[Melbourne-pm] Knockd for Web
Scott Penrose
scottp at dd.com.au
Tue Jun 2 03:38:27 PDT 2009
On 02/06/2009, at 8:14 PM, Daniel Pittman wrote:
All that you wrote above (removed) is reasonable. I only differ very
slightly in opinion, not enough to worry about :-)
>> The security experts seem to disagree.
>
> Ah. I thought you were going to post links to disagree with the
> claim that SSL is reasonably secure.
Oh no. Sorry, I didn't mean to imply anything one way or the other about SSL
security. In fact, in a different circumstance (e.g. an admin web
interface for a company) I would be using certificates as auth.
>> Indeed, if all you say is true, we can throw away iptables and
>> firewalls :-)
>
> That certainly isn't my argument, and I am vaguely surprised you found
> anything to support a belief that it was in what I wrote. :)
Quite right, I was going a little overboard to make a point. What I
had missed from your previous post, sorry, was that you were using an
SSL certificate to then open a firewall port (e.g. to SSH). My
personal conclusion, after reading what a number of experts have to
say, is that it is not as safe as having no open ports. Having that
one service (e.g. an SSL server) makes the machine vulnerable. You did
talk in the deleted section about the security of knockd - and it does
have to run as root, but accepts no user input - so while there is a
potential for DoS (although very small compared to any socket
interface), it is not likely to have any other hole. Of course...
famous last words :-)
> My contention, for what it is worth, is that you gain as much
> security using a more common method such as SSH or SSL secured HTTP
> to perform the same authentication collection as the knock service.
Thanks Daniel. I am afraid I still want to block all open ports with
iptables, so no open SSL or SSH connection, plus, as I originally
mentioned, I am coming in from networks that don't support anything
but HTTP via a proxy. Which leaves me still with a way of "knocking"
via a firewall - for which a CGI type solution may work. And because
it still then uses secure passwords over SSL, I can probably be
confident that it is good enough. Which is what security is all about:
there is no perfect solution, just tools.
Which comes around full circle back to my original question, to which the answer is
probably no: has anyone seen an existing script? Yes, I can write it
easily (and Daniel did too), but I like to find someone who has found
all those hidden issues I have not yet thought of.
Thanks
Scott
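The "web knock" Scott describes above (all ports closed by iptables, a password sent over HTTPS to a CGI, a firewall hole opened for the caller) as an added example of the core handler logic; this is not code from the thread or from knockd. Assumptions: the handler sees the usual CGI environment (HTTPS, REMOTE_ADDR), the knock opens port 22, and the iptables command is returned rather than executed so the checks can be exercised without root.

```python
import hashlib
import hmac
import ipaddress
import time
from typing import Dict, List, Optional

KNOCK_PORT = 22              # port the knock opens (assumption: SSH)
MAX_FAILURES = 5             # lock an address out after this many bad passwords
LOCKOUT_SECONDS = 600

# Constructed credential: a salted PBKDF2 hash of the knock password, never the
# password itself, so a leaked CGI config does not hand out the knock.
_SALT = b"constructed-salt"
_PW_HASH = hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000)
_failures: Dict[str, List[float]] = {}   # address -> timestamps of bad attempts


def password_ok(candidate: str) -> bool:
    """Hash the candidate and compare in constant time (no timing leak)."""
    h = hashlib.pbkdf2_hmac("sha256", candidate.encode(), _SALT, 100_000)
    return hmac.compare_digest(h, _PW_HASH)


def _locked_out(addr: str, now: float) -> bool:
    """True if addr has had MAX_FAILURES bad attempts inside LOCKOUT_SECONDS."""
    recent = [t for t in _failures.get(addr, []) if now - t < LOCKOUT_SECONDS]
    _failures[addr] = recent
    return len(recent) >= MAX_FAILURES


def knock(environ: dict, password: str,
          now: Optional[float] = None) -> Optional[List[str]]:
    """Validate one knock. Returns the iptables argv that opens KNOCK_PORT to the
    requesting address, or None if the request is refused. A deployment would hand
    the argv to a privileged helper and schedule the matching '-D' rule to close it."""
    now = time.monotonic() if now is None else now
    if environ.get("HTTPS") != "on":          # the password must never travel in clear
        return None
    try:                                      # the rule is keyed on this address, so it must parse
        addr = str(ipaddress.ip_address(environ.get("REMOTE_ADDR", "")))
    except ValueError:
        return None
    if _locked_out(addr, now) or not password_ok(password):
        _failures.setdefault(addr, []).append(now)
        return None
    # Behind an outbound HTTP proxy (the situation in the thread) REMOTE_ADDR is
    # the proxy's egress address, so that is what gets opened, not the workstation.
    return ["iptables", "-I", "INPUT", "-p", "tcp", "-s", addr,
            "--dport", str(KNOCK_PORT), "-j", "ACCEPT"]
```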