Port knocking
I'm enamored. I got pointed to a nifty idea called port knocking several weeks ago and have spent a decent chunk of time going through it. It's a really clever idea, and they seem to have a Perl-based prototype up.
Port knocking is slick: a service only accepts connections from a client that has first hit a predetermined sequence of closed ports. For instance, normally sshd listens on port 22 and answers anyone who connects, but with port knocking the firewall silently drops every packet to that port (so a scan or a stray connection attempt gets no answer at all, and the host gives no hint that the service exists), until a client has sent packets to ports 1048, 1037, 2059, 1950, 4050, 40, and 1048, in that order and within a set time window; only then is port 22 opened for that client's address, and the client has to connect within a limited time before it closes again.
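The mechanism described above, as an added example (this is not the Perl prototype's code and not from the original post): a knock detector that reads constructed firewall log lines, tracks each source address's progress through the sequence, enforces the time window, and opens port 22 for that source for a fixed period. The sequence is the one from the post; the window length, the open period, the log format and the `send_knocks` client helper are assumptions for this example. A real daemon would react by inserting a firewall rule for the source address; here `allowed` stands in for that rule.

```python
import re
import socket
from contextlib import suppress
from dataclasses import dataclass

# Knock sequence from the post; the timing values are assumptions for this example.
KNOCK_SEQUENCE = (1048, 1037, 2059, 1950, 4050, 40, 1048)
KNOCK_WINDOW = 10.0   # seconds the whole sequence must fit in (assumed)
OPEN_FOR = 30.0       # seconds port 22 stays open for a source after a good knock (assumed)
SERVICE_PORT = 22

# Constructed, simplified log format: one line per TCP SYN the firewall logged on a knock port.
LOG_RE = re.compile(r"ts=(?P<ts>[\d.]+) .*SRC=(?P<src>[\d.]+) .*DPT=(?P<dpt>\d+)")


@dataclass
class KnockState:
    index: int      # number of knocks of the sequence seen so far, in order
    started: float  # timestamp of the first knock of this attempt


class KnockDetector:
    """Tracks per-source progress through the knock sequence and which sources are open."""

    def __init__(self, sequence=KNOCK_SEQUENCE, window=KNOCK_WINDOW, open_for=OPEN_FOR):
        self.sequence = tuple(sequence)
        self.window = window
        self.open_for = open_for
        self.attempts = {}  # src ip -> KnockState (partial sequences in progress)
        self.opened = {}    # src ip -> time at which its access to SERVICE_PORT expires

    def knock(self, src, port, ts):
        """Feed one logged SYN. Returns True when src has just completed the sequence."""
        st = self.attempts.pop(src, None)
        if st is not None and ts - st.started > self.window:
            st = None  # too slow: the partial sequence is discarded
        if st is not None and port == self.sequence[st.index]:
            st.index += 1  # correct next knock
        elif port == self.sequence[0]:
            st = KnockState(index=1, started=ts)  # (re)start an attempt on the first knock
        else:
            return False  # any other port ends the attempt; an out-of-order scan stops here
        if st.index == len(self.sequence):
            self.opened[src] = ts + self.open_for
            return True
        self.attempts[src] = st
        return False

    def allowed(self, src, port, ts):
        """What the firewall rule would decide for a packet from src to port at time ts."""
        expiry = self.opened.get(src)
        if port != SERVICE_PORT or expiry is None:
            return False
        if ts > expiry:
            del self.opened[src]  # the window to reach the service has closed again
            return False
        return True


def process_log(lines, detector=None):
    """Run log lines through a detector; returns ([(src, ts) that opened], detector)."""
    detector = detector or KnockDetector()
    opened = []
    for line in lines:
        m = LOG_RE.search(line)
        if m is None:
            continue
        if detector.knock(m["src"], int(m["dpt"]), float(m["ts"])):
            opened.append((m["src"], float(m["ts"])))
    return opened, detector


def send_knocks(host, sequence=KNOCK_SEQUENCE, timeout=0.2):
    """Client side (assumed helper): one connection attempt per port, in order. The ports
    are closed or dropped, so the connects fail; only the SYN matters, so errors are ignored."""
    for port in sequence:
        with suppress(OSError):
            socket.create_connection((host, port), timeout=timeout).close()


# Constructed sample log, grouped by source for readability.
SAMPLE_LOG = [
    # 203.0.113.7: the full sequence, in order, in three seconds -> opens port 22
    "ts=1000.0 KNOCK SRC=203.0.113.7 PROTO=TCP DPT=1048",
    "ts=1000.5 KNOCK SRC=203.0.113.7 PROTO=TCP DPT=1037",
    "ts=1001.0 KNOCK SRC=203.0.113.7 PROTO=TCP DPT=2059",
    "ts=1001.5 KNOCK SRC=203.0.113.7 PROTO=TCP DPT=1950",
    "ts=1002.0 KNOCK SRC=203.0.113.7 PROTO=TCP DPT=4050",
    "ts=1002.5 KNOCK SRC=203.0.113.7 PROTO=TCP DPT=40",
    "ts=1003.0 KNOCK SRC=203.0.113.7 PROTO=TCP DPT=1048",
    # 198.51.100.9: a port scan hits every knock port, but in ascending order -> nothing
    "ts=1000.0 KNOCK SRC=198.51.100.9 PROTO=TCP DPT=40",
    "ts=1000.1 KNOCK SRC=198.51.100.9 PROTO=TCP DPT=1037",
    "ts=1000.2 KNOCK SRC=198.51.100.9 PROTO=TCP DPT=1048",
    "ts=1000.3 KNOCK SRC=198.51.100.9 PROTO=TCP DPT=1950",
    "ts=1000.4 KNOCK SRC=198.51.100.9 PROTO=TCP DPT=2059",
    "ts=1000.5 KNOCK SRC=198.51.100.9 PROTO=TCP DPT=4050",
    # 192.0.2.50: the right sequence, but spread over 12 seconds -> too slow
    "ts=2000.0 KNOCK SRC=192.0.2.50 PROTO=TCP DPT=1048",
    "ts=2002.0 KNOCK SRC=192.0.2.50 PROTO=TCP DPT=1037",
    "ts=2004.0 KNOCK SRC=192.0.2.50 PROTO=TCP DPT=2059",
    "ts=2006.0 KNOCK SRC=192.0.2.50 PROTO=TCP DPT=1950",
    "ts=2008.0 KNOCK SRC=192.0.2.50 PROTO=TCP DPT=4050",
    "ts=2010.0 KNOCK SRC=192.0.2.50 PROTO=TCP DPT=40",
    "ts=2012.0 KNOCK SRC=192.0.2.50 PROTO=TCP DPT=1048",
]

if __name__ == "__main__":
    opened, det = process_log(SAMPLE_LOG)
    print("opened:", opened)
    print("203.0.113.7 -> 22 at t=1010:", det.allowed("203.0.113.7", 22, 1010.0))
    print("198.51.100.9 -> 22 at t=1001:", det.allowed("198.51.100.9", 22, 1001.0))
```

Run against the sample log, only 203.0.113.7 gets port 22 opened, and only until t=1033; the ascending scan never lines up with the sequence, and the slow knocker is reset when its last knock falls outside the window. Note what the detector keys on: the source address and the port order, nothing else. Feeding it the same seven lines with a different SRC opens the port for that address too, which is exactly what a sniffer on the path can do by replaying the knocks.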
It's gotten ragged on as a "security through obscurity" feature, but that misses its intent, which is just to be another line of defense. All it does is augment the existing security measures (passwords, etc.) by not acknowledging that a service is running on the box until you hit the sequence, so port scanning becomes fairly useless, and it puts the hurt on dictionary-style attacks big time, since an attacker can't even reach the login prompt. The fair criticism is that a fixed sequence is a shared secret sent in the clear: anyone who can sniff the knocks can replay them from their own address, so it belongs in front of sshd's own authentication, not in place of it.
And it's extremely simple and elegant: no hard-to-understand protocol. One of the more interesting examples I've heard would be for use in NAT'd environments: knock the correct ports on the gateway, and your traffic gets forwarded to port 22 on a host inside the network. Or as another layer of security for IPv6 environments, which will hopefully do away with NAT.

Posted by drunkenbatman