
Why Not Use Port Knocking? (2012) - srisa
http://bsdly.blogspot.in/2012/04/why-not-use-port-knocking.html
======
zippergz
I don't use port knocking, and I'm not convinced anyone should. But something
bugs me about this kind of discussion.

There are two broad classes of attackers: targeted attackers, who specifically
want to get into your system, and script kiddies who are scanning broad swaths
of the Internet looking for an easy target. Most of these countermeasures,
like port knocking and moving sshd to a different port, do very little to
dissuade the first group. But they make you much less of a target for the
second group.

These discussions (and so many security discussions on the internet) make the
argument that unless something is effective against targeted attackers, it's
not worth doing. That's ridiculous. In the 20+ years I've been running
computers on the internet, targeted attackers are outnumbered by random scans
thousands to one. Of course, you'll say, any countermeasure that's good enough
to stop targeted attackers is good enough to stop these guys as well. And
that's true, but for two things:

1. I like my logging and alerting to intentionally be loud when a targeted
attacker is messing with my system. By raising the bar enough so that _only_
targeted attackers get through, I'm able to do that.

2. There have been zero-day vulnerabilities in probably most of the daemons
I've run over the years. And when those zero-days come, I inevitably get hit
with _random_ scans looking for vulnerable versions. Those are almost always
stopped cold by things as simple as running on a different port. I'd like to
think I'm pretty good at keeping up with vulnerability alerts and updating my
software when something like that happens, but simple changes that buy me a
little time aren't a bad thing.

~~~
lazyant
Completely agree, I have the same experience and reached the same conclusion
long ago.

------
tptacek
Obligatory: I think port knocking is really silly and you shouldn't waste time
with it. Disable root logins and password logins in SSH. If you have lots of
hosts running SSH, collapse them down to one exposed SSH bastion host. Then
get on with your life.

~~~
mathrawka
I once had a legitimate use case for port knocking. The network monitoring
software at Yahoo! Japan was very strict and you were not allowed to connect
to a system outside of their network via SSH. (Don't get me started on the
local spyware installed on everyone's Windows boxes... that was easy to inject
a DLL into and crash though.) Being extremely evil, I wanted to connect to my
home computer over SSH.

They had a loophole that the network monitoring system would trigger an alert
that gets manually verified. If the port was open, they could verify that it
was an actual SSH server. If the port was closed, they would write it off as a
false alarm.

~~~
spindritf
sslh[1] usually allows you to reach it even through fairly restrictive
firewalls. At least unless they have their certs installed and inspect ssl
traffic.

[1]
[http://www.rutschle.net/tech/sslh.shtml](http://www.rutschle.net/tech/sslh.shtml)

~~~
icebraining
They don't need to have certs installed, since sslh doesn't actually tunnel
SSH-over-SSL, it just redirects the connection to the right daemon. Simply
pointing _ssh_ to that port would have given up the trick.

------
Sami_Lehtinen
I personally see port knocking with a cryptographic payload as just one tool in
layered security. I'm still wondering why people bother with horrible VPN/IPsec
junk with annoying clients. I've got something like 10 different clients
installed. It shouldn't be required at all, if systems and protocols are
already secure. You can use something like a TOTP key as the payload to open
ports up, or something more complex/secure if you want.

Afaik passwords aren't a bad option either. You should consider a password as a
shared secret blob, not as a password. It's as unlikely that someone is going
to guess a 256-bit password as it is that they guess any other 256-bit secret.
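As an added example (not code from the thread, and not fwknop's or any other knock daemon's code), the following Python sketches the "cryptographic payload" idea: a single authorizing packet carrying a client id, the port wanted, a timestamp and a nonce, authenticated with HMAC-SHA256 under a shared 256-bit key, which is exactly the "shared secret blob" view of a password above. It uses an HMAC over timestamp plus nonce rather than TOTP, so a captured packet cannot be replayed once the server has seen its nonce or once the time window has passed. The key, the client id, the port and the function and class names are all made up for the example.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed 256-bit shared secret for the example; a real deployment would
# provision one per client out of band.
SHARED_KEY = bytes.fromhex(
    "6f2d0c1b8a3e4f5d9c7b6a5e4d3c2b1a0f9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c"
)

WINDOW_SECONDS = 30  # accept a packet only if its timestamp is within +/- this


def build_knock(key, client_id, port, now=None, nonce=None):
    """Client side: serialise the request and append a hex HMAC-SHA256 tag.

    The tag is hex-encoded so the '.' separator cannot collide with a raw
    tag byte; client ids are assumed to contain no '.' either.
    """
    body = {
        "client": client_id,
        "port": port,
        "ts": int(now if now is not None else time.time()),
        "nonce": nonce if nonce is not None else secrets.token_hex(16),
    }
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    return payload + b"." + tag


class KnockServer:
    """Server side: verify the MAC first, then freshness, then replay."""

    def __init__(self, key, window=WINDOW_SECONDS):
        self.key = key
        self.window = window
        self.seen_nonces = {}   # nonce -> timestamp it was accepted with
        self.opened = []        # (client, port) pairs that were authorised

    def _expire(self, now):
        # A nonce older than the window would be rejected as stale anyway,
        # so the replay cache never has to grow without bound.
        self.seen_nonces = {
            n: t for n, t in self.seen_nonces.items() if now - t <= self.window
        }

    def verify(self, packet, now=None):
        now = int(now if now is not None else time.time())
        try:
            payload, tag = packet.rsplit(b".", 1)
        except ValueError:
            return False, "malformed"
        expected = hmac.new(self.key, payload, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(tag, expected):
            return False, "bad mac"        # nothing is parsed before this check
        body = json.loads(payload)
        if abs(now - body["ts"]) > self.window:
            return False, "stale"
        self._expire(now)
        if body["nonce"] in self.seen_nonces:
            return False, "replay"
        self.seen_nonces[body["nonce"]] = body["ts"]
        self.opened.append((body["client"], body["port"]))
        return True, "open"


if __name__ == "__main__":
    server = KnockServer(SHARED_KEY)
    packet = build_knock(SHARED_KEY, "laptop", 22)
    print(server.verify(packet))   # (True, 'open')
    print(server.verify(packet))   # (False, 'replay'): same packet seen again
```

The order of checks matters: the MAC is verified before the JSON is parsed, so an unauthenticated packet never reaches the parser, and the timestamp is checked before the nonce cache so that the cache only ever holds nonces from the live window.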

------
arethuza
Completely off topic - I find the term "Port Knocking" somewhat amusing as my
home village is Portknockie

[http://www.portknockiewebsite.co.uk/](http://www.portknockiewebsite.co.uk/)

[NB I say home as my family has been there pretty much forever, I live in
Edinburgh]

~~~
teh_klev
Heh...unusual to bump into another HN'er from the North East. My folks used to
do the family "Sunday Drive" through Portknockie then onwards to Cullen for a
fish supper or picnic on Cullen beach. I'm in Dunning now.

------
teddyh
> Title: Why Not Use Port Knocking?

For me, the answer is simple: It violates Kerckhoffs’s principle¹. If you want
more secret bits that users need to know in order to access your system,
_increase your password lengths_. If you want to keep log sizes manageable,
_adjust your logging levels_.

1)
[https://en.wikipedia.org/wiki/Kerckhoffs%27s_principle](https://en.wikipedia.org/wiki/Kerckhoffs%27s_principle)

~~~
spindritf
> If you want to keep log sizes manageable, adjust your logging levels.

Changing the port is a really good and simple fix. If you also drop packets to
closed ports instead of rejecting them, you slow the scan down enough that
only a targeted attack is likely to find your ssh port.

All that with no performance penalties, no cumbersome configuration, no
experimental software, with one change to one config file. I say do it.

~~~
teddyh
Changing port is the wrong solution to large log files. This seems obvious to
me, but maybe I can put forward another drawback of changing the port number:
_It is confusing_.

I mean, you could easily stop using the DNS and use raw IP addresses for
everything - this should cut down on your attacks and maybe even spam, right?
Nobody does this because it is insanely inconvenient, and ignores the solution
to this inconvenience which DNS is. Standardized port numbers exist for many
reasons - do not abandon them and create complexity for your fellows merely
for your personal convenience.

~~~
spindritf
> I mean, you could easily stop using the DNS and use raw IP addresses for
> everything - this should cut down on your attacks and maybe even spam,
> right?

No, it wouldn't. But you do have a point. And most sysadmins don't let just
anyone axfr their zone.

Like changing the port, it's not a security measure and it will inconvenience
someone every once in a while. Still, I don't need to advertise every host I
run.

Same with using a PO box or your provider's info for whois. It's not going to
deter anyone determined but it cuts down on some casual annoyances.

EDIT: Also, setting the port


    # ~/.ssh/config: per-host settings, so the non-standard port is typed once
    Host *.whatever.net
        IdentityFile ~/.ssh/whatever
        ServerAliveInterval 10
        Port 17022


in ssh config costs you nothing, one more line in a config you'd have to write
anyway.

~~~
teddyh
> it's not a security measure and it will inconvenience someone every once in
> a while

So _why do it_? And port knocking will inconvenience _every_ user, _all_ the
time.

> setting the port in ssh config costs you nothing

It costs complexity for _all users_ of the system. This includes you, all
other people using it, all servers and their services wanting SSH access, etc.
Standards are a _good_ thing.

------
Zenst
I've used it before, though this article seems to be fixated upon a fixed port
sequence and fairly compares that to a password layer that is futile, as
between you and the server you're knocking many people can see and know that
sequence, making it moot.

Which I agree with. But if you use a port sequence derived from an S/KEY, then
each port knock sequence is a one-time sequence never to be repeated.

It is a simple and dirty level of security using the much-hated obscurity
approach, but by varying the ports via an arranged S/KEY sequence you can move
it up a whole level. S/KEY is easy to do and worked well on an old old old Nokia
over 10 years ago as a little simple Java app, just using it to derive a port
sequence instead of a one-time password.

------
lazyant
I don't use port knocking but:

"all implementations had the downside of adding yet another piece of clearly
experimental software to my system along with somewhat convoluted procedures
for setting the thing up" what? you can add port knocking with literally 3
iptables rules, netfilter is a rock-solid proven piece of software.

"explain to me what problem this is supposed to solve." visibility: if target
cannot be found there's no target to attack; security by obscurity is good (as
long as security doesn't depend just on it).

I use a bastion host to ssh to my servers with a key and a different port (yes,
a different port is good; for a couple of sysadmins who cares we broke some
standard?)

~~~
teddyh
> for a couple of sysadmins who cares we broke some standard?)

<s> (. I think I'll change the protocol numbers of TCP and UDP to use each
others' numbers. Complete protection! No standard TCP/IP stack will be able to
connect! Yay! .) </s>

~~~
lazyant
I meant changing the ssh port from 22 to whatever, not breaking the protocols;
since it's internal use, who cares (I've found people who do). Actually you
only need to follow port standards for public-facing stuff, typically just DNS,
mail (pop, imap/s), http(s).

------
cperciva
I don't use port knocking because spiped is simpler and far more secure.

~~~
consonants
First I've heard of spiped/tarsnap, what makes it more secure?

~~~
cperciva
spiped and tarsnap are two different things -- spiped is a daemon for creating
encrypted pipes, and tarsnap is an online backup service.

Which do you want to know about?

------
srisa
_Each value is a 16-bit number, with a size of two bytes, or equal to two
ASCII characters or one Unicode character. Port knocking examples generally do
not run to more than three packets, which means that the minimum amount of
information a prospective attacker would need to get right in order to gain
access is six bytes, equal to six ASCII characters or three Unicode
characters._

Is the brute force effort being simplified too much? Wikipedia entry says this
about brute force attack on port-knocking: _As a stateful system, the port
would not open until after the correct three-digit sequence had been received
in order, without other packets in between.

That equates to a maximum of 655363 packets in order to obtain and detect a
single successful opening, in the worst case scenario. That's
281,474,976,710,656 or over 281 trillion packets. On average, an attempt would
take approximately 9.2 quintillion packets to successfully open a single,
simple three-port TCP-only knock by brute force._

~~~
thomaslangston
Could you clarify your maximum packets math? You may have left out a word or
two.

~~~
srisa
Maximum packet maths came from the wikipedia entry.
[http://en.wikipedia.org/wiki/Port_knocking](http://en.wikipedia.org/wiki/Port_knocking)
. First two paragraphs under the "Benefits" section.

~~~
thomaslangston
I see.

You wrote:

"That equates to a maximum of 655363 packets in order to obtain and detect a
single successful opening."

They wrote:

"That equates to a maximum of 65536 ^ 3 packets in order to obtain and detect
a single successful opening."

------
oakwhiz
I wonder if some port knocking schemes can be attacked using a De Bruijn
sequence. If the firewall only examines the last N potential knocks amongst K
ports, sent from a given IP address, then every possible combination of knocks
can be bruteforced in just K^N knocks (by taking into account the existence of
every permutation as a subsequence within the De Bruijn sequence) instead of
the more obvious (K^N)*N knock solution (naively trying each permutation in
sequence.)

[https://en.wikipedia.org/wiki/De_Bruijn_sequence](https://en.wikipedia.org/wiki/De_Bruijn_sequence)

------
gmuslera
fwknop (
[http://www.cipherdyne.com/fwknop/](http://www.cipherdyne.com/fwknop/) ) uses
a single connection try (with certificates, and that cannot be replayed even if
captured) to open a port. It adds another potential point of failure in your
chain of access, but if it is simple and well tested enough it could work as a
protection.

And the main reason to have port knocking (over, e.g., fail2ban) is not
stopping brute force attacks, but future vulnerabilities and exploits in
services that should not be used by the whole internet. If there are very few
persons or machines that should connect to a service (and the origin IPs are
not fully known, to enable just them in the firewall), putting fwknop or a
similar layer over those services should keep external people from even trying
to connect to those services.

And there actually have been vulnerabilities in ssh, vpns, puppet (a remote
code execution vulnerability for it has been patched this very week) and more
that could have been exploited before you knew about them.

Also, "plain" port knocking could be protected against brute force scanning by
having trap ports: if you hit them, your IP is blocked. That won't protect from
a MITM that sees how you connect (NSA at the very least), but it will prevent
scanning.
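As an added example (not code from the thread, and not from fwknop or any real knock daemon), the following Python ties together oakwhiz's De Bruijn observation above and the trap ports suggested here. It simulates a knock daemon that keeps only the last N knocks per source IP over K watched ports and opens when they equal the secret sequence, plays the De Bruijn sequence against it to show that every N-window is covered in K^N + N - 1 knocks instead of the naive K^N * N, and then configures one of the candidate ports as a trap so the same scan is blocked on its first wrong hit. The port numbers, the secret sequence, the IP addresses and all function and class names are made up for the example.

```python
from itertools import product


def de_bruijn(k, n):
    """Cyclic De Bruijn sequence B(k, n) over the alphabet 0..k-1.

    Textbook recursive (Lyndon-word) construction: the result has length
    k**n and, read cyclically, contains every n-symbol window exactly once.
    """
    a = [0] * (k * n)
    seq = []

    def db(t, p):
        if t > n:
            if n % p == 0:
                seq.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return seq


class KnockDaemon:
    """Toy knock daemon: remembers the last len(secret) knocks per source IP
    (counting watched ports only) and opens when they equal the secret.
    A hit on a trap port blocks the source for good."""

    def __init__(self, watched_ports, secret, trap_ports=()):
        self.watched = set(watched_ports)
        self.secret = list(secret)
        self.traps = set(trap_ports)
        self.history = {}      # ip -> sliding window of recent watched-port knocks
        self.blocked = set()
        self.opened = set()

    def knock(self, ip, port):
        if ip in self.blocked:
            return "blocked"
        if port in self.traps:          # trap port: one hit and the source is out
            self.blocked.add(ip)
            return "trapped"
        if port not in self.watched:
            return "ignored"
        hist = self.history.setdefault(ip, [])
        hist.append(port)
        del hist[:-len(self.secret)]    # keep only the last N knocks
        if hist == self.secret:
            self.opened.add(ip)
            return "open"
        return "closed"


def _run(daemon, ip, ports):
    """Send knocks in order; return +count on open, -count if trapped, 0 if neither."""
    sent = 0
    for port in ports:
        sent += 1
        result = daemon.knock(ip, port)
        if result == "open":
            return sent
        if result in ("trapped", "blocked"):
            return -sent
    return 0


def de_bruijn_attack(daemon, ip, candidate_ports):
    """oakwhiz's attack: K^N + N - 1 knocks cover every N-window over K ports."""
    k, n = len(candidate_ports), len(daemon.secret)
    symbols = de_bruijn(k, n)
    symbols += symbols[:n - 1]          # unroll the cycle so wrap-around windows are sent too
    return _run(daemon, ip, [candidate_ports[s] for s in symbols])


def naive_attack(daemon, ip, candidate_ports):
    """The obvious approach: each of the K^N sequences in full, N knocks apiece."""
    n = len(daemon.secret)
    knocks = [p for combo in product(candidate_ports, repeat=n) for p in combo]
    return _run(daemon, ip, knocks)


if __name__ == "__main__":
    ports = [1000, 1001, 1002, 1003]            # constructed: K = 4 candidate ports
    secret = [1002, 1000, 1003]                 # constructed: N = 3 knock sequence
    scanner = "198.51.100.9"                    # constructed attacker address
    print("de Bruijn:", de_bruijn_attack(KnockDaemon(ports, secret), scanner, ports))
    print("naive:    ", naive_attack(KnockDaemon(ports, secret), scanner, ports))
    trapped = KnockDaemon(ports, secret, trap_ports=[1001])
    print("with trap:", de_bruijn_attack(trapped, scanner, ports))
```

With K = 4 and N = 3 the De Bruijn scan is guaranteed to open the daemon within 66 knocks, the naive scan may need up to 192, and with port 1001 configured as a trap both scans are cut off on their first wrong knock, which is the whole point of gmuslera's suggestion: the trap does nothing against someone who already knows the sequence, but it turns an exhaustive scan into a self-inflicted block.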

------
utnick
I see port knocking as protection against an 0day sshd exploit instead of
protection against brute forcing.

The article didn't really mention that angle.

------
antocv
That was a lot of words to encourage use of the author's own tool instead of,
or perhaps even alongside, port knocking.

The article hasn't delivered any meaningful reason not to use port knocking
anyway, just a few straw-man arguments such as "most people only set up 3 port
sequences".

The idea presented though is an interesting one: run your ssh on one port, and
when that one authenticates with any method, only then allow connections to a
second ssh on another port, which has perhaps only then begun listening or
being allowed to accept connections from that specific uid, and if that
authenticates then the user is in. Like having two gates in front of a city
instead of a secret handshake with 16 port sequences, say.

