[Melbourne-pm] Knockd for Web

Toby Corkindale toby.corkindale at strategicdata.com.au
Tue Jun 2 21:10:49 PDT 2009


Scott Penrose wrote:
> ----- "Sam Watkins" <sam at nipl.net> wrote:
> 
>> People at your ISPs could still pretend to be you after you have knocked
>> by spoofing IP addresses, so it's important of course to use crypto
>> after that too.
> 
> Yes, you must have as much security as you would normally have anyway.
> For example, an SSH key and no root login is still a good idea.
> 
> But also, like all security, it is about context and opportunity. If I am in a cafe in Melbourne and port knock on my web site, yes, the cafe, the ISP and my ISP could see that sequence: all very low risk. I am not sure about you guys, but my attacks are not coming from Melbourne ISPs :-) So it still helps. And then of course all I am doing is opening a port which would otherwise have been open anyway, and still using normal login measures.
> 
>> I guess the advantage of knockd is that you can easily "knock" with a
>> web browser or telnet or whatever; you don't need a special client which
>> does crypto. (But ssh/putty is very portable, and you'll most likely be
>> needing it anyway.)
> 
> Yes, so I imagine the scenario that I have my secure key with me (either an SSL key for HTTPS or an SSH key) on a key, I download putty, I open my port to the Internet cafe (just a silly example), and now I have access to my server.

So...
How does the port knocking /stop/ such attackers? I mean, you seem to be 
assuming that your attackers can bypass your existing authentication 
mechanisms on ssh. If they can do that, then surely they will find it 
absolutely trivial to capture a few packets indicating which ports to 
knock upon too?

I can't help but feel that your time would be more effectively spent in 
other ways to increase your security - e.g. auditing your CGI scripts, 
keeping track of new exploits, carrying hardcopies of server cert 
fingerprints, automated warnings about suspicious activity, SELinux, 
AppArmor, honeypots, tripwires, and god knows what else that more 
paranoid people than I can recommend... and only worrying about your 
security-through-obscurity once you've exhausted the mountain of 
security-through-security methods available ;)
