
A Few Comments

Posted by: OME on August 11, 2004 11:47 AM
Just my $0.02
The author says:
1) "The obvious question then is, in what way is this convoluted and inefficient method of sending a passphrase across a network better than the straightforward method of putting it in a packet and sending it? The obvious answer is, it is not. (The second obvious question is, how is it different from authenticating yourself with a passphrase using SSH? But we'll get to that shortly.)"
The whole idea behind port knocking is to deter common tools / scripts and script kiddies. It also makes it much more difficult for even more serious intruders. If port knocking succeeds in eliminating just script kiddies and no one else, then I think that it's worth the time.

2) "OpenSSH, which is the SSH server on the majority of Linux installations, suffers from regular exploits of buffer overflow and other vulnerabilities, and you neither have the time to keep up with the patches nor want to make the effort -- you'd rather put up with not being able to access your files. This is where port knocking might seem to help -- but don't count on it." Even if what you say is correct (which I can easily disagree with), you can always use something like Libsafe to block the majority of buffer overflow attacks. Using Libsafe means that your application doesn't even need constant patching, even if it's vulnerable.

3) "Secondly, there's the matter of what you're going to do about replay attacks. A replay attack is one where a router sitting between the client and the server passively sniffs what the client is sending, and sends the same bitstream after a while to the server, pretending to be the client." This can be countered by changing the sequence after each connection. Of course, it would be ridiculous to have the user handle this, so after each successful connection, a random port sequence can be generated by the server and transmitted to the client application. Upon receiving confirmation from the client that the new sequence has reached the client, the server would then modify its behavior to allow only port knocks matching the new sequence. Some wrapper is probably all you'd need.
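The rotating-sequence scheme sketched in point 3 can be modelled end to end: the server matches knocks in order, opens on a complete sequence, proposes a fresh random sequence, and only commits to it once the client echoes it back; a sniffer who replays the old sequence afterwards is refused. The code below is an added illustration written for this archive page, not code from the commenter, the critiqued article or any port-knocking project. It simulates both sides in one process with plain method calls instead of real packets, and the class and method names (KnockServer, KnockClient, propose_next_sequence, confirm) are assumptions. One caveat the simulation makes visible: the new sequence is only as secret as the channel it is delivered over, so in a real deployment that exchange has to ride the connection the knock just opened (e.g. inside SSH), not the knock ports themselves.

```python
import secrets

# Constructed parameters for the simulation (assumptions, not from the page).
PORT_RANGE = (1024, 65535)
SEQ_LEN = 4


class KnockServer:
    """Knock daemon with one-time sequences: each successful knock rotates the secret."""

    def __init__(self, initial_sequence, rng=None):
        self.sequence = list(initial_sequence)   # sequence currently accepted
        self.pending = None                      # proposed but not yet confirmed
        self.progress = {}                       # source address -> knocks matched so far
        self.rng = rng or secrets.SystemRandom()

    def knock(self, src, port):
        """Consume one knock from src. Returns True only when the full sequence completes."""
        idx = self.progress.get(src, 0)
        if port == self.sequence[idx]:
            idx += 1
        else:
            # Wrong port: restart, crediting the knock if it happens to be the first port.
            idx = 1 if port == self.sequence[0] else 0
        if idx == len(self.sequence):
            self.progress.pop(src, None)
            return True
        self.progress[src] = idx
        return False

    def propose_next_sequence(self):
        """Generate the next one-time sequence; it is not accepted until confirmed."""
        self.pending = [self.rng.randint(*PORT_RANGE) for _ in range(SEQ_LEN)]
        return list(self.pending)

    def confirm(self, echoed):
        """Commit the pending sequence once the client proves it received it."""
        if self.pending is None or echoed != self.pending:
            return False
        self.sequence = self.pending
        self.pending = None
        self.progress.clear()   # any half-finished knock on the old sequence is void
        return True


class KnockClient:
    """Client wrapper that knocks and adopts the sequence handed back by the server."""

    def __init__(self, sequence):
        self.sequence = list(sequence)

    def knock_sequence(self, server, src):
        opened = False
        for port in self.sequence:
            opened = server.knock(src, port)
        return opened

    def accept(self, new_sequence):
        # Store the new sequence and echo it so the server can commit to it.
        self.sequence = list(new_sequence)
        return list(new_sequence)


def run_session(server, client, src):
    """One full exchange: knock, open, rotate. Returns True if access was granted."""
    if not client.knock_sequence(server, src):
        return False
    proposed = server.propose_next_sequence()
    server.confirm(client.accept(proposed))
    return True


def demo():
    """Legitimate session, replay of the sniffed sequence, then a second legitimate session."""
    initial = [7000, 8000, 9000, 10000]            # constructed starting sequence
    server = KnockServer(initial)
    client = KnockClient(initial)
    sniffed = list(client.sequence)                # what a passive router would capture
    first = run_session(server, client, "10.0.0.5")
    replay = KnockClient(sniffed).knock_sequence(server, "192.0.2.99")  # stale sequence
    second = run_session(server, client, "10.0.0.5")                    # rotated sequence works
    return first, replay, second


if __name__ == "__main__":
    print(demo())   # (True, False, True)
```

The restart rule in `knock` matters for detection as much as for correctness: an out-of-order port resets that source's progress, so scanning the port range sequentially never completes a sequence, and the per-source `progress` table is exactly what you would log to spot repeated partial matches from one address.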

