Post 9vX08ONb4bIa0Ksaae by ckoul@fosstodon.org
Post #9vSpMvELr4XZodRPOq by mike@fosstodon.org
2020-05-27T06:49:33Z
0 likes, 0 repeats
Day 32 of the #100DaysToOffload series: Port knocking is really something I expected to take off like wildfire, but it never did. Hard to believe for such a cool idea. https://mikestone.me/port-knocking
Post #9vSt5V6A9yQJf7YjQ0 by ElectronStudio@fosstodon.org
2020-05-27T07:30:18Z
0 likes, 0 repeats
@mike I think it didn’t take off because it’s security through obscurity and so you can’t rely on it as your only authentication. You still need a password/key and if you want to increase security it’s easier to make the password longer than to implement port knocking. Also if you do control the firewall, in most cases it’s easier and safer just to whitelist IPs.
Post #9vT1h7Mje3c6h5l7Sa by ckoul@fosstodon.org
2020-05-27T09:07:33Z
0 likes, 0 repeats
@mike Maybe because it is susceptible to the same weakness as knocking with a pattern on an actual door. Nearby "listeners"! 👂 Sure it is an extra measure against certain categories of attacks but not a generic one.
Post #9vTHMMfx7tsDMWsF84 by d4klutz@fosstodon.org
2020-05-27T12:02:30Z
0 likes, 0 repeats
@mike wow! I have never heard of this. I wish it had taken off.
Post #9vTfqujrRXHYaunmW8 by mike@fosstodon.org
2020-05-27T16:37:39Z
0 likes, 0 repeats
@ElectronStudio It was never intended to be used as a singular means of authentication, and usernames and passwords were still required. Increasing the length of the password is completely separate and could still be done with a port knocking solution in place. For that matter, port knocking could still be used with a username and password and most of the modern day 2FA solutions in place. It's entirely distinct from all of them.
Post #9vTiOG55JVVeFckyQq by mike@fosstodon.org
2020-05-27T17:06:05Z
0 likes, 0 repeats
@ckoul A simple rotation of ports similar to what we see in a modern 2FA solution would solve that problem. Even if the "code" was in the clear, security wouldn't be worse than it is now. That's the part I don't understand about this. Every weakness that can be pointed out about port knocking doesn't make security worse than the current configuration, just the same.
Post #9vTo0tdrAvZvioGS2q by ataraxia937@fosstodon.org
2020-05-27T18:08:47Z
0 likes, 0 repeats
@mike Fun fact, the "knockd" implementation was written by Judd Vinet, who also founded Arch Linux.
Post #9vUlLzEzRr5oSmxT3g by ckoul@fosstodon.org
2020-05-28T05:14:01Z
0 likes, 0 repeats
@mike Then we're adding a little bit of complexity (communicate the pattern). Security is not worse in any case, as you point out, but the main threats that port knocking is good at (brute-force attacks and denial of service) are also easily handled by other means (fail2ban, LIMIT firewall rule). Is there another strong point in favor of port knocking I am missing?
Post #9vWtfJu42OjVzxotI8 by mike@fosstodon.org
2020-05-29T05:56:28Z
0 likes, 0 repeats
@ckoul Sorry about the slow response. Not feeling great right now and I'm falling behind. Strong point? Strong is subjective, but I would say that using a port knocking solution shields your systems from much of the "recon" that hackers do that wouldn't be caught by things like fail2ban. You can't tell if the OpenSSH service on the system is the one with the 0-day vulnerability because it's hidden from anybody that doesn't have the sequence.
Post #9vWtokZ2HaVdI9TrEW by pcrock@fosstodon.org
2020-05-28T05:47:40Z
0 likes, 0 repeats
@ckoul @mike The complexity point is valid. On a LAN I just want to run `ssh servername` and do my work with the usual security mechanisms. If the connection fails for some reason, I could see it being more difficult to troubleshoot with port knocking enabled. On the Internet, you're often dealing with dedicated firewall devices. I could see port knocking being more useful there, but you'd have to convince firewall vendors to support it. An alternative intriguing idea: Tor hidden services.
Post #9vWtokibi0AJlpxV9U by mike@fosstodon.org
2020-05-29T05:58:16Z
0 likes, 0 repeats
@pcrock The complexity is a fair point, but it's also fairly easy to work around since port knocking is so easy to automate. Earlier I saw a one-line script that automated a port-knocked SSH connection. Can't seem to find it now, because now would be the best time to have that reference, but such has been my day. @ckoul
Post #9vX08ONb4bIa0Ksaae by ckoul@fosstodon.org
2020-05-29T07:08:58Z
0 likes, 0 repeats
@mike I wish you'll feel great again after a good night's sleep! :) You're right that 0-day vulnerabilities are a +1 in favor of a port knocking implementation. I am trying to think of a relatively simple/robust way for my port-knocking service to communicate the periodically or rule-based changing pattern to several potential consumers (human operators, automated services, scripts, etc.) and can't come up with one; not implying there isn't. @pcrock
Post #9vXlsANGpSeFksFDrE by mike@fosstodon.org
2020-05-29T16:03:51Z
0 likes, 0 repeats
@ckoul I'd assume the technology and methods currently being used for many 2FA solutions would work quite nicely. Given a wide enough range of ports for the knocking solution, you could even grant access on a user-by-user basis, assuming you have a small enough user base. Obviously that would get less and less viable as the user base increased in size. Also, I'm still working on my first cup of coffee. That might not make sense at all later. @pcrock
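An added example (mine, not code from the thread, from knockd or from any of the posters) pulling together three points raised above: @mike's suggestion of a 2FA-style rotation of ports, the one-line automation of a port-knocked SSH connection, and @ckoul's question of how to get a changing pattern to several consumers. The sequence is derived TOTP-style from a shared secret and the current 30-second time step, so nothing but the secret has to be distributed, and every consumer (operator, script, service) that holds it derives the same ports. The server-side verifier tolerates one step of clock drift, resets on a wrong port and on a knock window that expires. The secret, the port range, the step length, the hostnames and the IP addresses are all constructed for the example; the verifier is fed observed connection attempts directly, where a real daemon would read them from the firewall log.

```python
import hashlib
import hmac
import socket
import struct

# Constructed parameters for this example (not taken from the thread).
KNOCK_LEN = 4                     # ports per knock sequence
PORT_LO, PORT_HI = 20000, 30000   # knock ports are drawn from [PORT_LO, PORT_HI)
STEP_SECONDS = 30                 # the sequence rotates every 30 s, TOTP-style


def knock_sequence(secret: bytes, counter: int) -> list:
    """Derive KNOCK_LEN distinct ports from HMAC-SHA256(secret, time-step counter).
    Client and server both run this with the same secret, so the 'pattern'
    never has to be communicated after the secret has been shared once."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha256).digest()
    ports, offset = [], 0
    while len(ports) < KNOCK_LEN:
        if offset + 4 > len(digest):
            # Extremely rare: every word consumed by collisions; extend the stream.
            digest += hmac.new(secret, digest, hashlib.sha256).digest()
        word = struct.unpack(">I", digest[offset:offset + 4])[0]
        port = PORT_LO + word % (PORT_HI - PORT_LO)
        if port not in ports:       # distinct ports keep the order meaningful
            ports.append(port)
        offset += 4
    return ports


class KnockVerifier:
    """Server side: a per-source state machine fed with observed connection
    attempts (a real daemon would read them from the firewall log)."""

    def __init__(self, secret: bytes, skew_steps: int = 1, window_seconds: float = 10.0):
        self.secret = secret
        self.skew = skew_steps          # tolerate +/- this many time steps of clock drift
        self.window = window_seconds    # the whole sequence must arrive within this window
        self.progress = {}              # src -> (counter, next_index, first_knock_time)
        self.opened = set()             # sources that completed a valid sequence

    def _candidates(self, now: float) -> dict:
        current = int(now // STEP_SECONDS)
        return {c: knock_sequence(self.secret, c)
                for c in range(current - self.skew, current + self.skew + 1)}

    def observe(self, src: str, port: int, now: float) -> bool:
        """Feed one observed SYN from `src` to `port` at time `now`.
        Returns True exactly when `src` completes a valid sequence."""
        cands = self._candidates(now)
        state = self.progress.get(src)
        if state is not None and now - state[2] > self.window:
            state = None                # too slow: start over
        if state is not None:
            counter, idx, t0 = state
            expected = cands.get(counter)   # None once that step has rotated out
            if expected is not None and expected[idx] == port:
                idx += 1
                if idx == KNOCK_LEN:
                    self.progress.pop(src, None)
                    self.opened.add(src)
                    return True
                self.progress[src] = (counter, idx, t0)
                return False
        # No state, or a wrong port: a wrong port resets progress, but may itself
        # be the first knock of a fresh sequence for any tolerated time step.
        for counter, expected in cands.items():
            if expected[0] == port:
                self.progress[src] = (counter, 1, now)
                return False
        self.progress.pop(src, None)
        return False


def send_knocks(host: str, ports: list, timeout: float = 0.5) -> None:
    """Client side: one TCP connect attempt per port, in order. Knock ports are
    normally dropped by the firewall, so the connect times out; the SYN that
    was sent is the knock."""
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError:
            pass
        finally:
            s.close()


if __name__ == "__main__":
    import subprocess
    import sys
    import time
    # The automated "knock then ssh" the thread mentions: python knock.py HOST
    if len(sys.argv) != 2:
        sys.exit("usage: knock.py HOST")
    secret = b"constructed-shared-secret"   # shared out of band, like a TOTP seed
    ports = knock_sequence(secret, int(time.time() // STEP_SECONDS))
    send_knocks(sys.argv[1], ports)
    subprocess.call(["ssh", sys.argv[1]])
```

The design choice worth noting is that the rotating sequence is a second factor only for an attacker who does not hold the secret; a passive observer on the path still sees the ports, but, as @mike says, what they learn is valid for one time step rather than forever. Distributing the secret to many consumers is the same problem as distributing a TOTP seed, which is why the same enrolment tooling fits.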
Post #9vZ7nDfDZ0k8eue4uW by Agentshadow@fosstodon.org
2020-05-30T07:43:43Z
0 likes, 0 repeats
@mike I'm a noob when it comes to Linux, but I do run a TeamSpeak server and would love to somehow figure out how to port knock the ports in my router with the TeamSpeak app and on the Windows computer.