# port knocking

## iplayfast

Slashdot recently had an article about the use of port knocking to aid security. Basically it uses a series of closed-port connection attempts to open a secure port which would not normally be open. http://www.linuxjournal.com/article.php?sid=6811&mode=thread&order=0 and www.portknocking.org have articles about it.

My question is, has anyone using Gentoo actually tried this, and are there any opinions as to how effective it is? It sounds good to me, but experience is often a better indicator.

If you have used it, how did you set it up? Any special tricks/conditions?

----------

## Immortal Q

I would love to try it - perhaps somebody with some free time could write a nice daemon? Something I could tie shell scripts to? I don't have enough programming/scripting experience to do it myself (yet) but I would be happy to debug and experiment with someone else's attempts.

----------

## triwebb1

There is a set of Perl scripts on portknocking.org. Click on "download" on the left side of the screen and then on the link to download. I would give it a shot, but I really don't have any use for it. I do like the concept though.

----------

## BlinkEye

Sounds like a good idea. I see one downside though: one must use his own custom config file. But there are so many possibilities for creating a port knocking sequence that it would really slow down an attack.

----------

## iplayfast

I recently read an article that explained that port knocking (which is accessing a sequence of open or closed ports in a predetermined order to open a closed port) is a system which relies on security through obscurity. If all computers used port knocking then the chances of a hacker trying to hack using port knocking go up, since it is the expected method of security. Assuming this, port knocking ends up being just a method of password, with the same security problems that normal passwords have.

I can see this, but I can also see an interesting solution. 

You leave the port open that specifies the date and time. You ask the "secure" computer for the time, and round to the nearest 5 minutes. Take this time as an integer and feed that through a CRC-type algorithm along with a machine's password. Use the resulting number as a seed to a random number generator, and access the ports specified by the first N digits returned by the random number generator, modified by an XOR of the machine's password on each digit.

This method is like having two passwords: the first is the machine's password, the second is derived by the datetime run through the CRC algorithm. As the datetime is always changing, the password is always changing as well.

Any thoughts?
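A worked version of the time-derived knock sequence described above, added here as an example (it is not code from the post or from any port knocking project). The slot width, knock count and port range are hypothetical choices. One deliberate substitution: the post's CRC-plus-PRNG step is replaced by a keyed HMAC-SHA256 over the rounded time, because a CRC is linear and an observer who captures a few sequences could work back to the seed; the rest (round the clock to 5 minutes, derive N ports, both sides compute the same thing) follows the post.

```python
import hashlib
import hmac

# Constructed parameters for this example; the post leaves them to the
# implementer.  "Round to the nearest 5 minutes" -> 300-second slots.
WINDOW_SECONDS = 300
KNOCK_COUNT = 4                      # the post's "first N" ports
PORT_LOW, PORT_HIGH = 1024, 65535    # assumed knockable range (hypothetical)


def time_slot(unix_seconds: float, window: int = WINDOW_SECONDS) -> int:
    """Round a Unix timestamp to the nearest `window` seconds (the post's first step)."""
    return int(round(unix_seconds / window)) * window


def knock_sequence(secret: bytes, slot: int, count: int = KNOCK_COUNT) -> list:
    """Derive the knock ports for one time slot.

    The post feeds (time, password) through a CRC and seeds a PRNG with the
    result.  Here a keyed HMAC-SHA256 over the slot replaces that CRC+PRNG
    step: the output cannot be inverted to recover the password, and each
    2-byte chunk of the digest yields one port.
    """
    if not 1 <= count <= 16:
        raise ValueError("a SHA-256 digest yields at most 16 two-byte ports")
    digest = hmac.new(secret, str(slot).encode(), hashlib.sha256).digest()
    span = PORT_HIGH - PORT_LOW + 1
    return [PORT_LOW + int.from_bytes(digest[2 * i:2 * i + 2], "big") % span
            for i in range(count)]


def verify_knocks(secret: bytes, observed: list, now: float, skew_slots: int = 1) -> bool:
    """Server side: accept the sequence for the current slot or its neighbours.

    Allowing +/- `skew_slots` tolerates clock drift and a client whose knocks
    straddle a slot boundary; the sequence still expires after a few minutes.
    """
    base = time_slot(now)
    for k in range(-skew_slots, skew_slots + 1):
        if observed == knock_sequence(secret, base + k * WINDOW_SECONDS):
            return True
    return False


if __name__ == "__main__":
    import time
    secret = b"constructed-example-secret"
    slot = time_slot(time.time())
    seq = knock_sequence(secret, slot)
    print("knock", seq, "for slot", slot, "->", verify_knocks(secret, seq, time.time()))
```

The client computes `knock_sequence` with the same secret and its own clock, then makes one connection attempt per port in order; the daemon computes the candidates for the current and adjacent slots and compares. A captured sequence is only useful for about one slot, which is what the post means by the password "always changing". The secret still has to be distributed out of band, exactly like an ordinary shared password.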

----------

## nielchiano

 *iplayfast wrote:*   

> I recently read an article that explained that port knocking (which is accessing a sequence of open or closed ports in a predetermined order to open a closed port) is a system which relies on security through obscurity. If all computers used port knocking then the chances of a hacker trying to hack using port knocking go up, since it is the expected method of security. Assuming this, port knocking ends up being just a method of password, with the same security problems that normal passwords have.

 

True, but with one difference: there is no way a hacker can know what is going on... a portscan won't return anything, since a good knocking daemon should detect those and not do a thing (hopefully no one will be stupid enough to take sequence 18,19,20,21 to open 22).

So in order to just SEE what the machine is running, he has to try ALL ports (65535 possibilities) with ALL knocking sequences (say exactly 2 knocks, that gives 4294836225 possibilities PER PORT = 281462092005375).

And this with a reasonable time in between.

If the daemon says, e.g.: if more than 4 packets are received per second that do not form a sequence, ignore for 5 minutes; the attacker can only try 2 possibilities per second, which would take a little more than 4462552 years.

So, yes, it's like a password, but one typed on a keyboard with 65535 keys on it, arbitrary length and limited typing speed...

Sure you can brute force it, but you'd better start to think about children and great-great-great-grandchildren  :Wink: 

For reference:

A 1-knock sequence is:

- better than a 'letters-only' password of length 3
- better than a 'lEttErS-WitH-CaPS' password of length 2
- better than a 'l3ttErs-W1th-d1GitS' password of length 2

A 2-knock sequence is:

- better than a 'letters-only' password of length 10
- better than a 'lEttErS-WitH-CaPS' password of length 8
- better than a 'l3ttErs-W1th-d1GitS' password of length 8

A 20-char 'l3ttErs-W1th-d1GitS' password is better than a 7-knock sequence.

PS: THE ABOVE CALCULATIONS ARE MADE UNDER THE ASSUMPTION THAT PASSWORDS/SEQUENCES ARE RANDOM; brute-forcing is trying every possible combination, and the right one might as well be the first one they try.
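The search-space arithmetic from the post above, written out as an added example (not the poster's code) so the numbers can be re-run with a different knock length, port range or rate limit. The post's 2-knock figure multiplies the number of sequences by the 65535 candidate target ports, while its 1-knock and 7-knock comparisons count sequences only; the example exposes both as `scan_space` and `sequence_space`. A 365-day year is assumed for the time estimate.

```python
import math

PORTS = 65535          # the post's "keyboard with 65535 keys"
LETTERS = 26           # 'letters-only'
LETTERS_CAPS = 52      # 'lEttErS-WitH-CaPS'
LETTERS_DIGITS = 62    # 'l3ttErs-W1th-d1GitS'


def sequence_space(knocks: int, ports: int = PORTS) -> int:
    """Number of distinct knock sequences of exactly `knocks` knocks."""
    return ports ** knocks


def scan_space(knocks: int, ports: int = PORTS) -> int:
    """The post's 'ALL ports with ALL sequences' figure: every sequence of
    `knocks` knocks tried against every port it might be opening."""
    return sequence_space(knocks, ports) * ports


def years_to_exhaust(combinations: int, attempts_per_second: float) -> float:
    """Worst-case time to try every combination at a rate-limited pace."""
    return combinations / attempts_per_second / (365 * 86400)


def password_length_beaten(combinations: int, alphabet_size: int) -> int:
    """Longest password over `alphabet_size` symbols that still has fewer
    combinations than the knock space (the post's 'better than length n')."""
    n = 0
    while alphabet_size ** (n + 1) < combinations:
        n += 1
    return n


def entropy_bits(combinations: int) -> float:
    """The same comparison in bits, the usual unit for password strength."""
    return math.log2(combinations)


if __name__ == "__main__":
    two_knocks = scan_space(2)
    print(f"{two_knocks} combinations, {years_to_exhaust(two_knocks, 2):,.0f} years at 2/s")
    for name, size in (("letters", LETTERS), ("caps", LETTERS_CAPS), ("digits", LETTERS_DIGITS)):
        print(f"{name}: 2 knocks beat a password of length {password_length_beaten(two_knocks, size)}")
```

The "years" figure only holds if the daemon really enforces the per-source rate limit and the sequence is random rather than something guessable like consecutive ports; the entropy function makes the comparison with ordinary password policy (for example a 60-bit minimum) easy to read.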

----------

## kalisphoenix

I've developed a recent interest too after worms decided to check how much of a dork I was (i.e., checking for usernames with matching passwords, heh).

iplayfast, I dig your idea.

----------

## iplayfast

nielchiano, you are right (with one minor correction). You can't use all 65535 ports in port knocking since you might actually want some of those for other reasons.

But your explanation certainly made sense to me.

I am in no way a security expert. So I leave that to others who have much more experience than I.

----------

## nielchiano

 *iplayfast wrote:*   

> nielchiano You are right.

 

of course i am  :Wink:   :Razz:   :Laughing: 

 *iplayfast wrote:*   

> (With one minor correction). You can't use all 65535 ports in port knocking since you might actually want some of those for other reasons.

 

Partially true: there is absolutely no reason why you can't "knock" on an open port; sure, the service will respond, but the knocking daemon will see your "knock".

But you're right that knocking on an open port isn't ideal... but it's possible.

----------

## pianosaurus

 *nielchiano wrote:*   

> Partially true: there is absolutely no reason why you can't "knock" on an open port; sure, the service will respond, but the knocking daemon will see your "knock".
> 
> But you're right that knocking on an open port isn't ideal... but it's possible.

 

It's not ideal, but that actually makes the idea even better (assuming that it isn't a problem for the service on the open port). An intruder would be right more often than not when assuming that an open port is not used for knocking.

I'm going to implement this on my server right now. I also thought I'd add a ping to the knock sequence (that will be answered). This ping will have to be padded with a preset amount of bytes, and my script will check the size of the packet.

Also, I will not log it to a file to have a script tail it. Instead, I'm going to tell syslog-ng to forward those firewall logs directly to a script.

Any thoughts on this?

----------

## nielchiano

 *PingPong wrote:*   

> Any thoughts on this?

 

yes: send it to me when it's (almost) done!

looks good

----------

## pianosaurus

 *nielchiano wrote:*   

>  *PingPong wrote:*   Any thoughts on this? 
> 
> yes: send it to me when it's (almost) done!
> 
> looks good

 

Will do  :Smile: 

----------

## pianosaurus

 *PingPong wrote:*   

> Will do 

 

I take that back. There's not much point. This seems to do pretty much what I had in mind.

I think I'm going to make something that enables me to open a port simply by using the ping command. This would enable my server users to open ports from Windows too, by generating packets of a certain size in a certain sequence (that might change with the time/date) without the need for a special client.

That happens tomorrow. Now I'll need some sleep. I'll post my results.

----------

## steelrat

No offence, but it sounds like you're missing the point.

Besides, most popular scanning methods start with an ICMP echo to check to see if the host is up.

Looks like at the end of the day you have a couple of interesting options:

cryptknock, which uses an encrypted knock to make the knock invulnerable to replay attacks.

or

doorman, which is the more usual type of portknocker and even has Windows clients.

..or go to portknocking.org and grab some Perl.

Please do have an idea of why you want to do port knocking though   :Cool: 

----------

## Valhlalla

This is a good idea. I would also stress the part that you can add all sorts of common attack attempts to a list of banned IPs. This makes the brute force approach very unappealing.

[edit] Particularly because you won't know at what point you have been locked out and for how long. So you might, say, try ports 1,2,3,4 and that locks you out. Then you try 2,4,3,1, say that is the correct knock, but you still have to try that again 1 hour later for it to open a port. Very unlikely.

----------

## pianosaurus

 *steelrat wrote:*   

> no offence, but it sounds like you're missing the point.

 

My point is certainly different from ordinary port knocking, but if everyone needs a client to port knock, it's useless on systems that need to be accessed from a random computer in the field (which is what I need).

 *steelrat wrote:*   

> besides, most popular scanning methods start with an icmp echo to check to see if the host is up.

 

Yes. I'm sure they ping you with a sequence of differently sized packets too, just in case it matters, right? Wrong.

Of course I rely on the assumption that an intruder wouldn't know I used this technique. But I also think that would be a pretty safe assumption.

----------

## nyteryda

You have to be careful with your (and the daemon's) code though, or you will end up creating a good way for a DoS attack because you will be processing more heavily on portscans.

Also a buffer overflow would be hilarious, as people could be able to break into a system with no open ports... (but that would just be stupid)

----------

## pianosaurus

 *nyteryda wrote:*   

> You have to be careful with your (and the daemon's) code though, or you will end up creating a good way for a DoS attack because you will be processing more heavily on portscans.
> 
> Also a buffer overflow would be hilarious, as people could be able to break into a system with no open ports... (but that would just be stupid)

 

Good point. iptables helps out there. Limit the log chain to a few packets every second. You might lose some information, but it's better than getting DoS attacks.
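An added example (not code from any poster or project) that ties together several points in this thread: pianosaurus's plan of having syslog-ng hand firewall log lines straight to a script, nielchiano's rule of ignoring a source for 5 minutes once it sends more than 4 non-sequence packets in a second, and Valhlalla's observation that a locked-out source gets no signal and its correct knock is silently dropped. The knock sequence, timeouts, the `KNOCK:` log prefix and the addresses (RFC 5737 documentation ranges) are all constructed for the example; the log lines imitate iptables LOG output with ISO timestamps.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime

# Constructed policy for this example (hypothetical values):
SEQUENCE = [7000, 8000, 9000]   # knock ports, in order
SEQ_TIMEOUT = 10.0              # seconds allowed from first to last knock
STRIKE_LIMIT = 4                # nielchiano's "more than 4 packets per second"
STRIKE_WINDOW = 1.0
LOCKOUT = 300.0                 # "ignore for 5 minutes"

# Matches iptables LOG output as syslog-ng would hand it to a script.
# "KNOCK:" is the assumed --log-prefix of the logging rule.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) .*?KNOCK: .*?SRC=(?P<src>[\d.]+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)"
)


@dataclass
class SourceState:
    progress: int = 0                 # how many knocks of SEQUENCE matched so far
    started: float = 0.0              # timestamp of the first matching knock
    strikes: list = field(default_factory=list)   # timestamps of non-sequence packets
    locked_until: float = 0.0


class KnockMatcher:
    def __init__(self, sequence=SEQUENCE):
        self.sequence = list(sequence)
        self.sources = {}
        self.opened = []              # (src, timestamp) of completed sequences

    def feed_line(self, line: str) -> str:
        """Parse one log line and return what the matcher did with it."""
        m = LOG_RE.search(line)
        if not m:
            return "ignored"
        ts = datetime.fromisoformat(m["ts"]).timestamp()
        return self.knock(m["src"], int(m["dpt"]), ts)

    def knock(self, src: str, port: int, ts: float) -> str:
        st = self.sources.setdefault(src, SourceState())
        if ts < st.locked_until:
            return "locked"           # dropped silently; the sender learns nothing
        if st.progress and ts - st.started > SEQ_TIMEOUT:
            st.progress = 0           # too slow: start over
        if port == self.sequence[st.progress]:
            if st.progress == 0:
                st.started = ts
            st.progress += 1
            if st.progress == len(self.sequence):
                st.progress = 0
                self.opened.append((src, ts))
                return "open"         # a real daemon would add the firewall rule here
            return "progress"
        # Any other port resets the sequence and counts as a strike; too many
        # strikes within STRIKE_WINDOW seconds (a port scan) locks the source out.
        st.progress = 0
        st.strikes = [t for t in st.strikes if ts - t <= STRIKE_WINDOW]
        st.strikes.append(ts)
        if len(st.strikes) > STRIKE_LIMIT:
            st.locked_until = ts + LOCKOUT
            st.strikes.clear()
            return "lockout"
        return "reset"


def _line(ts: str, src: str, dpt: int) -> str:
    return (f"{ts} gw kernel: KNOCK: IN=eth0 OUT= SRC={src} DST=198.51.100.2 "
            f"PROTO=TCP SPT=51000 DPT={dpt} SYN")


# Constructed log: a legitimate knocker (203.0.113.7), an unrelated line, then a
# scanner (198.51.100.9) that is locked out and afterwards sends the right sequence.
CONSTRUCTED_LOG = [
    _line("2024-01-05T12:00:00+00:00", "203.0.113.7", 7000),
    _line("2024-01-05T12:00:01+00:00", "203.0.113.7", 8000),
    _line("2024-01-05T12:00:02+00:00", "203.0.113.7", 9000),
    "2024-01-05T12:00:02+00:00 gw sshd[4242]: Accepted publickey for alice from 203.0.113.7",
] + [_line(f"2024-01-05T12:00:03.{i}00000+00:00", "198.51.100.9", i) for i in range(1, 6)] + [
    _line("2024-01-05T12:00:05+00:00", "198.51.100.9", 7000),
    _line("2024-01-05T12:00:06+00:00", "198.51.100.9", 8000),
    _line("2024-01-05T12:00:07+00:00", "198.51.100.9", 9000),
]


def replay(lines=CONSTRUCTED_LOG):
    matcher = KnockMatcher()
    return matcher, [matcher.feed_line(line) for line in lines]


if __name__ == "__main__":
    matcher, results = replay()
    for line, result in zip(CONSTRUCTED_LOG, results):
        print(f"{result:9} {line[:70]}")
    print("opened for:", matcher.opened)
```

In practice the rate limit belongs in front of this script as well: the iptables `limit` match (`-m limit --limit ... --limit-burst ...`) on the logging rule caps how many lines a scan can generate, which is pianosaurus's point about the log chain, and keeps the log-reading process from becoming the DoS target nyteryda warns about. Keeping the parser this small is also the answer to his buffer-overflow remark: the daemon only ever handles a source address and a port number.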

----------

## groovin

Security through obscurity....

I guess you can say that... but to me, security through obscurity really means that you are trying to mask your vulnerabilities by simply not telling anyone about them (i.e. MS' past handling of bugs). If I am running a service, say ssh, that is patched and secure against all known exploits and I decide to use port knocking, I think that's just adding another layer of security, not necessarily security through obscurity. But yes, the line that is drawn is thin. Now if I just used port knocking because it is easier than patching, that'd be a different story.

PingPong,

Couldn't you just whip up your own client on the fly? AFAIK, knockd listens and when it hears the right sequence, it executes some command, like creating a firewall pass rule. So, say you were on a Windows computer, couldn't you just write up a quick .bat file that used telnet to send the packets? Like...

```
c:\>telnet
> open 1.2.3.4 444
> open 1.2.3.4 12324
```

and so on. I haven't tried this so I'm not sure if it'd work.

----------

## pianosaurus

 *groovin wrote:*   

> PingPong,
> 
> Couldn't you just whip up your own client on the fly? AFAIK, knockd listens and when it hears the right sequence, it executes some command, like creating a firewall pass rule. So, say you were on a Windows computer, couldn't you just write up a quick .bat file that used telnet to send the packets? Like...
> 
> c:\>telnet
> ...

 

I was thinking of this, but is telnet really a part of any Windows installation? If it is, then yes. If not, I was going to do the same thing you suggested with pinging. You can set the packet size in the ping command, and it would have the same effect as port knocking (listening for a sequence of packet sizes). But I'd prefer knocking on ports. Can you (or anyone) confirm that telnet is built into Windows? If so, what versions?

I guess you could do this with any ssh client, but it would be hard to batch it with PuTTY (I think that is what my clients use).

----------

## groovin

Every default install of Windows I have done has had telnet in it. I just tried 2 XP machines, 2 Win2k, and one NT and they all had telnet. So I guess unless the admin removes it from the install him/herself, a default Windows install should have it.

----------

## OdinsDream

I fail to understand why anyone claims portknocking to be an example of "security through obscurity." What I gather thus far is people notice this fantastically simple, genuinely unique and useful idea, and want to find a flaw in it. This is the best they come up with. It is not "obscurity."

Imagine a wall of 6,000 red unlit buttons evenly spaced. They open a door, if you press the right ones in the right order, but if you mess up during the sequence, you have to start all over. This is port knocking. You have no idea where to start, how many times to press each button, and how long the sequence is. You have no way to get feedback about your progress (as you would with tumbler-locks, which are also Not security-through-obscurity).

Yet, you can be completely aware of the "code" behind this lock. I can tell you:

Someone is behind that wall, watching the buttons as they light up bulbs. This person knows exactly how many times each bulb should light, and which one should light first, second, third, and so forth.

So, the *way this works* is completely unobscured. Yet, it is still extremely good security.

This, and even when you're finally in the door, you're only just as well off as you would have been without using portknocking at all.

----------

## OdinsDream

 *groovin wrote:*   

> Every default install of Windows I have done has had telnet in it. I just tried 2 XP machines, 2 Win2k, and one NT and they all had telnet. So I guess unless the admin removes it from the install him/herself, a default Windows install should have it.

 

I'm sure you could find some online telnet clients, if you really needed to. I've always been able to download and run PuTTY when I came across a "secure" Windows computer whose administrator had disabled the command line.

----------

## nielchiano

 *OdinsDream wrote:*   

> I fail to understand why anyone claims portknocking to be an example of "security through obscurity." What I gather thus far is people notice this fantastically simple, genuinely unique and useful idea, and want to find a flaw in it. This is the best they come up with. It is not "obscurity."
> 
> Imagine a wall of 6,000 red unlit buttons evenly spaced. They open a door, if you press the right ones in the right order, but if you mess up during the sequence, you have to start all over. This is port knocking. You have no idea where to start, how many times to press each button, and how long the sequence is. You have no way to get feedback about your progress (as you would with tumbler-locks, which are also Not security-through-obscurity).
> 
> Yet, you can be completely aware of the "code" behind this lock. I can tell you:
> ...

 

or in short: it's a kind of password, using an "alphabet" of 65535 letters instead of the usual 62 (A-Z, a-z, 0-9).

It can consist of an arbitrary number of characters (ports).

----------

## OdinsDream

 *nielchiano wrote:*   

> or in short: it's a kind of password, using an "alphabet" of 65535 letters instead of the usual 62 (A-Z, a-z, 0-9).
> 
> It can consist of an arbitrary number of characters (ports).

 

brevity is the soul of wit.

----------

## nielchiano

 *OdinsDream wrote:*   

> brevity is the soul of wit.

 thx  :Wink: 

----------

