but it's so huge that I can't help but think that there could be flaws in it (like the one of 6 months ago)

I would love to layer another piece of security in front of OpenSSH and this seems like a great idea.

Reverse-knock (5, Interesting)

Seft (659449) | more than 10 years ago | (#8192505)

Has anyone implemented a system where a service would be stopped if the ports next to it were scanned? i.e. if 1024, 1025, 1026, 1027 were scanned, a service running on 1028 would stop.

I had this idea a while back (0)

jaylee7877 (665673) | more than 10 years ago | (#8192508)

Yeah, I know I'm always saying that, I need to start taking out patents instead of letting other people steal my idea. Anyway there's a few issues here: 1. The "knock" ports need to be open all the way to the server. This means that you'll have to punch holes in your main firewall or else not use 1 main firewall but instead indiv. firewalls per server which tends to be less manageable/less secure 2. There's no real set way of implementing this yet. Try telling your users to first run telnet 1023, then telnet 1059, then telnet 1236 then actually ssh into the real port. Course if you're this paranoid it's probably an ultra secure box anyway. It'd be awesome to see this implemented and allow for easy "keying" of the ports, so I can choose any number combo I prefer. Of course it should then also make sure the ssh connection is coming from the same IP that knocked. And it might take a while but a sniffer would crack the combo...

Implementations? (2, Interesting)

crow (16139) | more than 10 years ago | (#8192510)

Could this be implemented with IP Tables under Linux? I remember seeing a set of rules to detect a port scan; could a similar set of rules be used to unlock a port for a given remote IP number?

Of course, this won't take off unless there's also knocking support built into the clients (like ssh).