
Re: Port Knocking on openBSD?



Magnus Bodin wrote:
> On Thu, Feb 05, 2004 at 05:58:09PM -0500, Rick Wash wrote:
> 
> 
> But if you don't want to expose any tcp-ports at all, that includes port 22 as
> well. And if you are on the move and cannot guarantee that ah/esp et al is even
> transported then one alternative is to hide.

Why should I care about exposed ports?  Security arises not out of how 
many ports are being shown or not shown, but rather how secure the 
services behind them are.  It doesn't matter if all my ports are open if 
the services running them have no security flaws (a pipe dream, but 
illustrates the point).

> 
> I personally don't like the "port-knocking" way of doing it and the
> implementation itself so I wrote a simple script myself that
> 
>     1. use Net::Pcap and listen for ICMP echo req.
>     2. if a valid combination of uid + one time password
>          flies by in the PAYLOAD of the ICMP, then insert ip in 
>          a special pf-table (so she will get access to tcp/22).
>     3. check regularly for table-entries that have had no valid connection
>        for a couple of minutes and remove them from the table.
> 
> Pretty trivial and effective and a good complement to authpf, actually. 
> If anyone is interested I can wrap it up in a package.

This is a far smarter idea than a port-knock (a poor idea at 
masquerading as a port scan), but still has the same problem: it's just 
obscuring things, and it may draw more attention than just making an SSH 
connection.  Why?  Because a ping packet large enough to contain a 
username and a one-time password is larger than most, and anyone 
monitoring your network, looking for a way in, will see that as a big 
red flag.

> 
> I trust OpenSSH as I trust my ASSA Twin-lock on my house, but only those who
> walk upfront my yard will be able to test their lock-picking abilities to it. 

Living back in the woods (which is what your little thing does), but it 
doesn't make it that much harder to find your house, if I have any desire 
to get in.
> 
> If it's possible to hide my tcp/22-port from occasional portscan-kiddies,
> that would be a way of lowering the risk even more.
> 

How?  What risk does it lower?  What do you lose from a portscan, 
besides a tiny bit of network traffic?  You still haven't explained how 
this increases the security of your box.

-- Adam
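The three-step ICMP-payload gate Magnus describes, modelled in Python as an added example (not his script, which was never posted to the thread): packets are constructed in memory rather than captured with Net::Pcap, the pf table is an in-memory dict with the matching pfctl actions noted in comments, and the one-time passwords are a per-user set of single-use tokens; all of these are assumptions of this illustration.

```python
import socket
import struct

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 for an intact message."""
    data += b"\x00" * (len(data) % 2)        # pad odd length
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo_request(src_ip: str, payload: bytes) -> bytes:
    """Constructed IPv4 + ICMP echo request (type 8); IP checksum left zero."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + payload
    icmp = icmp[:2] + struct.pack("!H", icmp_checksum(icmp)) + icmp[4:]
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                         socket.inet_aton(src_ip), socket.inet_aton("192.0.2.1"))
    return ip_hdr + icmp

def parse_echo_request(packet: bytes):
    # Step 1: return (src_ip, payload) for a well-formed echo request, else None.
    if len(packet) < 28 or packet[0] >> 4 != 4 or packet[9] != 1:
        return None
    icmp = packet[(packet[0] & 0x0F) * 4:]
    if len(icmp) < 8 or icmp[0] != 8 or icmp_checksum(icmp) != 0:
        return None
    return socket.inet_ntoa(packet[12:16]), icmp[8:]

class KnockTable:
    """Stand-in for the pf table: src ip -> time of last valid activity."""
    def __init__(self, otps: dict, idle_ttl: int = 120):
        self.otps = otps          # uid -> set of unused one-time passwords
        self.idle_ttl = idle_ttl  # "a couple of minutes" of inactivity
        self.table = {}

    def handle(self, packet: bytes, now: float) -> bool:  # step 2
        parsed = parse_echo_request(packet)
        if parsed is None:
            return False
        src, payload = parsed
        uid, _, otp = payload.decode("ascii", "replace").partition(":")
        if otp not in self.otps.get(uid, ()):
            return False
        self.otps[uid].discard(otp)  # single use, so a replayed knock fails
        self.table[src] = now        # real script: pfctl -t <table> -T add src
        return True

    def expire(self, now: float) -> list:  # step 3
        stale = [ip for ip, t in self.table.items() if now - t > self.idle_ttl]
        self.table = {ip: t for ip, t in self.table.items() if ip not in stale}
        return stale                 # real script: pfctl -t <table> -T delete ip
```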