port knocking only for ssh port?

xpucto · 03-29-2007, 05:24 AM

Hi!
on the port knocking web site it says:

Quote:

Port knocking is a suitable form of hardening hosts that house users who require continual access to services and data from any location and that are not running public services, such as SMTP look up SMTP on webopedia.com look up SMTP on FOLDOC or HTTP look up HTTP on webopedia.com look up HTTP on FOLDOC . Port knocking is used to keep all ports closed to public traffic while flexibly opening and closing ports to traffic from users who have authenticated themselves with a knock sequence.

and then a litlle further:

Quote:

Port knocking is not well suited for protecting public services such as web and mail. The reason for this is that establish a connection to protected services is predicated on the knowledge of a secret port knock. Connections to public services can come from anywhere and anyone and it is counterproductive to use port knocking to protect these ports. For this reason, the description of port knocking in this section will use ssh (tcp/22) as the example port. It is best to delegate public services such as web and mail to bastion servers in a firewall's DMZ zone (a distinct network lying between the internet and a fully protected intranet).

can´ t it be used for only one port? I have a web server so it needs to be offen and would like to hide only the ssh port, not the http or https or smtp ones. is it possible?

live_dont_exist · 03-29-2007, 08:22 AM

Just to elaborate a bit about port knocking first. Port knocking is a technique which can be used by a server to respond if there's only a specific sequence of packets hitting a port. I remember testing out a trojan called Sadoor which used port knocking.

A hacker would install the Sadoor server on a machine. However it would respond only if the Sadoor client which obviously the hacker has in this case sends packets in a preddefined order. So for eg. You could configure Sadoor to give you a shell only if it received:

Code:

a) TCP packets from port 25
b) UDP packets from port 53
c) An ICMP echo reply packet

Note that these are all fake packets created on the fly by the Sadoor client just so it can connect to the Sadoor server loaded on the compromised host. So only if the Sadoor server receives these packets in the exact same order will it let the attacker in else it'll just keep waiting.

So if you apply it to a real world scenario , port knocking on say port 80 would be a big pain as you said coz all your users would need to know what packets to construct and send which is impractical

.

Regarding your hiding ssh port I guess it'll be possible but how would you do it? You'll need to somehow tell sshd that it shouldn't directly accept requests made by a normal ssh client. It must listen for the proper port knocking sequence and allow an ssh client in only if this is true.

I'm pretty sure you will need to write a bit of code independently and have ssh call it before it responds to your request or modify the code for sshd itself. Neither of this is very practical or really needed as there are better methods of locking down / controlling access to SSH.

If there's any other way to do it without writing any fresh code I'd be glad to hear it. You might also want to look at Sadoor and its excellent documentation for an even better understanding.

Cheers
Arvind