Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.


Old 03-29-2007, 06:24 AM   #1
port knocking only for ssh port?

On the port knocking web site it says:
Port knocking is a suitable form of hardening hosts that house users who require continual access to services and data from any location and that are not running public services, such as SMTP or HTTP. Port knocking is used to keep all ports closed to public traffic while flexibly opening and closing ports to traffic from users who have authenticated themselves with a knock sequence.
and then a little further:
Port knocking is not well suited for protecting public services such as web and mail. The reason for this is that establishing a connection to protected services is predicated on the knowledge of a secret port knock. Connections to public services can come from anywhere and anyone and it is counterproductive to use port knocking to protect these ports. For this reason, the description of port knocking in this section will use ssh (tcp/22) as the example port. It is best to delegate public services such as web and mail to bastion servers in a firewall's DMZ zone (a distinct network lying between the internet and a fully protected intranet).
Can't it be used for only one port? I have a web server, so it needs to be open, and I would like to hide only the ssh port, not the http, https or smtp ones. Is that possible?

Last edited by xpucto; 03-29-2007 at 07:13 AM.
Old 03-29-2007, 09:22 AM   #2
Just to elaborate a bit about port knocking first. Port knocking is a technique a server can use to respond only if a specific sequence of packets hits its ports. I remember testing out a trojan called Sadoor which used port knocking.

A hacker would install the Sadoor server on a machine. However, it would respond only if the Sadoor client (which, obviously, the hacker has in this case) sends packets in a predefined order. So, for example, you could configure Sadoor to give you a shell only if it received:

a) TCP packets from port 25
b) UDP packets from port 53
c) An ICMP echo reply packet
Note that these are all fake packets created on the fly by the Sadoor client just so it can connect to the Sadoor server loaded on the compromised host. So only if the Sadoor server receives these packets in exactly that order will it let the attacker in; otherwise it just keeps waiting.

So if you apply it to a real-world scenario, port knocking on, say, port 80 would be a big pain, as you said, because all your users would need to know what packets to construct and send, which is impractical.

Regarding hiding your ssh port, I guess it'll be possible, but how would you do it? You'll need to somehow tell sshd that it shouldn't directly accept requests made by a normal ssh client. It must listen for the proper port knocking sequence and allow an ssh client in only if this is true.

I'm pretty sure you will need to write a bit of code independently and have ssh call it before it responds to your request, or modify the code for sshd itself. Neither of these is very practical or really needed, as there are better methods of locking down / controlling access to SSH.

If there's any other way to do it without writing any fresh code I'd be glad to hear it. You might also want to look at Sadoor and its excellent documentation for an even better understanding.
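To make the mechanism discussed in this thread concrete, here is the decision logic a knock daemon applies, written as an added example for this page; it is not code from the thread, from Sadoor or from knockd. It answers the original question directly: the public ports (web, mail) are always accepted, only port 22 is gated behind the knock, and the knock is tracked per source address with an in-order requirement, a timeout on half-finished sequences and a limited open window. In a real deployment a daemon such as knockd watches the packets and inserts an iptables ACCEPT rule for the knocking address, so only the firewall changes, not sshd. The port numbers, knock sequence, timings and the packet trace below are assumed/constructed values.

```python
"""Port-knocking decision logic for a host that serves web and mail
publicly but hides ssh (added example, not code from the thread, from
Sadoor or from knockd).  It models what a knock daemon does: watch SYNs
to closed ports, and open the protected port only for a source that has
sent the secret sequence, in order, within a time limit."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

PUBLIC_PORTS = {25, 80, 443}          # always reachable, no knock needed
PROTECTED_PORT = 22                   # reachable only after a correct knock
KNOCK_SEQUENCE = (7000, 8000, 9000)   # assumed secret sequence (example value)
SEQ_TIMEOUT = 5.0                     # seconds allowed to finish the sequence
OPEN_WINDOW = 10.0                    # seconds port 22 stays open after a knock

Packet = Tuple[float, str, int]       # (time, source IP, destination port)


@dataclass
class KnockState:
    progress: int = 0        # sequence ports this source has hit, in order
    last_knock: float = 0.0


class PortKnockPolicy:
    def __init__(self) -> None:
        self.states: Dict[str, KnockState] = {}
        self.opened_until: Dict[str, float] = {}

    def _record_knock(self, src: str, port: int, now: float) -> None:
        st = self.states.setdefault(src, KnockState())
        # A partial sequence that stalls too long is forgotten.
        if st.progress and now - st.last_knock > SEQ_TIMEOUT:
            st.progress = 0
        if port != KNOCK_SEQUENCE[st.progress]:
            # Out-of-order knock: start over, but let this packet count as a
            # fresh first knock if it happens to be the first sequence port.
            st.progress = 0
            if port != KNOCK_SEQUENCE[0]:
                return
        st.progress += 1
        st.last_knock = now
        if st.progress == len(KNOCK_SEQUENCE):
            st.progress = 0
            # knockd would run its iptables command for this source here.
            self.opened_until[src] = now + OPEN_WINDOW

    def decide(self, src: str, dport: int, now: float) -> str:
        """Verdict for a TCP SYN from src to dport arriving at time now."""
        if dport in PUBLIC_PORTS:
            return "ACCEPT"                  # web/mail: open to everyone
        if dport == PROTECTED_PORT:
            if self.opened_until.get(src, 0.0) > now:
                return "ACCEPT"              # this source knocked recently
            return "DROP"                    # everyone else sees a closed port
        # Any other port is closed; the SYN is dropped but noted as a knock.
        self._record_knock(src, dport, now)
        return "DROP"


def simulate(packets: List[Packet]) -> List[str]:
    """Run a packet trace through a fresh policy and return the verdicts."""
    policy = PortKnockPolicy()
    return [policy.decide(src, dport, t) for t, src, dport in packets]


# Constructed sample trace (not captured traffic).
SAMPLE_TRACE: List[Packet] = [
    (0.0, "198.51.100.7", 80),     # web is public: accepted without a knock
    (0.5, "198.51.100.7", 22),     # ssh before knocking: dropped
    (1.0, "198.51.100.7", 7000),   # knock 1
    (1.2, "198.51.100.7", 8000),   # knock 2
    (1.4, "198.51.100.7", 9000),   # knock 3: port 22 opens for this source only
    (2.0, "198.51.100.7", 22),     # ssh now accepted
    (2.5, "203.0.113.9", 22),      # a different host is still dropped
    (3.0, "203.0.113.9", 7000),
    (3.1, "203.0.113.9", 9000),    # out of order: sequence resets
    (3.2, "203.0.113.9", 8000),
    (3.3, "203.0.113.9", 22),      # still dropped
    (13.0, "198.51.100.7", 22),    # open window expired: dropped again
]

if __name__ == "__main__":
    for (t, src, dport), verdict in zip(SAMPLE_TRACE, simulate(SAMPLE_TRACE)):
        print(f"t={t:5.1f} {src:>14} -> :{dport:<5} {verdict}")
```

Two caveats a practitioner should keep in mind: the knock sequence travels in the clear, so anyone who can observe it on the path can replay it, and a knock-protected port only hides sshd from scanners; it is not a substitute for key-based authentication and the other sshd hardening the second post alludes to.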


