Comments on: Enhance Security with Port Knocking http://www.linux-mag.com/id/5445/ Open Source, Open Standards Sun, 07 Sep 2008 08:43:11 +0000 http://wordpress.org/?v=2.0.11 by: salinuxam http://www.linux-mag.com/id/5445/#comment-1127 Mon, 02 Jun 2008 03:35:18 +0000 http://www.linux-mag.com/id/5445/#comment-1127 It's like our aim is to avoid a port scan primarily. If some body does so null route them using iptables.Portsentry does this pretty accurately :) It’s like our aim is to avoid a port scan primarily. If some body does so null route them using iptables.Portsentry does this pretty accurately :)

]]> by: J. Alfred Prufrock http://www.linux-mag.com/id/5445/#comment-924 Thu, 27 Mar 2008 03:38:47 +0000 http://www.linux-mag.com/id/5445/#comment-924 Alternately, you can use an iptables-only approach to port-knocking (ie. same thing but without knockd). It's probably not as configurable, but for a simple setup it's good enough. For an example, see http://www.debian-administration.org/articles/268 Alternately, you can use an iptables-only approach to port-knocking (ie. same thing but without knockd). It’s probably not as configurable, but for a simple setup it’s good enough. For an example, see http://www.debian-administration.org/articles/268

]]> by: david braun http://www.linux-mag.com/id/5445/#comment-921 Mon, 24 Mar 2008 11:02:56 +0000 http://www.linux-mag.com/id/5445/#comment-921 Javi's makes valid point. Maybe you could set up separate tables for each service under knockd control. This would not prevent someone from removing the whole table with multiple knockd closes but would limit the problem to just that service instead of the main INPUT chain. Better yet would be to configure the commands issued by knockd to be smarter and create unique table names for each successful knocker. Javi’s makes valid point. Maybe you could set up separate tables for each service under knockd control. This would not prevent someone from removing the whole table with multiple knockd closes but would limit the problem to just that service instead of the main INPUT chain. Better yet would be to configure the commands issued by knockd to be smarter and create unique table names for each successful knocker.

]]> by: javi http://www.linux-mag.com/id/5445/#comment-920 Sun, 23 Mar 2008 20:48:39 +0000 http://www.linux-mag.com/id/5445/#comment-920 In my opinion registrationsucks is right. You will also get into problems if there are more processes that can insert rules in front of your iptables chain, like f.e. fail2ban. Just leave the number out. New rules with flag -I will be inserted in front and only matching rules will be deleted, independent of their order in the chain. In my opinion registrationsucks is right. You will also get into problems if there are more processes that can insert rules in front of your iptables chain, like f.e. fail2ban. Just leave the number out. New rules with flag -I will be inserted in front and only matching rules will be deleted, independent of their order in the chain.

]]> by: registrationsucks http://www.linux-mag.com/id/5445/#comment-919 Fri, 21 Mar 2008 20:38:10 +0000 http://www.linux-mag.com/id/5445/#comment-919 If I understand your configuration correctly, anyone knocking with the signoff sequence will delete the first rule on the input chain. This is great if it happens to be the rule that opened up MYSQL, but it is an easy denial of service attack if you happen to be running any other publicly accessible services on the box - a webserver for example. Multiple signoff knocks will shut the whole thing down. A better approach is to specifically delete the rule you added earlier (if it is there). At the very least it should only shutdown rules matching the port you opened. If I understand your configuration correctly, anyone knocking with the signoff sequence will delete the first rule on the input chain. This is great if it happens to be the rule that opened up MYSQL, but it is an easy denial of service attack if you happen to be running any other publicly accessible services on the box - a webserver for example. Multiple signoff knocks will shut the whole thing down. A better approach is to specifically delete the rule you added earlier (if it is there). At the very least it should only shutdown rules matching the port you opened.

]]> by: Pieter Smit http://www.linux-mag.com/id/5445/#comment-916 Fri, 21 Mar 2008 06:15:52 +0000 http://www.linux-mag.com/id/5445/#comment-916 something similar can be achieved with openvpn. it can be setup to include a hashkey in the connection udp packets, if the first packet does not contain the hash it is silently discarded. Thus the openvpn port is totally invisible from the outside, with the added benefit that when you connect all traffic is encrypted, and you are authenticated with a certificate. http://openvpn.net/index.php/documentation/security-overview.html "the --tls-auth directive to generate an HMAC key to authenticate the packets that are themselves part of the TLS handshake sequence." something similar can be achieved with openvpn.
it can be setup to include a hashkey in the connection udp packets, if the first packet does not contain the hash it is silently discarded.

Thus the openvpn port is totally invisible from the outside, with the added benefit that when you connect all traffic is encrypted, and you are authenticated with a certificate.

http://openvpn.net/index.php/documentation/security-overview.html

“the –tls-auth directive to generate an HMAC key to authenticate the packets that are themselves part of the TLS handshake sequence.”

]]>