Open phinjensen opened 7 years ago
original author: Haruchai
date: 2009-11-17T21:50:29-05:00
This is worth a read: http://www.cipherdyne.org/fwknop/
It argues for Single Packet Authorisation over knock sequences.
original author: Jon Jensen
date: 2009-11-17T23:18:07-05:00
Nice overview of port knocking, Greg. Aren't there port-knocking clients out there too, so you don't have to manually telnet to the ports in the right order?
I like to be careful about how I disallow access to a particular TCP port to the world. Simply dropping all packets makes a "hole" in the responses of your TCP ports which a port scanner can easily see.
Normally a TCP port without any listening service will send a TCP RST response, saying there's nothing there. Dropping the packet entirely says clearly "I'm blocking this with a firewall so it may be really interesting to investigate further".
For example, you could do something like:
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT
-A INPUT -j DROP
Using a default -j REJECT on a TCP port also results in abnormal behavior, sending an ICMP port unreachable reply instead of a TCP RST, hence separate rules for each protocol type.
Checking with nmap or similar, that looks a lot more like a server not specifically blocking port 22, but just not running sshd there.
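The three rules above, expanded into a complete filter table as an added example (this is not code from the blog post or from any commenter). It emits an iptables-restore ruleset that answers closed TCP ports with a RST and closed UDP ports with ICMP port unreachable, so that a port knockd has not yet opened looks like every other closed port, and it includes a small lint that counts the TCP DROP rules that would stand out as filtered. Assumptions: IPv4 and the filter table only, conntrack available, and that the per-client SSH ACCEPT rule is inserted dynamically by knockd ahead of the REJECT rules (with `iptables -I`, not `-A`, otherwise it lands after the REJECT and never matches).

```shell
#!/bin/sh
# Added example, not from the blog post or the comment thread.
# build_rules prints an iptables-restore ruleset applying the
# "consistent closed port" scheme discussed in the comments.
# Assumed: IPv4 filter table only; knockd inserts the SSH ACCEPT
# rule at the top of INPUT for the knocking client (hypothetical).
# Usage: ./rules.sh > rules.v4 && sudo iptables-restore < rules.v4
build_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback and already-established connections are always fine.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Malformed packets are dropped before any reply logic.
-A INPUT -m conntrack --ctstate INVALID -j DROP
# knockd inserts its per-client "-p tcp --dport 22 -j ACCEPT" here
# with -I INPUT 1, so it is evaluated before the REJECT rules below.
# Closed TCP ports answer with a RST, exactly as a bare stack would.
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
# Closed UDP ports answer with ICMP port unreachable (REJECT default,
# written out for clarity).
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
# Anything else (other IP protocols) is silently dropped.
-A INPUT -j DROP
COMMIT
EOF
}

# lint_tcp_drops reads a ruleset on stdin and prints how many INPUT
# rules DROP TCP traffic. Each such rule is a "hole" a scanner reports
# as filtered instead of closed; zero means the ruleset is consistent.
lint_tcp_drops() {
    grep -E '^-A INPUT .*-p tcp .*-j DROP' | wc -l | tr -d ' '
}

# Stand-alone use: print the ruleset, then report on it.
if [ "${0##*/}" = "rules.sh" ]; then
    build_rules
    echo "# tcp DROP rules: $(build_rules | lint_tcp_drops)" >&2
fi
```

Run `build_rules | lint_tcp_drops` against any saved ruleset to spot the mix of DROP and RST behaviour the discussion warns about; a constructed line such as `-A INPUT -p tcp --dport 22 -j DROP` is counted, the generated ruleset is not.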
original author: Greg Sabino Mullane
date: 2009-11-18T09:51:09-05:00
Haruchai, thanks for the link. The only thing I don't like about implementations such as that one is the need for a custom client to do the authentication. Whereas with generic port knocking you can use ping, telnet, and other standard tools likely to be on any box you are on. Looks like fwknop is a neat idea though.
original author: Greg Sabino Mullane
date: 2009-11-18T09:53:08-05:00
Jon, yes, knockd comes with a simple "knocker" client, but I prefer telnet as I don't have to worry about if the machine I happen to be on has knockd installed or not. Plus, I can make a bash alias, so it's not much typing at all.
Interesting example about the response, but overall I'm not too worried about revealing much extra information that way. These days, a server not running something on port 22 is already "interesting", no? :)
original author: Jon Jensen
date: 2009-11-18T10:39:23-05:00
Ok, Greg, then consider it an argument in favor of consistency. Do you really want to get a hanging connection attempt using ssh to the machine before you portknock, but get a normal immediate disconnect when going to other closed ports? It just feels lame to me to DROP certain ports but leave others at the default reset behavior.
original author: Greg Sabino Mullane
date: 2009-11-18T10:42:54-05:00
Jon:
I do love consistency in my servers (/me waves to puppetd). Point taken, I'll adapt your changes.
original author: Jon Jensen
date: 2009-11-18T10:59:34-05:00
Heh, ok.
I should note that half the reason I wrote about this here is I expect some reader to point out how the iptables rules I gave still make it possible to detect iptables' involvement, compared to a bare TCP stack. Come help me, internets! How can this be improved?
original author: Ezekiel
date: 2010-01-20T12:02:36-05:00
http://www.thoughtcrime.org/software/knockknock/
"knockknock is a simple, secure, and stealthy port knocking implementation that does not use libpcap or bind to a socket interface."
Very interesting.
Comments for https://www.endpointdev.com/blog/2009/11/port-knocking-with-knockd/ By Greg Sabino Mullane