securing sshd

Erik Norgaard norgaard at
Sun Mar 21 09:39:49 UTC 2010

On 21/03/10 02:27, Peter wrote:

> On the same line, portknocking with pf:

Port knocking suck:

If you have to knock a single time on the secret port you might just 
have no added security at all, could be that the port scanner first 
knocked on the secret port then on the ssh port.

If you have to knock multiple times on the secret port, same thing, 
usually when you scan for open ports, multiple packets are sent in case 
of packet loss. You can't use timing between packets because this may 
change on the path. Yet you do need to implement timeouts to avoid a 
halfway knocked sequence.

If you have to knock various ports, you can't rely on packets arriving 
in a particular sequence. And even if you did, the port scanner might 
just get that order right. If your secret is to knock port 1234 and then 
port 2345 nmap might do just that when scanning ports 0-10000. And if 
the secret is the reverse order, again, nmap might just do that because 
multiple packets are sent to each port.

If you require more than a single knock you have to monitor also for 
wrong knocks or a simple nmap scan may be just sufficient to expose your 
server as in the example above.

A port knock or port knock sequence is a shared password that cannot be 
encrypted. Since there is no previous user identification the knocking 
is the same for all users. It's not encrypted because the secret is in 
the port number you knock. This is possibly the worst kind of secret you 
can manage.

If you find yourself thinking you need port knocking, then your 
passwords are not strong enough. It is far better to use longer and more 
complex passwords: They are individual for each user and encrypted.

Then you have the problem of monitoring established connections to flush 
the tables once a session is terminated.

Port knocking adds complexity to your server, meaning more things can go 
wrong, and adding yet another attack vector for the intruder. Having a 
script to automatically update a live rule set is a recipe for disaster.

It's as unuserfriendly and impractical as it gets:

The more ports you have to knock the higher the probability that some 
packets will be filtered when you're behind somebody else's firewall. 
You can be most certain that you can't convince the admin of some 
corporate network to open up for your port knocking.

Because of the build in stealth you have no way of knowing if packets 
are dropped or filtered. And the user will have to accept a delay for 
your port knocking script to update the rules.

You add complexity for the user, now they have your special port 
knocking client, know the secret, on top of carrying around their 
private ssh keys etc.

Port knocking suck at security: It does not solve a single existing 
problem but introduces a host of other problems. Use it at home for 
playing around and learning about protocols and stuff, but please don't 
give people the illusion that their security problems will be solved 
with port knocking.

BR, Erik

Erik Nørgaard
Ph: +34.666334818/+34.915211157        

More information about the freebsd-questions mailing list