undefined | Better HN

0 pointsmr_mitm1y ago0 comments

Port knocking is one of those things that sound like a good idea, but there are many possible footguns. And why is it that there is no one consensus (or "blessed") implementation?

The implementation by Moxie seems interesting, but needless to say that Python 2 is an instant no-go: https://github.com/moxie0/knockknock

It hasn't been updated in 12 years, so why is it that there seems almost no real interest in a solid port knocking implementation?

0 comments

Joel_Mckay1y ago

If your hobby firewall rule-set compiler is perl based than custom trigger rules are rather trivial.

For a random example, most of these ports will just bind to the default web-server (mitigates loopback attacks etc.):

2021 //tripwire 5 day ban, delay 30s

2022 //SSL tunnel for SSH port on VM, with client source-port range restriction.

2023 //tripwire 5 day ban

2024 //tripwire 5 day ban, delay 130s

2025 //tripwire 5 day ban

2026 //trigger 1: enable trigger 2 for specific IP, 5 second delay to open

2027 //tripwire 5 day ban

2028 //trigger 2: enable trigger 3 for specific IP, 4 second delay to open

2029 //tripwire 5 day ban, delay 19s

2030 //tripwire 5 day ban

2031 //trigger 3: close trigger 2, enable SSL tunnel port for specific IP in 1 second

2032 //tripwire 5 day ban

2033 //close all ports for this client IP, and reset trigger states in 1 second

2034 //tripwire 5 day ban

I think the lack of popularity comes from the ease of locking oneself out (initially manual starting a firewall during configuration without rule caching is wise), and lack of client-side automated handshaking scripts on non-*nix systems.

Someone should put together a little tutorial given many people seem to have lost this simple skill-set. Most people tend to ignore fail2ban integration options like banning game cheats.

Have a wonderful day, =)

teddyh1y ago

Because port knocking is fundamentally a stupid idea: <https://news.ycombinator.com/item?id=39898061>

mr_mitmOP1y ago

Two of your three points don't apply to Moxie's and some other implementations, for example Singe Packet Authentication. You can have sufficient bits, and it doesn't have to be cleartext. Maybe it's technically not port knocking anymore, but it's the same idea.

And it's not about adding more bits to your authentication, it's about vulnerabilities that can be exploited without authentication, like the recent xz backdoor debacle. Port knocking would defend against that, longer keys would not.

This has all been pointed out to you in the thread you linked.

teddyh1y ago

> Maybe it's technically not port knocking anymore, but it's the same idea.

At that point, it’s equivalent to a point-to-point VPN, which is the same as IPSec transport mode. Which is what you ought to be using instead of port knocking, if your threat model includes 0-day vulnerabilities in public-facing services like SSH.

j / k navigate · click thread line to collapse

0 comments

Joel_Mckay1y ago

If your hobby firewall rule-set compiler is perl based than custom trigger rules are rather trivial.

For a random example, most of these ports will just bind to the default web-server (mitigates loopback attacks etc.):

2021 //tripwire 5 day ban, delay 30s

2022 //SSL tunnel for SSH port on VM, with client source-port range restriction.

2023 //tripwire 5 day ban

2024 //tripwire 5 day ban, delay 130s

2025 //tripwire 5 day ban

2026 //trigger 1: enable trigger 2 for specific IP, 5 second delay to open

2027 //tripwire 5 day ban

2028 //trigger 2: enable trigger 3 for specific IP, 4 second delay to open

2029 //tripwire 5 day ban, delay 19s

2030 //tripwire 5 day ban

2031 //trigger 3: close trigger 2, enable SSL tunnel port for specific IP in 1 second

2032 //tripwire 5 day ban

2033 //close all ports for this client IP, and reset trigger states in 1 second

2034 //tripwire 5 day ban

Someone should put together a little tutorial given many people seem to have lost this simple skill-set. Most people tend to ignore fail2ban integration options like banning game cheats.

Have a wonderful day, =)

teddyh1y ago

Because port knocking is fundamentally a stupid idea: <https://news.ycombinator.com/item?id=39898061>

mr_mitmOP1y ago

This has all been pointed out to you in the thread you linked.

teddyh1y ago

> Maybe it's technically not port knocking anymore, but it's the same idea.

j / k navigate · click thread line to collapse