[Melbourne-pm] Knockd for Web

scottp at dd.com.au scottp at dd.com.au
Mon Jun 1 22:46:28 PDT 2009

----- "Daniel Pittman" <daniel at rimspace.net> wrote:
> Given that port knocking is just another way of delivering a password to the
> destination system, there is no security difference between it and just using
> the password in the vast majority of cases.

Sorry, this is very inaccurate, Daniel. There are many reasons for that, but here are a few:

* As your port is closed - you suffer from none of the DoS attacks on your service (e.g. SSH)
* As your port is closed - you suffer from none of the buffer overruns, or various other back doors and bugs in your daemon
* As your port is closed - you don't even look like you are there - not even a response from your IP, no scan as the ports are closed, so unless you know to attack that location, you won't even try.

The knock can also even be a one-time key - obviously you need some way to know the next/time-based entry, which would not suit me.

> Using existing, well tested security mechanisms like SSL is almost certainly
> going to beat out building your own.

As with the documentation of knockd, it is not about replacing the need for good security via SSL and passwords. This is not, as you suggested, a "replace your authentication with a roll-your-own". Knockd is a well established and commonly used tool to add a layer to that security. But also the purpose of this mail was not to write my own - but to find one that was, and write only if I have to.

There are a number of problems also with using SSL. The purpose of my requirement is to allow me access with my own knowledge, from an unknown location. The example given to me was that your laptop, desktop and USB key get stolen overnight. Or you just plain forgot your USB key and laptop :-)

Finally, there have been a number of attacks and holes in Apache SSL implementations over the years - if you have an admin service you don't need to give access to (i.e. not a public site) then blocking even access to the service is a good idea.

The kernel via iptables can throw away packets far faster than a connection to Apache - thus you are reducing the DoS attacks as well.

If you have security monitoring tools, you can even use the knockd technique to reduce the reports of automatic or scripted attacks to those that are serious. Logs are just full of script kiddie attacks - so much so that you can't even see the serious ones.

> Finally, if you are in sufficient control of the destination system and
> userbase to require port knocking you can almost certainly just use
> client-side SSL certificates for authentication.

Yes. You can of course just use basic auth - thehehe. You can use what you like. But clearly my requirements were not clear enough, as that would not meet the needs.

> Those provide zero-knowledge proof of possession over the Internet without
> *any* reasonable risk of attack.

The security experts seem to disagree. Indeed, if all you say is true, we can throw away iptables and firewalls :-)

Some references for you:
* http://www.serverwatch.com/tutorials/article.php/3625276
* http://www.zeroflux.org/projects/knock

In the end, adding a layer of security cannot be "the same" as not adding that layer. My need here is to provide the same established security of knockd to web services via proxies.

scottp at dd.com.au
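As an added illustration of the mechanism discussed in this thread (this is not code from the original message, nor from knockd itself), the following Python models the decision knockd makes before it runs its start command: a source address must hit the configured ports in order, within a timeout, and a wrong port resets its progress. The `KnockTracker`, `render_command` and `run` names, the `SAMPLE_EVENTS` observations and the `START_COMMAND` template are all constructed for this example; real knockd sniffs SYN packets with libpcap rather than reading pre-parsed events, and the command string is only rendered here, never executed. The `one_time` option goes a step beyond the message's text by consuming each sequence after use, in the spirit of the one-time key mentioned above.

```python
"""Model of knockd's core decision logic (added example, not knockd code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# (source IP, destination TCP port, timestamp in seconds) - pre-parsed
# observations of connection attempts to ports the firewall drops.
Event = Tuple[str, int, float]

# Constructed template in the style of knockd.conf's start_command; %IP% is
# the placeholder knockd expands with the knocking source address.
START_COMMAND = "/sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT"


@dataclass
class KnockTracker:
    """Tracks, per source address, how far through the knock sequence it is."""
    sequences: List[Tuple[int, ...]]   # acceptable sequences, used in order
    timeout: float = 5.0               # seconds allowed to finish one sequence
    one_time: bool = False             # discard each sequence once it succeeds
    _progress: Dict[str, Tuple[int, float]] = field(default_factory=dict)

    def observe(self, src: str, port: int, ts: float) -> bool:
        """Feed one observation; return True when src completes a sequence."""
        if not self.sequences:
            return False               # all one-time sequences already consumed
        seq = self.sequences[0]
        stage, started = self._progress.get(src, (0, ts))
        # The whole sequence must arrive within the window, otherwise start over.
        if stage and ts - started > self.timeout:
            stage, started = 0, ts
        if port != seq[stage]:
            # Wrong port for this stage: the source goes back to the beginning.
            self._progress.pop(src, None)
            return False
        stage += 1
        if stage < len(seq):
            self._progress[src] = (stage, started)
            return False
        # Every port seen in order and in time: the knock succeeded.
        self._progress.pop(src, None)
        if self.one_time:
            self.sequences.pop(0)
        return True


def render_command(template: str, ip: str) -> str:
    """Substitute %IP% the way knockd does. String only; nothing is executed."""
    return template.replace("%IP%", ip)


def run(events: List[Event], tracker: KnockTracker) -> List[Tuple[str, float]]:
    """Replay events and return (ip, ts) for each completed knock."""
    opened = []
    for src, port, ts in events:
        if tracker.observe(src, port, ts):
            opened.append((src, ts))
    return opened


# Constructed sample: one legitimate knock, one too-slow knock, one that
# touches a wrong port mid-sequence (addresses from documentation ranges).
SAMPLE_EVENTS: List[Event] = [
    ("203.0.113.5", 7000, 0.0),
    ("203.0.113.5", 8000, 0.5),
    ("203.0.113.5", 9000, 1.0),    # completes 7000,8000,9000 within 5 s
    ("198.51.100.9", 7000, 2.0),
    ("198.51.100.9", 8000, 9.0),   # 7 s after the first knock: too late
    ("198.51.100.9", 9000, 9.2),
    ("192.0.2.77", 7000, 10.0),
    ("192.0.2.77", 22, 10.1),      # wrong port resets this source
    ("192.0.2.77", 8000, 10.2),
    ("192.0.2.77", 9000, 10.3),
]

if __name__ == "__main__":
    tracker = KnockTracker(sequences=[(7000, 8000, 9000)])
    for ip, ts in run(SAMPLE_EVENTS, tracker):
        print(f"t={ts}: knock from {ip} -> {render_command(START_COMMAND, ip)}")
```

Running it prints a single line for 203.0.113.5; the slow and the mistyped sequences never open anything, which is the filtering the message describes: scanners that merely touch the knock ports without the exact order and timing never reach the daemon behind them.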
