A critique of port knocking
Suppose you want to be able to retrieve files from your Linux system remotely. The "standard" method of running the SSH server on port 22 is notoriously inadequate. OpenSSH, which is the SSH server on the majority of Linux installations, suffers from regular exploits of buffer overflow and other vulnerabilities, and you neither have the time to keep up with the patches nor want to make the effort -- you'd rather put up with not being able to access your files. This is where port knocking might seem to help -- but don't count on it.
Port knocking is a method of "message transmission across closed ports." It works like this: initially a firewall blocks all ports on the server. The client issues a series of connection requests (knocks) to different ports; these are, of course, dropped since the ports are blocked. However, there is a daemon that monitors the log files for connection requests, and the sequence of requests serves as an encrypted code. If the code makes sense to the daemon, it enables SSH or another service (for a particular IP address and on a particular port encoded by the knock sequence).
By Arvind Narayanan at NewsForge.
[ Read more ]