[olug] Portknocker (from OLUG mtg/presentation)

Thom Harrison id4spam at cox.net
Thu Jun 3 02:27:57 UTC 2004


Jay,

From www.portknocking.org:

"Without being able to determine the sequence by probing,
intercepting the sequence by listening to network traffic is another
method that can be employed. If you are knocking on your server and
someone monitors your connection attempts they could duplicate your
knock and gain access. This vulnerability can be addressed by (a)
incorporating the IP to be allowed in in the knock sequence and (b)
encrypting the knock sequence. If this is done, even if the sequence is
intercepted and executed by a third-party there would be no harm since
the encrypted IP address has not been altered. In order for the IP
address to be modified, the knock sequence would have to be decrypted,
using knowledge about the method of encryption - very unlikely. Maximum
protection can be achieved by using one time pads for encryption of the
knocks.

In the unlikely event that someone gains knowledge of a knock
sequence and gains access to an open port, they are still faced with
getting past the authentication required by the listening application.
Port knocking is an additional security layer and does not replace
existing application security. It provides a stealthy way to carry out
network authentication in complete privacy. If encrypted knocks are
used, an additional level of protection is achieved, hardening any
network host's services against attacks."  - Martin Krzywinski



The newest portknocking script that Martin has can also factor in some unit of time (month, day, hour, etc.) that further inhibits the usefulness of capturing your portknocking sequences. What works one hour won't work the next, even from the same location.

Thom


Thom Harrison wrote:

> Jay,
>
> Good question. By encoding the client's IP within the knock sequence, 
> you're ensuring that the same sequence of numbers can't be used 
> elsewhere successfully. For instance, if you'd recorded the sequence 
> of numbers I'd sent at the OLUG meeting and retransmitted them from 
> your home it would only allow the OLUG meeting site to connect.
>
> Basically, the server allows access to the IP encrypted within the 
> sequence, totally disregarding the actual source IP.
>
> Without the IP being encrypted within the sequence, what's to keep the 
> same knock sequence from working at another location?
>
> Using my knockmenu script, I could actually authorize access for an IP 
> other than my own by entering (your home's IP, for instance) as the 
> client IP. This would allow you to access my knock server.
>
> Thom
>
> Jay Hannah wrote:
>
>>
>> Hey, wait a minute...
>>
>> Why does the client need to figure out its IP?
>>
>> The daemon just received the knock -- why doesn't it just open up 
>> connections from whatever IP knocked successfully?
>>
>> j
>>
>> _______________________________________________
>> OLUG mailing list
>> OLUG at olug.org
>> http://lists.olug.org/mailman/listinfo/olug
>>
>
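
The scheme discussed in this thread, sketched as an added example (it is not Martin Krzywinski's script or Thom's knockmenu): the knock carries the encrypted IP to allow, plus a tag bound to the current hour, and the server never looks at the packet source. The key, port mapping, one-hour window and the HMAC-derived keystream standing in for a real cipher are all assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress
import struct

BASE_PORT = 40000  # assumption: each knock port is BASE_PORT + one byte value
WINDOW = 3600      # assumption: a knock is valid only within its clock hour
TAG_LEN = 4        # truncated MAC bytes appended after the encrypted IP


def _material(key, bucket, ip_bytes):
    """Derive the per-window keystream and the tag over (window, IP)."""
    b = struct.pack(">Q", bucket)
    stream = hmac.new(key, b"stream" + b, hashlib.sha256).digest()[:4]
    tag = hmac.new(key, b"tag" + b + ip_bytes, hashlib.sha256).digest()[:TAG_LEN]
    return stream, tag


def make_knock(key, allow_ip, now):
    """Client side: port sequence authorizing allow_ip for the current window."""
    ip_bytes = ipaddress.IPv4Address(allow_ip).packed
    stream, tag = _material(key, now // WINDOW, ip_bytes)
    enc_ip = bytes(a ^ b for a, b in zip(ip_bytes, stream))
    return [BASE_PORT + x for x in enc_ip + tag]


def check_knock(key, ports, now):
    """Server side: return the IP to allow, or None if the knock is invalid.

    The source address of the knock packets is deliberately not an input:
    only the IP carried inside the sequence is ever authorized, so a replay
    from another location opens nothing for the replaying host.
    """
    if len(ports) != 4 + TAG_LEN or any(not 0 <= p - BASE_PORT <= 255 for p in ports):
        return None
    raw = bytes(p - BASE_PORT for p in ports)
    bucket = now // WINDOW
    stream, _ = _material(key, bucket, b"")
    ip_bytes = bytes(a ^ b for a, b in zip(raw[:4], stream))
    _, tag = _material(key, bucket, ip_bytes)
    if not hmac.compare_digest(tag, raw[4:]):
        return None  # stale window, wrong key, or altered sequence
    return str(ipaddress.IPv4Address(ip_bytes))
```

A knock generated just before the hour boundary expires at the boundary; whether the server also accepts the previous window is a deployment decision this sketch leaves out.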

