
Re:Author is dead-on

Posted by: Anonymous Coward on August 11, 2004 05:03 AM
The author was mistaken about the effective key-length.

It may well be that only 32 ports are configured as knockable on a given system, but that has no effect on how many ports are available to guess, it just means that a knock on any other port is meaningless. No more information is gained by knocking on a knockable port than is gained by knocking on an unknockable port, so any given port (barring another service actively running on it) is just as likely as any other port.

Even if you know that I'm using a port knocking implementation that only allows 32 ports to be configured to knock, how are you going to know what ports they are?

I could be using ports 1-32 or odd ports from 1001 to 1063, or 32 ports that I chose by rolling really big dice. Heck, if I have an 8-port knock sequence, technically I'm only *using* 8 ports. That doesn't tell you *which* ports, though.

The author assumed that just because I can only pick 32 ports that they have to be the same 32 ports everyone else uses. If the attacker can figure out which ports I'm allowing knocks on, I've got other problems than the fact that only 32 ports watch for knocks.

How would a 40-bit passcode to gain access to SSH possibly be worse than a 0-bit passcode to gain access to SSH? If one of my users uses the password '48205728', does that mean that my security system has a 10,000,000

Now, if the spec requires 32 particular ports, then the author is right about the strength, but that's not the impression I got from reading that it could be configured with up to 256 ports.

Want fun & games? How about this? One wrong knock, and the attacker gets a false positive that sets him loose on a 1bps connection to a honeypot system that's not connected to the rest of the network.
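As an added illustration of the commenter's two claims (this is example code written for this archive page, not code from the original thread or from any port-knocking project): a toy knock daemon that reacts only once the whole sequence has arrived, so a probe of a "knockable" port returns exactly the same (silent) result as a probe of any other port, plus the key-length arithmetic for an 8-knock sequence when the attacker does or does not know the 32 configured ports. The port numbers and sequence are constructed sample values.

```python
import math

class KnockDaemon:
    """Constructed model of a port-knock listener: it holds per-source state and
    only acts when the complete secret sequence has been seen in order."""

    def __init__(self, secret_sequence, knockable_ports):
        self.secret = tuple(secret_sequence)
        self.knockable = frozenset(knockable_ports)   # the "32 configured ports"
        assert set(self.secret) <= self.knockable
        self.progress = 0   # knocks of the secret matched so far

    def knock(self, port):
        """Process one inbound knock. Returns True only when the full sequence
        has just completed; every other knock, on a configured port or not,
        yields the same False, so no per-port oracle is exposed."""
        if self.progress < len(self.secret) and port == self.secret[self.progress]:
            self.progress += 1
        else:
            # any mismatch resets; the mismatching knock may itself restart the sequence
            self.progress = 1 if port == self.secret[0] else 0
        if self.progress == len(self.secret):
            self.progress = 0
            return True
        return False

def distinct_responses(daemon, probe_ports):
    """Set of responses an attacker sees when probing each port once from a fresh
    state. A single element means no information about which ports are configured."""
    responses = set()
    for port in probe_ports:
        daemon.progress = 0
        responses.add(daemon.knock(port))
    return responses

def effective_bits(seq_len, port_choices):
    """Key length (bits) of seq_len knocks, each drawn from port_choices ports."""
    return seq_len * math.log2(port_choices)

if __name__ == "__main__":
    d = KnockDaemon((7000, 8000, 9000), knockable_ports=range(7000, 7000 + 32 * 1000, 1000))
    print(distinct_responses(d, [1234, 7000, 8000]))      # probes look alike
    print(effective_bits(8, 32))      # attacker knows the 32 ports: 40 bits
    print(effective_bits(8, 65535))   # attacker does not: ~128 bits
```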


Return to A critique of port knocking