alexander Posted March 28, 2005

Imagine that a computer is your house: programs are all the utilities, users are the people that live there, windows are all the holes in the OS, and the size of the roof is the size of the GUI that it runs. Well, what are doors? Easy enough, those have to be ports, and each house has 65500 of them, some closed, some not, but they are there. In real life you can knock on a door in a sequence, and someone inside will realise that someone is knocking and may open the door, so is it possible to mimic the real-life behavior in the computer world? Of course, there is a Linux project called port knocking that allows you to do just that :)

"Port knocking (http://www.portknocking.org) is a method of establishing a connection to a networked computer that has no open ports. Before a connection is established, ports are opened using a port knock sequence, which is a series of connection attempts to closed ports. A remote host generates and sends an authentic knock sequence in order to manipulate the server's firewall rules to open one or more specific ports. These manipulations are mediated by a port knock daemon, running on the server, which monitors the firewall log file for connection attempts which can be translated into authentic knock sequences. Once the desired ports are opened, the remote host can establish a connection and begin a session. Another knock sequence may be used to trigger the closing of the port."

There are limitations though: "Port knocking as described here is one implementation of a more general idea. It is not necessary for the firewall log file to be involved in the process. A robust implementation interfaces with the server's IP stack more closely. Nor is it strictly necessary for the knocks to come as a series of connection attempts. For example, the knock may be encapsulated in the data payload of a single packet that is sent to a closed port."

So far there is a set of scripts for client and server. It is not an excuse to not have any more protection (otherwise you are just stupid), although guessing a sequence of ports is a lot harder than guessing a regular password (because instead of the 93 possible characters in a password you now have 65500 of them).
alexander Posted March 28, 2005

I guesstimate that to get to a sequence of 12345 from 11111 with 93 characters, it will take you approximately 821938 iterations of incrementing by 1, while the same thing with even 60000 ports will take 2.1600720018*10^14 (I again guess, I don't know the true math behind this (as I did not have time to research), so I used (a-1)*max_vals^4 + (b-1)*max_vals^3 + (c-1)*max_vals^2 + (d-1)*max_vals^1 + (e-1)*max_vals^0, which I came up with to model the program behavior, where (abcde) can be expressed as (12345), a representing 1, b-2, c-3, ... etc). If anyone wants to try it out, PM me and I'll send you the C++ program that does something similar to trying to bruteforce a portknock, only it outputs the sequence instead of constructing and sending the actual SYN packet (actually my computer times it all out because it thinks that the program enters an infinite loop after the CPU runs at 100% for a few minutes (ps: I tried it with 65500, you may get lucky with only 60000)) :). I also attached the Python script I used to generate the results above, because I can be wrong; someone who is more mathemagically inclined and has more free time on their hands may tweak it up and make it calculate it all out the right way to get the 100% correct results. Well, even then it won't help, as most brute-force attack scripts also use libraries of common keys, but that's not what's being discussed here...
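As an added note (not part of alexander's post): the formula above is the position of the sequence in a base-$N$ enumeration of all $k$-knock sequences, with $N$ the number of possible values per position and digits counted from 1,

$$\mathrm{index}(d_1 d_2 \dots d_k) = \sum_{i=1}^{k} (d_i - 1)\, N^{\,k-i}.$$

For $(1,2,3,4,5)$ and $N = 93$ this gives $0\cdot 93^4 + 1\cdot 93^3 + 2\cdot 93^2 + 3\cdot 93 + 4 = 804357 + 17298 + 279 + 4 = 821938$, and for $N = 60000$ it gives $60000^3 + 2\cdot 60000^2 + 3\cdot 60000 + 4 = 216\,007\,200\,180\,004 \approx 2.16 \times 10^{14}$, so both figures in the post are exact for that model. The space a blind search has to cover for a $k$-knock sequence is $N^k$: $93^5 \approx 6.96 \times 10^{9}$ for a 5-character password versus $65500^5 \approx 1.21 \times 10^{24}$ for a 5-port knock.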
nemo Posted April 7, 2005

interesting, but i'm wondering what additional benefits port-knocking gives you. at the moment, if i was to connect to your server, i'd connect to an established port and provide authentication information over an encrypted channel: anyone on the outside would know that i'd connected, but all authentication information would be hidden. port-knocking would, by necessity, be visible to anyone sniffing beyond your external firewall; much like someone standing around the corner, listening to the 'secret knock'. after they know the knock, we are back to whatever authentication mechanism (username / password, whatever) you already had in place. i would imagine something like this would give fits to most anomaly detection engines, unless you continued to use the same sequence of ports, at which point the secret knock really isn't all that secret anymore.
alexander Posted April 7, 2005

> interesting, but i'm wondering what additional benefits port-knocking gives you. at the moment, if i was to connect to your server, i'd connect to an established port and provide authentication information over an encrypted channel: anyone on the outside would know that i'd connected, but all authentication information would be hidden. port-knocking would, by necessity, be visible to anyone sniffing beyond your external firewall; much like someone standing around the corner, listening to the 'secret knock'. after they know the knock, we are back to whatever authentication mechanism (username / password, whatever) you already had in place. i would imagine something like this would give fits to most anomaly detection engines, unless you continued to use the same sequence of ports, at which point the secret knock really isn't all that secret anymore.

ok, the first thing that I see sort of wrong is with sniffing by the external firewall: on your personal box, you probably should block all incoming traffic unless it was requested by the systems on the inside, so sniffing past the wall would be problematic. Port knocking allows you to dynamically alter the firewall settings for a certain period of time (which you set), so for example if you want to ssh into your box, you would port knock; if you have a standalone wall, you'd forward a port to ssh on your server (and open it). If someone is scanning your network at that moment, they will be able to see the forwarded port open, and they'd be hitting your 22 on the server. You are absolutely correct about someone sniffing the SYN traffic coming into your box; you could however write a script to dynamically alter the knock every time you successfully connect and write it to a file on the server that you (as an admin) can cat to get the sequence.

Also, port knocking is only another security measure, not the only one that you should have on a server (because it would be plain stupid to use port knocking as the only protection ;)).
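The daemon side of what the portknocking.org quote describes (watching the firewall log for connection attempts and translating them into a knock sequence), as an added example that is not the project's code or alexander's scripts: it parses constructed iptables-style log lines, tracks each source's progress through the sequence with a timeout window, and resets a source on a wrong port so that a partial or out-of-order knock (such as the scanner in the sample) never gets the firewall rule. The log lines, addresses, sequence and the 2005 year used for parsing are all assumptions.

```python
import re
from datetime import datetime

# Constructed firewall log lines (not a real capture) of SYNs to closed ports:
# 203.0.113.7 sends the full knock 7000,8000,9000; 198.51.100.9 sends the first
# knock and then goes straight for port 22.
SAMPLE_LOG = """\
Mar 28 10:00:01 gw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.1 PROTO=TCP SPT=40001 DPT=7000 SYN
Mar 28 10:00:02 gw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.1 PROTO=TCP SPT=40002 DPT=8000 SYN
Mar 28 10:00:03 gw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.1 PROTO=TCP SPT=40003 DPT=9000 SYN
Mar 28 10:00:04 gw kernel: IN=eth0 SRC=198.51.100.9 DST=192.0.2.1 PROTO=TCP SPT=5001 DPT=7000 SYN
Mar 28 10:00:05 gw kernel: IN=eth0 SRC=198.51.100.9 DST=192.0.2.1 PROTO=TCP SPT=5002 DPT=22 SYN
"""
LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) .*SRC=(\S+) .*DPT=(\d+) ")

def parse(line):
    # (timestamp, src, dport) for a logged SYN, or None for any other line
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime("2005 " + m.group(1), "%Y %b %d %H:%M:%S")  # year assumed
    return ts, m.group(2), int(m.group(3))

class KnockDaemon:
    """Track each source's progress through the knock; report who completes it."""
    def __init__(self, sequence, window_seconds=10):
        self.sequence = list(sequence)
        self.window = window_seconds
        self.progress = {}  # src -> (knocks matched so far, time of last knock)

    def feed(self, line):
        rec = parse(line)
        if rec is None:
            return None
        ts, src, dport = rec
        matched, last = self.progress.get(src, (0, ts))
        if (ts - last).total_seconds() > self.window:
            matched = 0  # too slow: the partial knock expires
        if dport == self.sequence[matched]:
            matched += 1
        else:  # a wrong port discards the partial knock (it may restart the sequence)
            matched = 1 if dport == self.sequence[0] else 0
        self.progress[src] = (matched, ts)
        if matched < len(self.sequence):
            return None
        del self.progress[src]
        return src  # here the real daemon would add the firewall rule for src

def run(log_text, sequence, window_seconds=10):
    # sources that completed the knock, in log order
    d = KnockDaemon(sequence, window_seconds)
    return [s for s in map(d.feed, log_text.splitlines()) if s]
```

Rotating the sequence after each success, as alexander suggests, is just replacing `d.sequence` once `feed` returns a source.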
nemo Posted April 9, 2005

It seems like an awful amount of work for what you're trying to accomplish... Perhaps you could get the same effect from one packet, as described in the Loki whitepaper in Phrack. That would at least make it harder to see through the ordinary traffic on the outside.