
Port Knocking in Action

CmdrTaco posted more than 10 years ago | from the crazy-security-through-obscurity dept.

Software 430

tyldis writes "There was something called "port knocking" mentioned on Slashdot earlier, and now an implementation has sprung to life. Is this something worth pursuing?" The link points to an application called knockd, which is a simple proof of concept with hard-coded knock sequences. Really interesting stuff.


430 comments


About Fark.com (-1)

Fecal Troll Matter (445929) | more than 10 years ago | (#8863740)

The word Fark doesn't mean anything. It's a word Drew used instead of saying Fuck in chat rooms and online games back in the early 90s. He became known for saying it at random intervals just for the hell of it, so one day in late 1997 he decided to go out and register the domain.

Drew didn't want to bother with a website unless he came up with a good idea for it. So instead of doing a vanity site or something equally lame, he put this picture up instead:

And for many months that was what you found when you went to Fark.com. Some say it was much better than the content found on Fark today.

In the meantime, Drew had somehow gotten into the habit of sending odd news to friends of his in England, where he lived for a year while in college. He started sending emails with the funny news stories to his friends via email. However, emails were going out several times a day, and Drew started to suspect that they might be annoying. Remembering he owned the Fark.com domain name, he started a website and told all his friends to go there for the weird news. That was February 12, 1999.

During all of 1999, Fark got 50,000 pageviews.

During all of 2000, Fark got over one million pageviews

During all of 2001, Fark got over 30 million pageviews

During all of 2002, Fark got over 210 million pageviews

During all of 2003, Fark got over 350 million pageviews

We're not sure what we'll get during 2004, but at this rate by the end of the year there will be more people reading Fark than will be alive on the planet at that time. It will be interesting to see how that works out.

Is this something worth persuing? (-1, Redundant)

Anonymous Coward | more than 10 years ago | (#8863741)

Yes.

Re:Is this something worth persuing? (0, Funny)

Anonymous Coward | more than 10 years ago | (#8863767)

Is pursuing something worth spelling correctly? also 'Yes'.

Is this something worth persuing? (-1, Redundant)

Anonymous Coward | more than 10 years ago | (#8863756)

No. It's a waste of time.

one of many (3, Interesting)

bangular (736791) | more than 10 years ago | (#8863757)

There are actually about 5 other known port knocking implementations. And it's such an easy thing to do, I'm sure many others have written their own private implementations.

Re:one of many (4, Funny)

Anonymous Coward | more than 10 years ago | (#8863913)

Actually I counted 11 other port knocking implementations. Really I did. Can I get modded +4 also?

Port Knocking implementations (4, Informative)

bwhaley (410361) | more than 10 years ago | (#8863929)

Lots of info available via a google search [google.com] ...

A few implementations [portknocking.org] here.

I don't think will be very useful/valuable until clients (such as ssh) have it built in. I don't feel like going through the hassle each time I want to connect. Though it would keep comcast from discovering my ssh service...

Re:Port Knocking implementations (5, Interesting)

lambent (234167) | more than 10 years ago | (#8864020)

Off the main topic, but regarding comcast ...

I've spoken with several reps at Comcast over the past year. They don't really care what servers you run. (I've been told this explicitly as well as tacitly) In fact, when I first contacted tech support, the guy had no idea what SSH, Telnet (ssh is like an encrypted telnet, right?) or even what a port was.

I've been running an ssh server for about 8 months uninterrupted, now. The general rule of thumb seems to be - If you don't cause trouble for anyone else, Comcast won't cause trouble for you. So, in that interest, I impose reasonable caps on my own throughput and connection counts, and I've had no problems at all.

Re:one of many (2, Funny)

jacquesm (154384) | more than 10 years ago | (#8863958)

port knocking is like having a deliberate hole in
your carefully constructed secure zone.

I'm going to stay a mile away from anything that
brings on board a 'knocker'...

I'd hate to get knocked up.

Re:one of many (4, Insightful)

tverbeek (457094) | more than 10 years ago | (#8864014)

port knocking is like having a deliberate hole in your carefully constructed secure zone.

Well, yes. That's the point: to enable access to a secured system. It's often a necessary evil. The issue is that most people implement these deliberate holes by leaving certain ports open to simple direct access. They're easy to find, and not all that difficult to exploit. Adding a layer of obscurity and another layer of security on those holes - in effect putting a concealed combination lock on them - would be a more secure way of doing that.

Re:one of many (2, Funny)

PacoTaco (577292) | more than 10 years ago | (#8864009)

Well, someone needs to come up with a better name. I feel like I should be saying "shut up Beavis" whenever somebody mentions it.

How do you transcribe... (5, Funny)

JesseL (107722) | more than 10 years ago | (#8863760)

"shave and a haircut" into port numbers?

Re:How do you transcribe... (4, Funny)

winkydink (650484) | more than 10 years ago | (#8863782)

I dunno. How many ports can you knock on with two bits?

Re:How do you transcribe... (2, Funny)

nacturation (646836) | more than 10 years ago | (#8863952)

I dunno. How many ports can you knock on with two bits?

Four, of course!

Re:How do you transcribe... (1)

trick-knee (645386) | more than 10 years ago | (#8863828)

"shave and a haircut" into port numbers?

don't think it'd be useful because you could specify no more than four ports (or maybe just one of four ports). just two bits, you know. [google.com]

Re:How do you transcribe... (2, Informative)

Dwedit (232252) | more than 10 years ago | (#8863855)

In QBASIC:

s$ = "shave and a haircut"

FOR i = 1 TO LEN(s$) STEP 2
    IF i < LEN(s$) THEN
        ' two characters left: pack them into one 16-bit port number
        PRINT ASC(MID$(s$, i, 1)) * 256 + ASC(MID$(s$, i + 1, 1))
    ELSE
        ' odd trailing character stands on its own
        PRINT ASC(MID$(s$, i, 1))
    END IF
NEXT

Output:
29544, 24950, 25888, 24942, 25632, 24864, 26721, 26994, 25461, 29544, 24950, 25888, 24942, 25632, 24864, 26721, 26994, 25461, 29544, 24950, 25888, 24942, 25632, 24864, 26721, 26994, 25461, 116

Re:How do you transcribe... (0)

Anonymous Coward | more than 10 years ago | (#8863933)

Can you help me modify DONKEY.BAS?

I want to give the donkey junk that is liberally touchable.

Re:How do you transcribe... (2, Informative)

Anonymous Coward | more than 10 years ago | (#8863885)

2093, 1568, 1568, 880, 988, 1568, the frequency of the pitch of the notes.

Knock Knock (-1)

graveyardduckx (735761) | more than 10 years ago | (#8863765)

Who's there? Skr1p+-k1dd13 31337 h4x0r Ok, go on in.

Knock Knock (4, Funny)

Anonymous Coward | more than 10 years ago | (#8863768)

You can keep on knockin' but ya can't come in

Re:Knock Knock (0)

Anonymous Coward | more than 10 years ago | (#8863873)

I just hope nobody knocks up my server

Re:Knock Knock (2, Funny)

Dorothy 86 (677356) | more than 10 years ago | (#8864051)

I knock, knock, knocked on that Gibson's door!

kock this fp (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#8863769)

fp

Ahem... (-1, Offtopic)

DamienNightbane (768702) | more than 10 years ago | (#8863771)

Somewhat close to first post!

Port to MIDI interface (3, Funny)

Black Art (3335) | more than 10 years ago | (#8863777)

So how do we map musical notes to port numbers?

I want to get "shave and a haircut" ported over to the new protocol.

Re:Port to MIDI interface (1)

Afrosheen (42464) | more than 10 years ago | (#8863800)

Um, start at the lowest key on the piano and assign it a 1. Assign the highest key the highest number. That's about it...start your port knocking transcriptions.

Or if you're really bored you can transcribe each note into hex via an old commodore 64 with DMC music composition software or the excellent JCH composer. Convert that hex back to regular digits and those are your ports.

Re:Port to MIDI interface (0)

Anonymous Coward | more than 10 years ago | (#8863871)

So how do we map musical notes to port numbers?
Um...Hertz?

Re:Port to MIDI interface (1, Funny)

Anonymous Coward | more than 10 years ago | (#8863983)

The new chicken-powered iMacs [omlet.co.uk] have this already built in!

Re:Port to MIDI interface (0)

Anonymous Coward | more than 10 years ago | (#8864012)

Um, I'll just reply with an "um" because it makes me sound clever.

Re:Port to MIDI interface (0)

Anonymous Coward | more than 10 years ago | (#8864029)

or better the them to close encounters

i guess (-1)

Anonymous Coward | more than 10 years ago | (#8863778)

i suppose it's better than all the cock-knocking that usually goes on here

Great for warez... (5, Interesting)

danielrm26 (567852) | more than 10 years ago | (#8863788)

I can see this being used quite extensively in the warez arena. It'd be pretty easy to give out the "key" to clients who are allowed access, while any ISP scanning for FTP servers, for example, would find nothing open.

Re:Great for warez... (2, Insightful)

selfabuse (681350) | more than 10 years ago | (#8863834)

Along the same lines, it would be useful to us non-warez folk that run servers at home that are for personal use, but have broadband that disallows servers in the AUP.

Re:Great for warez... (4, Informative)

caluml (551744) | more than 10 years ago | (#8863842)

I fear the ISP might just watch for large amounts of data spewing out on tcp/20.

Re:Great for warez... (0)

Anonymous Coward | more than 10 years ago | (#8863921)

The Protocols (TCP/IP Illustrated, Volume 1) by Richard Stevens

please read.

Re:Great for warez... (2, Insightful)

KingOfBLASH (620432) | more than 10 years ago | (#8863899)

I can see this being used quite extensively in the warez arena. It'd be pretty easy to give out the "key" to clients who are allowed access, while any ISP scanning for FTP servers, for example, would find nothing open.

<tongue in cheek>
If you had an ISP that was port scanning for open FTP servers on port 20, why not just move your port to another port with well known use for home users, like 135?
</tongue in cheek>

Re:Great for warez... (1)

Methuseus (468642) | more than 10 years ago | (#8863935)

Because 135 is blocked by the average ISP? Or isn't it? I haven't gone without a firewall for years...

Re:Great for warez... (0)

Anonymous Coward | more than 10 years ago | (#8863953)

because anyone who is looking for ftp connections will try to connect to that port.

To be honest... this is all a moot point as any real administrator will be looking at sniffer logs(see Ethereal post earlier) and will see the cleartext greets and logins regardless of how many ports you jump.

Re:Great for warez... (2, Funny)

gnu-generation-one (717590) | more than 10 years ago | (#8863992)

"I can see this being used quite extensively in the warez arena."

Shhhh.... Don't mention the trojans.

Netflow (0)

Anonymous Coward | more than 10 years ago | (#8864005)

Yeah, but if your ISP is using Netflow to analyze the traffic, wouldn't it detect a syn/ack handshake going in the wrong direction (inbound) and be a dead giveaway as to the traffic? That, and doesn't the ftp protocol have a distinguishable signature in the control channel? It's easier just to VPN it.

Knock Knock? (4, Informative)

qualico (731143) | more than 10 years ago | (#8863791)

Who's there?

Just a bunch of hackers knocking with sequences they captured from sniffing.

Sniffing only works when on that network. (4, Insightful)

khasim (1285) | more than 10 years ago | (#8863975)

You can only sniff packets on a network you are attached to.

What that means in real life is that someone would have to be connected somewhere along the route from your machine to the server you're knocking on.

I am in Seattle, I can knock on my server from another location in Seattle. Someone in Canada will not be able to capture any of my packets.

Port knocking allows me to run a service on the Internet and not worry about just anyone from anywhere connecting to it.

Re:Sniffing only works when on that network. (1)

qualico (731143) | more than 10 years ago | (#8864040)

Come on now.

A hacker isn't going to give a w00t about geographic limitations.

Especially with all that wireless information floating around from gracious war driver/flyers.

Re:Knock Knock? (5, Insightful)

DarkMan (32280) | more than 10 years ago | (#8863980)

Meh, throw some cryptography into the mix.

Take the source IP, add a password, take a one way hash. Include this hash in the knocking packets.

Now, if you've sniffed the packets, then you won't know the password. So, you can spoof the source IP, in which case the port will be opened _for that IP only_, or you can send the knocking packets from your IP, in which case you need that password, or you've just advertised yourself as a hacking attempt.

In order to prevent a single password for everyone situation, it's not hard to include a user ID in the packets.

Does need the application or firewall to allow connections to and from specific IP's only - but I really can't see that being an issue.

Problem solved.

Re:Knock Knock? (4, Informative)

timeOday (582209) | more than 10 years ago | (#8863989)

Not unless they can get into a router on the path between you and someone valid who logged in, or the same ethernet segment.

Re:Knock Knock? (2, Interesting)

brettbender (87275) | more than 10 years ago | (#8864048)

This is a replay attack. So don't use a static (replayable) sequence of ports for the knock sequence. Instead, require a dynamic sequence that is a function of the current time.

Multiple kocks (0, Redundant)

TheJavaGuy (725547) | more than 10 years ago | (#8863792)

I am not that familiar with port knocking, but what if multiple attempts from the same IP are made to access the port at the same time? Would the knocks then get all mixed up?

Re:Multiple kocks (3, Informative)

aWalrus (239802) | more than 10 years ago | (#8863911)

Well, the knocks do come from the same IP, so this thing just needs to be able to see that to filter different knock sequences, I guess.

Re:Multiple kocks (1)

fortunatus (445210) | more than 10 years ago | (#8864036)

good idea!

in any case, some mix-up will be inevitable, just like packet collisions on a network can happen. the same algorithms (random wait & retry) will be used.

Re:Multiple kocks (1)

Fiz Ocelot (642698) | more than 10 years ago | (#8864037)

It would be interesting to have an implementation that required knocks in sequence from a particular set of IPs.

Say you needed a specific knock sequence from two specific IPs: Those two knock giving access to one of them, while in that process false knocks can be sent in case anyone is monitoring packets being sent to the server.

so even if you did manage to see what was going on, it would be difficult to figure it out if it involved something like 4 IPs giving dummy sequences.

hehe, old joke (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#8863796)

That reminds me of an old joke:

What is the most insecure and easily accessible port?

CmdrTaco's asshole!!!

Port Knocking Needed (2, Interesting)

SeinJunkie (751833) | more than 10 years ago | (#8863798)

I believe this technology is needed to be pursued greatly. The unwanted traffic that anybody running a website or FTP server sees generated everyday in his server logs is enough to make port knocking a necessity.

I wonder though. If port knocking is to become popular, will it be able to work through all of the blocked ports resulting from the excessive worm attacks?

old (5, Funny)

ozric99 (162412) | more than 10 years ago | (#8863811)

When the server detects a specific sequence of port-hits, it runs a command defined in its configuration file. This can be used to open up holes in a firewall for quick access.

pfft, XP has had this for ages....

Re:old (0)

Anonymous Coward | more than 10 years ago | (#8863948)

Really? Name one security hole in the XP firewall?

Re:old (0)

Anonymous Coward | more than 10 years ago | (#8864004)

It's off by default?

Cmdr. Taco please read (-1, Troll)

Anonymous Coward | more than 10 years ago | (#8863822)

Dear Cmdr. Taco,

Today, I had sex with your wife. She loved it, she was always screaming for more. I fucked her both up her ass and pussy. I hope you know she likes it rough, but your small dick wouldn't last anyway so it really doesn't matter. I also hope you know she is leaving you and coming to live with me.

I was the one who left that flaming pile of dog shit by your front door. Not only that, I slashed your Dodge Pinto's tires, and broke all of your house windows. Oh and how can I forget, I salted the earth on your property so your grass will die.

With much regards,
---Cowboy Neal

P.S. I stole your mailbox.

Re:Cmdr. Taco please read (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#8863856)

Pintos are made by Ford, not Dodge.

Re:Cmdr. Taco please read (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#8863886)

It's pretty obvious that with Cmdr. Taco's limited car knowledge (like most women), and inability to discern what you're really getting from a salesman (again another female trait) that he ended up buying a Pinto with a Dodge nameplate on the rear end.

Re:Cmdr. Taco please read (0)

Anonymous Coward | more than 10 years ago | (#8864034)

I'm still waiting for some Jessica Lynch slash-fiction, btch!

ISP Port-Scanning (5, Insightful)

ckswift (700993) | more than 10 years ago | (#8863833)

This might be useful when ISPs routinely port-scan their subscribers to discover if they're running services in violation of their TOS.
This will allow your computer to appear not to be running services except to the person who knows the magic knock.

Re:ISP Port-Scanning (0)

Anonymous Coward | more than 10 years ago | (#8863964)

I thought about that when this first came out. I thought it would be great to hide my server from my ISP. Problem is that if you have the resources to generate knocks in a specific port sequence at a specific timing, then you probably have the resources to just run a VPN. I use OpenVPN, which routes all its data in a simple stream of UDP packets that wash out amidst all the other UDP noise on the wire; unlike IPSEC and PPTP, which use a reserved protocol that sticks out like a sore thumb. (my ISP used to ban VPNs on residential accounts as a way to sell more business accounts.)

Re:ISP Port-Scanning (2, Informative)

meme_police (645420) | more than 10 years ago | (#8864010)

That would be a benefit. Those using port-knocking for extra security are misguided, though.

Fyodor must be busy... (5, Insightful)

stevens (84346) | more than 10 years ago | (#8863838)

I'm betting that nmap binary is about to get much bigger...

Re:Fyodor must be busy... (0)

commonloon (543695) | more than 10 years ago | (#8863890)

Not to mention our snort logs.

nah (0)

Anonymous Coward | more than 10 years ago | (#8864027)

he's probably too busy hitting on women that are really men

p.s. im a hot linux babe!

Port knocking not exactly a new idea.. (3, Funny)

morelife (213920) | more than 10 years ago | (#8863840)

The port knocking idea is pretty old.. at least for months now all kinds of people are knocking my 135 1433 3127 and a bunch of others to DEATH, like hundreds a day, trying to get in..

Oops, that's Microsoft port knocking.. never mind, sorry, I guess it is new to Unix..

Knock Knock (5, Funny)

Anonymous Coward | more than 10 years ago | (#8863849)

Who's there?

Packet.

Packet who?

Packet up bitch, you've been hacked.

If this box is rock'n... (1, Funny)

stephenisu (580105) | more than 10 years ago | (#8863853)

Don't come a knockin'

how long till... (5, Interesting)

Anonymous Coward | more than 10 years ago | (#8863866)

till we see virus/worms that install port knocked backdoors.

'virus x appears to open up 200 ports for no real reason, but it also has some remote desktop code in there too opened on a firewalled port....'

authpf? (4, Interesting)

m0rph3us0 (549631) | more than 10 years ago | (#8863875)

Why use port knocking? It is no more secure than plain-text passwords. Use authpf. authpf can be set as the shell so when a user logs in authpf just changes the firewall rules.

Re:authpf? (5, Insightful)

smcavoy (114157) | more than 10 years ago | (#8863934)

passwords and port knocking are two different things.
A perfect example of what it could allow to be done is on knockd's homepage.
Basically, ssh would not be an open port, you'd have to knock (connect to) the right sequence of ports, which would trigger a rule that could allow only the IP that made the successful knock, access to the ssh port.
Then when you're done you would have another sequence of ports you'd have to "knock" in order to remove the rule allowing access.

Re:authpf? (1)

Ieshan (409693) | more than 10 years ago | (#8864049)

The parent is suggesting that sending the "knock" is no more secure than sending the password over plaintext, since anyone sniffing can easily sniff out and reproduce the "knock" as well.

Re:authpf? (1)

meme_police (645420) | more than 10 years ago | (#8863947)

Great idea but not very portable.

Re:authpf? (1, Insightful)

Anonymous Coward | more than 10 years ago | (#8863957)

So using port knocking to open up ssh so you can log in is no more secure than plain-text passwords? DAMNIT.

no (1, Informative)

Anonymous Coward | more than 10 years ago | (#8863979)

No, the knock-sequence itself is no more secure than a plaintext password. So using it for access to ssh is no more secure than simply using ssh alone.

Re:no (1, Informative)

Anonymous Coward | more than 10 years ago | (#8864006)

It prevents people from doing evil things to your sshd.

Re:authpf? (2, Interesting)

debrain (29228) | more than 10 years ago | (#8864018)

Why use port knocking. It is no more secure than plain-text passwords. Use authpf. authpf can be set as the shell so when a user logs in authpf just changes the firewall rules.

I'm not sure that authpf corresponds to port-knocking's subject-matter.

You can make port-knocking more "secure" than encryption; you can use a time-synchronized one-time pad to construct and vary the ports, flags, TCP options, sequence, etc., to come up with a system both unique and impossible to duplicate, absent the one-time pad.

As one-time pads are provably secure, you can create a system that bars or ignores all communication except the effectively random knock that unlocks the door.

knock-knock (3, Interesting)

after (669640) | more than 10 years ago | (#8863887)

That server is about to get more knocks than it can handle; it's starting to get pretty slow loading for me.

knockd is a port-knock server. It listens to all traffic on an ethernet interface, looking for special "knock" sequences of port-hits. A client makes these port-hits by sending a TCP (or UDP) packet to a port on the server. This port need not be open -- since knockd listens at the link-layer level, it sees all traffic even if it's destined for a closed port. When the server detects a specific sequence of port-hits, it runs a command defined in its configuration file. This can be used to open up holes in a firewall for quick access.


This is an interesting idea, but not very secure. If there was, for example, a need to "knock" a server to activate some sort of access control, then anyone can send the TCP/UDP packets (AFAIK) someone correct me if i'm wrong.

Looks interesting though, but inetd could do the same thing.

Security (2, Insightful)

David Hume (200499) | more than 10 years ago | (#8864001)


This is an interesting idea, but not very secure. If there was, for example, a need to "knock" a server to activate some sort of access control, then anyone can send the TCP/UDP packets (AFAIK) someone correct me if i'm wrong.


If I understand it correctly, this could be very secure. Imagine trying to guess the combination of a combination lock where each port number represents a possible number of the combination, and the combination is of unknown length (e.g., a combination 3, 5, 45, or 105 numerals long, etc.). Moreover, it might be possible to have the system bar further attempts from a given IP address after two or three failed attempts during a given period of time.
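Added example, not code from knockd or from either poster above: a small Python matcher that does what the knockd blurb quoted above describes (watch a stream of port hits, track each source address separately so interleaved hits from other hosts don't corrupt a legitimate knock, reset on a stray or late hit) and adds the lockout David Hume suggests (ignore a source for a while after a few failed sequences). The knock sequence, timeouts and the observed hits are all constructed for the demo.

```python
# Constructed example: a per-source port-knock sequence matcher with timeout
# and failed-attempt lockout. Not knockd's code; sequence and limits are assumed.
from dataclasses import dataclass

KNOCK_SEQUENCE = (7000, 8000, 9000)   # assumed knock; not a knockd default
KNOCK_TIMEOUT = 10.0                  # max seconds between consecutive hits
MAX_FAILURES = 3                      # failed sequences before a source is locked out
LOCKOUT_SECONDS = 300.0               # how long a locked-out source is ignored


@dataclass
class SourceState:
    progress: int = 0        # index of the next expected port in the sequence
    last_hit: float = 0.0    # timestamp of the last accepted hit
    failures: int = 0        # wrong-port hits since the last success / lockout
    locked_until: float = 0.0


class KnockMatcher:
    def __init__(self, sequence=KNOCK_SEQUENCE, timeout=KNOCK_TIMEOUT,
                 max_failures=MAX_FAILURES, lockout=LOCKOUT_SECONDS):
        self.sequence = tuple(sequence)
        self.timeout = timeout
        self.max_failures = max_failures
        self.lockout = lockout
        self.state = {}      # source IP -> SourceState (each source tracked alone)
        self.opened = []     # (timestamp, source IP) for every completed knock

    def _fail(self, st, now):
        st.progress = 0
        st.failures += 1
        if st.failures >= self.max_failures:
            st.locked_until = now + self.lockout
            st.failures = 0

    def hit(self, src_ip, dst_port, now):
        """Feed one observed (source IP, destination port, timestamp).
        Returns True only when this hit completes the sequence for src_ip."""
        st = self.state.setdefault(src_ip, SourceState())
        if now < st.locked_until:
            return False                 # locked out: hits are ignored entirely
        if st.progress > 0 and now - st.last_hit > self.timeout:
            st.progress = 0              # too slow: start over
        expected = self.sequence[st.progress]
        if dst_port != expected:
            if dst_port == self.sequence[0]:
                st.progress = 1          # interrupted client simply re-knocks
                st.last_hit = now
            else:
                self._fail(st, now)      # stray port: counts as a failed attempt
            return False
        st.progress += 1
        st.last_hit = now
        if st.progress == len(self.sequence):
            st.progress = 0
            st.failures = 0
            self.opened.append((now, src_ip))
            return True
        return False


def run_demo():
    # Constructed observations (src_ip, dst_port, seconds). 10.0.0.5 knocks
    # correctly while 10.0.0.9 hits the same ports in the wrong order in between;
    # per-source state keeps the two apart and 10.0.0.9 ends up locked out.
    events = [
        ("10.0.0.5", 7000, 1.0), ("10.0.0.9", 9000, 1.5),
        ("10.0.0.5", 8000, 2.0), ("10.0.0.9", 8000, 2.5),
        ("10.0.0.5", 9000, 3.0), ("10.0.0.9", 7000, 3.5),
        ("10.0.0.9", 22, 4.0),               # third failure: lockout starts here
        ("10.0.0.9", 7000, 5.0), ("10.0.0.9", 8000, 5.5), ("10.0.0.9", 9000, 6.0),
    ]
    m = KnockMatcher()
    results = [(ip, m.hit(ip, port, t)) for ip, port, t in events]
    return m, results


if __name__ == "__main__":
    matcher, results = run_demo()
    print("opened:", matcher.opened)
```

A real daemon would feed `hit()` from a packet capture and fire the firewall command where `opened` is appended; the point of the example is that each source has its own progress counter, so a scanner hitting the knock ports at the same time neither completes nor disrupts someone else's knock.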

Another implementation (5, Informative)

frobisch (630854) | more than 10 years ago | (#8863901)

is pasmal [sourceforge.net]

Don't knock it until you've knocked it (-1)

ReadParse (38517) | more than 10 years ago | (#8863903)

Couldn't resist. I apologize. I am fully prepared to be moderated into submission.

RP

Nice start (4, Insightful)

javatips (66293) | more than 10 years ago | (#8863908)

That's a nice start.

It would be nice to be able to use a one-time pad to generate the port sequence. By changing constantly, it would be almost impossible for passive listeners to sniff the port sequence.

Interesting (5, Interesting)

debrain (29228) | more than 10 years ago | (#8863925)

This sort of clandestine type of communication has been known about in the security community for a long time - pretty much since the ARPA days. Some backdoors used specific sequences of TCP flags, with no practical TCP use other than opening a backdoor, but permitting anonymous communication or command broadcasting.

With access to a TCP stack and a link-layer sniffer, you can send and receive, respectively, commands to ghosts in working machines, transparent proxies or "harmony" devices. It is good to see this sort of thing coming to light, since it is extraordinarily powerful and not very well known.

An example of these probing commands are Xmas, Fin, and Null scans for Fyodor's nmap; note that other TCP flags (TCP options, in particular) can harbour substantially more information than the flags alone.

Unfortunately, in the modern age of macro viruses, it is hardly necessary to be skilled or even aware of such devices to write a devastatingly powerful virus.

Great and all . . . (0)

Anonymous Coward | more than 10 years ago | (#8863926)

But what happens if something else "knocks" in the middle of a series of port checks?

If this technique becomes widespread, then it will just encourage more and multiple port scans of IPs. If that causes problems, then people aren't going to use port knocking, if it keeps getting interrupted.

The Power of Simplicity (0, Interesting)

l0ungeb0y (442022) | more than 10 years ago | (#8863939)

Personally, I'd like to advocate this... but can't
Look at meat examples like the simple peep-hole in the door.
Every front door (esp. apartments) have a peep-hole in the front door to see who's awaiting.
So on the face, it's a good thing.

So a simple pass/fail concept online is good.
But I see no guarantees against spoofing.

This idea is one that relies upon trust.
Trust in DRM concepts, which I am sure most here on /. would spit on at the slightest mention.

I would venture to say that anything DRM related needs to be regulated (for privacy relations) where individual actions (pr0n surfing -- it is a puritanical reality here in the US) should be insured against monitoring.

So ignore this post, I stand in the face of reason, and under Ashcroft my reason can not withstand. In fact, these words in 10 years time would stand as irrefutable treason as speech in the aid of terrorists.

new sticker on server case (0, Redundant)

MakoStorm (699968) | more than 10 years ago | (#8863942)

If this server is rocking dont come nocking

About as secure as telnet(1) ie not. (3, Informative)

Dr. Zowie (109983) | more than 10 years ago | (#8863945)

The problem here is that the ``password'' (the port knock sequence) is sent in plaintext. Anyone with a sniffer anywhere between you and the other machine can see what you're doing. If this ever catches on, any L337 |1dd13 with half a rootkit will be sniffing for anomalous port-requests, and you'll be just as hosed as if you logged on via telnetd.

Re:About as secure as telnet(1) ie not. (1)

Dr. Zowie (109983) | more than 10 years ago | (#8863976)

dratted HTML filter. That's ``L337 |<1dd13'', of course.

Re:About as secure as telnet(1) ie not. (1)

trip23 (727132) | more than 10 years ago | (#8864042)

True, but my cable ISP doesn't allow any "server" services, including ssh. So port 22 will only be open when I need it. Most customers don't care anyway.

Why is this more secure... (4, Insightful)

TheSHAD0W (258774) | more than 10 years ago | (#8863949)

Than a single coded UDP packet?

portknocking.org (5, Informative)

trip23 (727132) | more than 10 years ago | (#8863955)

You'll find some more stuff on http://www.portknocking.org [portknocking.org] ...

Secrets are not security (1, Redundant)

MojoRilla (591502) | more than 10 years ago | (#8863965)

Repeat after me...secrets are not security.

Lazy programmers and closed source shops use methods like this to say they are secure when they are not.

This can be detected and defeated by packet sniffing. So ISPs would be able to find them pretty easily.

sounds like... (1, Funny)

beni1207 (603012) | more than 10 years ago | (#8863973)

is this at all related to fart knocking [neu.edu] ? Because I spent a good deal of my time in jr. high school learning all about that....

Time based defenses (5, Interesting)

frenztech (302220) | more than 10 years ago | (#8863974)

I remember talking about port knocking and its inherent sniffing vulnerability previously.

Basically, if someone can sniff the sequence of packets, they can get your static knock sequence.

However, if you base it on their IP perhaps, or add in a timestamp (ie, on this date, at this time, you must do this sequence) then it would make port knocking a much more effective method of deceiving attackers.

You could also do something where knock sequence would be a form of one time password. So you would have a list of valid knocks that could only be used in order. Each person could be given a "block" of these one time passes, or the sequences could be generated on the fly as other current implementations of one time keys are.

There are lots of great possibilities, if only I were smart enough to think of them ;) I'm currently implementing a c++ networking class for a project with port-knocking built in, and it uses the timestamp method. (Of course, they all have to compute the timestamp for one zone, GMT or wherever)
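Added example, not code from any of the posters: DarkMan's hash-of-IP-plus-password idea, brettbender's time-dependent sequence and frenztech's timestamp/one-time-password variants all boil down to the same thing, so here is one Python sketch of it. The knock ports are derived with HMAC-SHA256 over a user id, the client's source address and the current time window, so a sniffed sequence expires with the window and is only valid from the address it was bound to. The secret, addresses, window length and port range are constructed for the demo; the server is assumed to know which user a source address claims to be (in a real system it would try each registered user's secret).

```python
# Constructed example: time-windowed, source-bound knock sequences via HMAC.
# Not from knockd or from any post above; key, addresses and window are assumed.
import hashlib
import hmac
import ipaddress

WINDOW_SECONDS = 30          # assumed: both sides round time down to this window
KNOCK_LENGTH = 4             # number of ports in a derived sequence
PORT_BASE = 10000            # derived ports land in [PORT_BASE, PORT_BASE + 32768)


def derive_knock(secret: bytes, src_ip: str, user_id: str, window: int):
    """Ports = 4 x 15-bit chunks of HMAC-SHA256(secret, user | ip | window).
    Binding the source IP means a spoofed knock can only open the port for the
    spoofed address; the user id avoids one shared password for everyone; the
    window number makes every sequence expire."""
    msg = b"|".join([
        user_id.encode(),
        ipaddress.ip_address(src_ip).packed,
        window.to_bytes(8, "big"),
    ])
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    ports = []
    for i in range(KNOCK_LENGTH):
        chunk = int.from_bytes(digest[2 * i:2 * i + 2], "big") & 0x7FFF
        ports.append(PORT_BASE + chunk)      # 15-bit chunk: no modulo bias
    return tuple(ports)


def client_knock(secret: bytes, src_ip: str, user_id: str, now: float):
    """What the client sends: the sequence for its own address and window."""
    return derive_knock(secret, src_ip, user_id, int(now) // WINDOW_SECONDS)


def server_verify(secret: bytes, src_ip: str, user_id: str, observed,
                  now: float, slack: int = 1) -> bool:
    """Accept an observed sequence (from src_ip, as seen on the wire) if it
    matches the current window or one adjacent window, to absorb clock skew
    and knocks that straddle a window boundary."""
    current = int(now) // WINDOW_SECONDS
    for w in range(current - slack, current + slack + 1):
        if tuple(observed) == derive_knock(secret, src_ip, user_id, w):
            return True
    return False


def run_demo():
    secret = b"constructed-demo-secret-not-for-real-use"
    ip, user = "10.0.0.5", "alice"
    t0 = 1_700_000_000                       # constructed timestamp
    knock = client_knock(secret, ip, user, t0)
    # Seen from the same address within the window: accepted.
    fresh = server_verify(secret, ip, user, knock, t0 + 5)
    # Same sequence replayed an hour later (as a sniffer would): rejected.
    replayed = server_verify(secret, ip, user, knock, t0 + 3600)
    # Same sequence sent from another address: rejected, it is bound to 10.0.0.5.
    moved = server_verify(secret, "10.0.0.9", user, knock, t0 + 5)
    return fresh, replayed, moved


if __name__ == "__main__":
    print(run_demo())    # expected: (True, False, False)
```

Two caveats the thread itself raises still apply: within one window the sequence is as replayable as any cleartext token, so the window should be short and the firewall rule it opens should be bound to the source address that knocked; and the knock only gates reachability, so the service behind it (ssh, here) must keep its own authentication.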

Security through obscurity is a bad idea (0, Flamebait)

Anonymous Coward | more than 10 years ago | (#8863985)

That's all this is, and as many others are saying, not how I'd want my boxes protected.

That being said, I'm sure MS will find some way to package this into XP SP2's new firewall.

So how do you 'start' this? (3, Funny)

purduephotog (218304) | more than 10 years ago | (#8864013)

Do you type:

>/etc/rc.d/rc3.d/s95Knock UP

?

I'd knock CowboyNeals ports anyday (0)

Anonymous Coward | more than 10 years ago | (#8864024)

Yes I would.

Knocking (0)

Anonymous Coward | more than 10 years ago | (#8864028)

Fart Knocking?

So there I was (4, Funny)

ch-chuck (9622) | more than 10 years ago | (#8864032)

I'd just scp'd a new file to my ISP, ssh'd in to edit index.html, checked email, and then when I refreshed the page in http, suddenly I has root access!

Here's one implementation (1)

image53 (543653) | more than 10 years ago | (#8864039)

And this one doesn't rely on security through obscurity. Check it out: Port Knocking [slashdot.org]