

Why Not Use Port Knocking? (2012) - walterbell
http://bsdly.blogspot.com/2012/04/why-not-use-port-knocking.html

======
betaby
I have read that rather lengthy article and still didn't get the reason "why
not?". From the article "The amount of information an attacker would need to
get right, measured in number of bits or bytes is a fairly useful measure". So
yes, port knocking means one needs to know more bits in order to gain access.
If someone got the message, could you please provide points "why not?"

~~~
rnovak
From what I could gather, it's because most port knocking _examples_ use 3
port sequences, which boils down to 3 Unicode characters. Likening that to a
password, I think he's saying putting a layer of security in front of SSH,
protected only by a 3 character password, is not a great idea, and that he's
seen _slow_ brute force attacks that seem to be able to overcome such things.

(Edit: For what it's worth, when I tried out knockd, it supported arbitrary
port sequences, so you could easily have a 16 port sequence, making it as
robust as you want. Timing however, was quite a pain. I had to use specific
timeouts (relative to the RTT time from my network to my VPS), and manually
enter each port in the sequence).

Personally, I've found that whitelisting IPs for SSH access, as well as a
default block-all policy, disabled root login, and key authentication have
been enough to keep people out of my VPS.

Sure, seeing all of the denied traffic in the logs is annoying, but there's
not much you can do about that (other than not log it).

~~~
getsat
Changing the port to something other than the default (even to something
obvious like 22222) will get rid of all the log spam. You could also use
something like fail2ban, but changing the port is much simpler.

~~~
rnovak
oh yeah, sorry, I didn't mean to make it out like I was complaining. I log all
blocked traffic, so I get data related to ports other than just SSH. I was
more lamenting that people even _want_ to attack my VPS, as there's really
nothing interesting about it.

~~~
getsat
It's not people, though. It's bots! While changing the ssh port adds a
comically small amount of security (if any), it isolates you from 99.99% of
automated attacks and keeps those logs clean, so I'd recommend it for
everyone.

Just remember that the port argument to `scp` is -P and not -p like it is for
`ssh`. :p

~~~
rnovak
Yeah, I whitelist IPs, and just drop all other packets, so I'm not really
worried, but thanks for the advice, it's always good to get other people's
opinions on best practices.

------
michaelrash
Here is a rebuttal to the "why not" argument:

http://www.cipherdyne.org/blog/2013/10/port-knocking-why-you-should-give-it-another-look.html

------
kazinator
I stopped using port knocking simply because it made remote access a hassle.

Scanning logs for intrusions and banning offending IPs deals with approximately
the same locus of issues that port knocking does.

Now if you absolutely must have deathly silence in your SSH logs, then only
port knocking will do.

~~~
x0x0
I use iptables to ratelimit ssh connections to 4 per 300 seconds per ip. I
feel like that plus using a key provides a reasonable level of security while
not being a pita.

Open question -- is there any reason this is a bad idea?

~~~
kazinator
This is _all_ connections, even if every connection attempt from a given IP
succeeds?

It's not a bad policy overall, but of course it interferes with a legitimate
use: a script which rapidly executes numerous SSH commands.

~~~
x0x0
yes, all connections

things like scp and rsync recycle connections across files though, so it
hasn't been a problem in practice; ansible does too if you use openssh instead
of paramiko

ps -- if someone knows iptables well, and is willing to share a similar script
for failed connections, I would be grateful! But doing this across all ssh
connections was easy enough that even I managed to get it working.
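
An added example (not from the thread, and not x0x0's script): a model of the iptables `recent`-module rate limit x0x0 describes (4 new SSH connections per 300 seconds per source IP), together with the rule pair usually used to implement it, run over constructed traffic so the accept/drop decisions can be seen. The rule placement (INPUT chain, ahead of the rule that accepts port 22) and the sample IPs and timings are assumptions.

```python
# Added example, not from the thread: model of an iptables "recent" rate limit
# on new SSH connections (4 per 300 s per source IP, as x0x0 describes).
from collections import defaultdict


def iptables_rules(port=22, limit=4, window=300, name="SSH"):
    """Return the two INPUT-chain rules for `limit` new connections per
    `window` seconds.  The DROP rule fires on the (limit+1)-th hit, so
    --hitcount is limit + 1.  These must come before the rule that accepts
    port 22 (an assumption about the rest of the ruleset)."""
    hitcount = limit + 1
    return [
        f"iptables -A INPUT -p tcp --dport {port} -m conntrack --ctstate NEW "
        f"-m recent --set --name {name}",
        f"iptables -A INPUT -p tcp --dport {port} -m conntrack --ctstate NEW "
        f"-m recent --update --seconds {window} --hitcount {hitcount} "
        f"--name {name} -j DROP",
    ]


def simulate(events, limit=4, window=300):
    """Apply the recent-module semantics to (time, src_ip) tuples, each one a
    NEW connection (TCP SYN).  Rule 1 (--set) stamps every attempt, successful
    or not; rule 2 (--update --seconds --hitcount) drops when at least limit+1
    stamps fall inside the window and stamps the entry again on a match.
    The real module keeps a bounded ring of stamps per address; it is
    unbounded here for simplicity."""
    hitcount = limit + 1
    stamps = defaultdict(list)
    verdicts = []
    for t, ip in events:
        stamps[ip].append(t)                        # rule 1: --set
        recent = [s for s in stamps[ip] if t - s <= window]
        if len(recent) >= hitcount:                 # rule 2 matched
            stamps[ip].append(t)                    # --update refreshes the entry
            verdicts.append((t, ip, "DROP"))
        else:
            verdicts.append((t, ip, "ACCEPT"))
    return verdicts


def demo():
    """Constructed traffic: a scanner hammering port 22, a legitimate script
    running ssh in a loop (kazinator's case), an unrelated host, and the
    scanner returning after the window has elapsed."""
    events = (
        [(t, "198.51.100.7") for t in range(0, 60, 10)]   # 6 attempts in 50 s
        + [(100 + i, "203.0.113.10") for i in range(6)]   # 6 ssh commands in 5 s
        + [(120, "203.0.113.20")]                          # unrelated host
        + [(400, "198.51.100.7")]                          # scanner, >300 s later
    )
    return simulate(events)


if __name__ == "__main__":
    print("\n".join(iptables_rules()))
    for t, ip, verdict in demo():
        print(f"t={t:4d}  {ip:15s}  {verdict}")
```

Running `demo()` shows both sides of the exchange above: the scanner gets four accepts and then drops, but so does the script host, because the counter sees every NEW connection, not only failed logins; once the first stamps age past 300 seconds the scanner is accepted again. Reusing one connection (OpenSSH's ControlMaster multiplexing, or tools that keep a session open as x0x0 notes for scp and rsync) avoids tripping the counter.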

~~~
kazinator
I'm talking about have a shell script like:

    while whatever ; do
      # hit host with a ssh command numerous times in loop
      ssh user@host command ...
      ...
    done

Banning more than X failed connection attempts from an IP in Y minutes is done
with utilities like fail2ban, which wheedle that information from system logs.
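
An added example (not from the thread, and not fail2ban's code): the "more than X failed attempts from one IP in Y minutes" check that x0x0 asked for and that kazinator says fail2ban derives from the system logs, written as a small log-driven checker. The log lines are constructed in OpenSSH's `Failed password for ... from <ip> port <n> ssh2` format; the thresholds (5 failures in 10 minutes) and the hostname are assumptions.

```python
# Added example, not from the thread: count failed SSH logins per source IP
# inside a sliding window over sshd log lines, the way a fail2ban-style
# filter does, and report which sources cross the threshold.
import re
from collections import defaultdict, deque
from datetime import datetime

# OpenSSH's rejected-password message with a classic syslog prefix (no year).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+ ssh2$"
)

# Constructed auth-log excerpt: one scanner, one user with a typo, one stray hit.
SAMPLE_LOG = """\
Apr 14 03:05:12 vps sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2
Apr 14 03:05:15 vps sshd[2203]: Failed password for invalid user admin from 198.51.100.7 port 40130 ssh2
Apr 14 03:05:19 vps sshd[2205]: Failed password for root from 198.51.100.7 port 40141 ssh2
Apr 14 03:05:22 vps sshd[2207]: Failed password for root from 198.51.100.7 port 40150 ssh2
Apr 14 03:05:26 vps sshd[2209]: Failed password for invalid user oracle from 198.51.100.7 port 40162 ssh2
Apr 14 03:05:30 vps sshd[2211]: Failed password for invalid user test from 198.51.100.7 port 40170 ssh2
Apr 14 03:07:41 vps sshd[2215]: Accepted publickey for alice from 203.0.113.10 port 51002 ssh2
Apr 14 03:09:02 vps sshd[2218]: Failed password for alice from 203.0.113.10 port 51010 ssh2
Apr 14 03:09:08 vps sshd[2220]: Failed password for alice from 203.0.113.10 port 51014 ssh2
Apr 14 03:45:00 vps sshd[2301]: Failed password for root from 198.51.100.9 port 40000 ssh2
"""


def parse_failures(lines, year=2012):
    """Yield (datetime, ip) for each failed-password line; other lines are
    skipped.  Syslog omits the year, so the caller supplies it."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"]


def offenders(lines, max_failures=5, window_minutes=10):
    """Return {ip: time_of_ban} for sources with more than `max_failures`
    failures inside any `window_minutes` span (per-IP sliding window).
    Unlike a connection-count limit, successful logins never count."""
    window = window_minutes * 60
    recent = defaultdict(deque)
    banned = {}
    for ts, ip in sorted(parse_failures(lines)):
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:   # drop stamps outside window
            q.popleft()
        if len(q) > max_failures and ip not in banned:
            banned[ip] = ts
    return banned


if __name__ == "__main__":
    for ip, when in offenders(SAMPLE_LOG.splitlines()).items():
        print(f"ban {ip} (threshold crossed at {when:%H:%M:%S})")
```

The scanner crosses the threshold on its sixth failure; alice's two typos and the single hit from the other host do not. The actual blocking step (an iptables DROP rule or a `recent` list entry for the returned IPs) is left to the caller, as is the log follow loop; fail2ban itself additionally unbans after a configurable time, which this checker omits.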

