Port Knocking

Firewall administrators are challenged to balance flexibility and security when designing a comprehensive rule set. A firewall should provide protection against malfeasants, while allowing trusted users to connect. Unfortunately, it is not always possible to filter out the bad guys, because filtering on the basis of IP addresses and ports does not distinguish connecting users. Bad guys can and do come from trusted IP addresses. Open ports remain a necessary vulnerability: they allow connections to applications but also may turn into open doors for attack. This article presents a new security system, termed port knocking, in which trusted users manipulate firewall rules by transmitting information across closed ports.

Briefly, users make connection attempts to sequences of closed ports. The failed connections are logged by the server-side packet filtering firewall and detected by a dæmon that monitors the firewall log file. When a properly formatted knock sequence, playing the role of the secret used in the authentication, is received, firewall rules are manipulated based on the information content of the sequence. This user-based authentication system is both robust, being mediated by the kernel firewall, and stealthy--it's not possible to detect whether a networked machine is listening for port knocks. Port knocking does not require any open ports, and it can be extended to transmit any type of information encoded in a port sequence.

full article: http://www.linuxjournal.com/article.php?si...=thread&order=0

It can get pretty deep for some people, but still it's a useful read if you want to implement something like this.

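The mechanism the article excerpt describes (failed connections to closed ports logged by the packet filter, a dæmon reading the log, a rule change once the secret sequence arrives) is small enough to show end to end. The following is an added example written for this thread, not code from the Linux Journal article or its knockd implementation. It assumes a netfilter LOG rule of the form `iptables -A INPUT -p tcp --syn -j LOG --log-prefix "KNOCK: "` on the server, a hypothetical secret sequence 2000, 3000, 4000, a 10-second window for the whole sequence, and that a correct knock should open TCP port 22 to the knocking address; the log lines are constructed, and the dæmon returns the iptables command it would run instead of executing it.

```python
import re
from datetime import datetime, timedelta

# Hypothetical secret knock: TCP SYNs to these closed ports, in this order.
KNOCK_SEQUENCE = (2000, 3000, 4000)
KNOCK_TIMEOUT = timedelta(seconds=10)   # whole sequence must arrive within this window
SERVICE_PORT = 22                        # port opened for a source that knocks correctly

# Fields we need from a netfilter LOG line tagged with our "KNOCK: " prefix.
# Syslog timestamps carry no year, so they are used only for time deltas.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) .*?KNOCK: .*?"
    r"SRC=(?P<src>[\d.]+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)"
)


def parse_log_line(line):
    """Return (timestamp, src_ip, dst_port) for a KNOCK-tagged TCP line, else None."""
    m = LOG_RE.search(line)
    if not m or m.group("proto") != "TCP":
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return ts, m.group("src"), int(m.group("dpt"))


def rule_for(src, port=SERVICE_PORT):
    """The firewall change a completed knock triggers (returned, not executed)."""
    return f"iptables -I INPUT -p tcp -s {src} --dport {port} -j ACCEPT"


class KnockMonitor:
    """Tracks each source's progress through the secret sequence."""

    def __init__(self, sequence=KNOCK_SEQUENCE, timeout=KNOCK_TIMEOUT):
        self.sequence = sequence
        self.timeout = timeout
        self.progress = {}  # src_ip -> (index of next expected port, time of last knock)

    def feed(self, line):
        """Process one log line; return an iptables command when a source
        completes the sequence, otherwise None."""
        parsed = parse_log_line(line)
        if parsed is None:
            return None
        ts, src, port = parsed
        idx, last = self.progress.get(src, (0, ts))
        if ts - last > self.timeout:
            idx = 0                      # too slow: start over
        if port == self.sequence[idx]:
            idx += 1
        else:
            # A wrong port resets progress, so a scan that hits the right
            # ports in the wrong order never completes the sequence.
            idx = 1 if port == self.sequence[0] else 0
        if idx == len(self.sequence):
            del self.progress[src]
            return rule_for(src)
        self.progress[src] = (idx, ts)
        return None


def knock_line(ts, src, dpt, proto="TCP"):
    """Build a constructed log line in the netfilter LOG format (sample data only)."""
    return (f"{ts} gw kernel: KNOCK: IN=eth0 OUT= SRC={src} DST=198.51.100.5 "
            f"LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO={proto} SPT=40000 "
            f"DPT={dpt} WINDOW=29200 RES=0x00 SYN URGP=0")


# Constructed sample: 192.0.2.10 knocks correctly; 203.0.113.7 hits the same
# ports in reverse order, as a port scan might.
SAMPLE_LOG = "\n".join([
    knock_line("Jan 10 12:00:01", "192.0.2.10", 2000),
    knock_line("Jan 10 12:00:02", "192.0.2.10", 3000),
    knock_line("Jan 10 12:00:03", "192.0.2.10", 4000),
    knock_line("Jan 10 12:00:04", "203.0.113.7", 4000),
    knock_line("Jan 10 12:00:05", "203.0.113.7", 3000),
    knock_line("Jan 10 12:00:06", "203.0.113.7", 2000),
])


def process_log(log_text, monitor=None):
    """Feed every line of a log to the monitor; return the commands it emits."""
    monitor = monitor or KnockMonitor()
    return [cmd for cmd in (monitor.feed(l) for l in log_text.splitlines()) if cmd]


if __name__ == "__main__":
    for cmd in process_log(SAMPLE_LOG):
        print(cmd)
```

A real dæmon would tail the firewall log and hand `rule_for`'s output to the shell, and would also queue a matching rule deletion so the door closes again. Note what this does and does not buy you, which is the point the later replies make: the sequence is a static shared secret, so anyone who can sniff the knocks can replay them, while a scanner that does not know the order or the window never triggers the rule.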
I understand what they're saying. That's a good idea (seemingly), but I would think that the port knocks would have to be a LONG sequence so that the sequence couldn't be guessed. Also, they said that attacks can come from a good machine. If this good machine knows the port knocking sequence, couldn't he compromise the system? Just thoughts thrown up in the air.

There are 65535 TCP ports and 65535 UDP ports, good luck guessing those ports :)

And is it that big of a deal if that sequence is 3 ports or 100 ports, if the knock is usually an automated script?

It might not be a great defence if somebody is actively snooping your connection, but I think this is a perfect deterrent against script kiddies who scan whole class B subnets looking for vulnerable SSH or FTP servers.
