[Melbourne-pm] Knockd for Web

Simon Taylor simon at unisolve.com.au
Tue Jun 2 21:31:05 PDT 2009


Hello all,

> Scott Penrose wrote:
>> ----- "Sam Watkins" <sam at nipl.net> wrote:
>>
>>> People at your ISPs could still pretend to be you after you have
>>> knocked
>>> by spoofing IP addresses, so it's important of course to use crypto
>>> after that too.
>>
>> Yes, you must have as much security as you would normally anyway.
>> For example, an SSH key and no root login is still a good idea.
>>
>> But also, like all security, it is about context and opportunity. If 
>> I am in a cafe in Melbourne and port knock on my web site, yes, the 
>> cafe, the ISP and my ISP could see that sequence - all very low risk. 
>> I am not sure about you guys, but my attacks are not coming from 
>> Melbourne ISPs :-) So it still helps. And then of course all I am 
>> doing is then opening a port which would otherwise have been open 
>> anyway, and still using normal login measures.
>>
>>> I guess the advantage of knockd is that you can easily "knock" with a
>>> web browser or telnet or whatever you don't need a special client
>>> which
>>> does crypto.  (but ssh/putty is very portable, and you'll most likely
>>> be
>>> needing it anyway)
>>
>> Yes, so I imagine the scenario that I have my secure key with me 
>> (either SSL key for HTTPS or SSH key) on a key, I download putty, I 
>> open my port to the Internet Cafe (just a silly example) - and now I 
>> have access to my server.
>
> So...
> How does the port knocking /stop/ such attackers? I mean, you seem to 
> be assuming that your attackers can bypass your existing 
> authentication mechanisms on ssh. If they can do that, then surely 
> they will find it absolutely trivial to capture a few packets 
> indicating which ports to knock upon too?
>
> I can't help but feel that your time would be more effectively spent 
> in other ways to increase your security - eg. Auditing your CGI 
> scripts, keeping track of new exploits, carrying hardcopies of server 
> cert fingerprints, automated warnings about suspicious activity, 
> SELinux, AppArmor, honeypots, tripwires, and god knows what else that 
> more paranoid people than I can recommend.. and only worrying about 
> your security-through-obscurity once you've exhausted the mountain of 
> security-through-security methods available ;)

Using knockd is emphatically not security through obscurity. As Scott 
has said, all of your normal security infrastructure remains in place.

In our uses of it, we routinely have HID systems like psad and ossec 
running on public servers and these do a great job of reporting on 
suspicious traffic.

But it is knockd that dramatically reduces the attention you get from 
black hats and allows the often time-poor, overworked sys admin in an 
organisation to focus on the attacks that remain.

Cheers,

Simon
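To make concrete what the thread is arguing about, here is an added example of the defender-side logic a knock daemon implements: it is not code from the list, from knockd or from any poster. It keeps per-source state for a knock sequence, resets on a wrong port or a stale partial sequence, and opens the protected port only for the knocking source and only for a limited window. The sequence 7000/8000/9000, the timeouts, the iptables-style log lines and the addresses are all constructed for the example, and the `KNOCK:` log prefix is an assumed firewall rule label, not a knockd default.

```python
import re
from dataclasses import dataclass

# Constructed example values; a real deployment picks its own sequence and windows.
KNOCK_SEQUENCE = (7000, 8000, 9000)
SEQ_TIMEOUT = 5.0     # seconds allowed between first and last knock
OPEN_WINDOW = 10.0    # seconds the protected port stays open for that source

# Assumed format: "<epoch> IN=... SRC=<ip> DST=... PROTO=TCP DPT=<port>", i.e. an
# iptables LOG line for packets dropped on the knock ports, with the kernel
# timestamp replaced by an epoch float for the example.
LOG_RE = re.compile(r"^(\S+)\s.*SRC=(\S+).*DPT=(\d+)")


@dataclass
class KnockState:
    next_index: int = 0     # position in the sequence this source must hit next
    last_seen: float = 0.0  # time of the last accepted knock


class KnockMonitor:
    def __init__(self, sequence=KNOCK_SEQUENCE, seq_timeout=SEQ_TIMEOUT,
                 open_window=OPEN_WINDOW):
        self.sequence = tuple(sequence)
        self.seq_timeout = seq_timeout
        self.open_window = open_window
        self._progress = {}    # src ip -> KnockState
        self._open_until = {}  # src ip -> expiry time of the opened port

    def observe(self, src, port, now):
        """Feed one knock event; return True if it completed the sequence."""
        state = self._progress.get(src, KnockState())
        if state.next_index and now - state.last_seen > self.seq_timeout:
            state = KnockState()  # partial sequence went stale: start over
        if port == self.sequence[state.next_index]:
            state.next_index += 1
            state.last_seen = now
        else:
            # Any wrong port resets the sequence (knockd behaves the same way);
            # a wrong port that is the first knock begins a fresh sequence.
            state = KnockState()
            if port == self.sequence[0]:
                state.next_index = 1
                state.last_seen = now
        if state.next_index == len(self.sequence):
            self._progress.pop(src, None)
            self._open_until[src] = now + self.open_window
            return True
        self._progress[src] = state
        return False

    def is_open(self, src, now):
        """True while the protected port is open for this source."""
        expiry = self._open_until.get(src)
        if expiry is None:
            return False
        if now > expiry:
            del self._open_until[src]  # window elapsed: close again
            return False
        return True


def opened_sources(log_text, monitor=None):
    """Replay firewall log lines and return (src, time) for each completed sequence."""
    monitor = monitor or KnockMonitor()
    completed = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        now, src, port = float(m.group(1)), m.group(2), int(m.group(3))
        if monitor.observe(src, port, now):
            completed.append((src, now))
    return completed


# Constructed log: one correct sequence, one that times out, one out of order.
CONSTRUCTED_LOG = """\
1.0 IN=eth0 SRC=203.0.113.5 DST=192.0.2.1 PROTO=TCP DPT=7000
1.5 IN=eth0 SRC=203.0.113.5 DST=192.0.2.1 PROTO=TCP DPT=8000
2.0 IN=eth0 SRC=203.0.113.5 DST=192.0.2.1 PROTO=TCP DPT=9000
3.0 IN=eth0 SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP DPT=7000
9.5 IN=eth0 SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP DPT=8000
10.0 IN=eth0 SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP DPT=9000
10.5 IN=eth0 SRC=192.0.2.9 DST=192.0.2.1 PROTO=TCP DPT=7000
11.0 IN=eth0 SRC=192.0.2.9 DST=192.0.2.1 PROTO=TCP DPT=9000
11.5 IN=eth0 SRC=192.0.2.9 DST=192.0.2.1 PROTO=TCP DPT=8000
"""

if __name__ == "__main__":
    mon = KnockMonitor()
    for src, when in opened_sources(CONSTRUCTED_LOG, mon):
        print(f"{src}: sequence completed at t={when}, port open until t={when + OPEN_WINDOW}")
```

Only the first source completes the sequence; the second lets the partial sequence go stale and the third knocks out of order. Note what the monitor does and does not decide: it controls which source can reach the port and for how long, and nothing more. As the thread points out, anyone positioned to watch the three packets can send the same three packets, so the service behind the opened port still has to carry its normal authentication (key-only SSH, no root login).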