Portknocking-Daemon-GUI or Package –> {CANCELED}

BuddhaChu

Don't cancel it on account of what I said.  :(

sullrich

I think you should not listen to the back seat drivers.  Let me keep digging around for a solution.  I have been trying to get knockd ported from Linux and am about 60% done.

If you have a 3-4 knock key, ie:

telnet ip 945
telnet ip 5678
telnet ip 1234
telnet ip 4756

Then I don't see how much this will hurt.  Besides, what exactly are you planning on exposing once you knock?  The webConfigurator or possibly SSH?

heiko

I set the Bounty for the portknocking feature to

1000 €

Greetings
Heiko

DanielSHaischt

Just to document what I've found about port knocking so far:

research paper:
http://www.runtux.com/files/download/portknock.4.pdf

fwknop - promissing but Linux based:
http://www.cipherdyne.org/fwknop/

trapdoor2 - may work out of the box on BSD:
http://oss.linbit.com/trapdoor2/

webknocking - an alternative approach in some kind of an early stage:
http://www.webknocking.de/semaphor.php?item=webknocking_en

Reverse Remote Shell - Very interesting but needs a client:
http://www.cycom.se/dl/rrs

and of course:
http://www.portknocking.org/view/implementations

sullrich

I will continue porting knockd over to FreeBSD.  It seems to be the nicest of the bunch.

cmb

From what I can see, knockd appears to just allow you to setup a sequence of ports, and any old connection to those ports will work. Well….while it's widely compatible, it's next to worthless. Unless you change the ports and sequence every time somehow, it's highly insecure. First time you use it on a hot spot, or if someone intercepts your traffic some other way, you're compromised. Granted it wouldn't be the only security measure you would rely upon, but there are much more secure ways of doing this.

doorman is nice in that intercepting the traffic in transit doesn't completely eliminate the security provided. See the quote in BuddhaChu's post above. The only way I can think of to do this securely will require a client like doorman.

yoda715

From a security standpoint, a port knocking daemon that requires a client is the best option.

heiko

Hello,

my statement to this discussion:

the knockd daemon runs passively listening to network traffic without opening any network ports. Even though it is practically impossible to an attacker to see that we are running knockd on the server, and try to guess the knock sequences we have configured.

Some general common sense security rules for the knockd, so "Scott"  - this must be implemented as default settings in the gui:

• NEVER use default sequences. I have included in my example for this reason the default 7000,8000,9000 sequence to not create another default pattern. Choose your own port sequences.

• Use at least 3 ports in the sequence. If you are paranoic you can use as many ports as you like.

• Mix tcp ports (default, if you do not specify the protocol) with udp ports: 9000:tcp,8000:udp,7000:tcp

Even if someone might hit by mistake the configured sequences try to prevent any damage: choose proper timeouts for running the command, use strong passwords as default (required in the GUI), etc.

So i think knockd is the first option for me. ;D

sullrich

@heiko:

So i think knockd is the first option for me. ;D

Sonuds good.  I will keep porting it but will not have time to work on it again until tomorrow or Wed as we are about to release 1.2-BETA-1.

heiko

No problem, good work!

cmb

Heiko, I know you want something that doesn't require a client, but that's the only way to do this securely. It doesn't really matter how many ports you use, how random they are, and whether you mix TCP and UDP, knockd is still insecure. Anyone that can intercept your traffic can bypass it, and you never know who's intercepting your traffic.

doorman seems to have a client available for pretty much any OS, and is a secure way to accomplish the same thing. I encourage you to strongly consider doorman over knockd.

From an email conversation - neither Scott nor I would use knockd ourselves, but we'd be comfortable using doorman, if that tells you anything. :) But Scott is willing to implement either one to satisfy your bounty.

heiko

Hello,
OK,
what was the problem with the doorman package in the past?
Why have the package not really worked in the past?
Now, is it possible to recompile doormanD to run fine with pfsense and also "bugless"?

I think, clientless portknocking is better but all of you voting for Doorman or other implementations, i´m confident!

If doormanD is a mess  ;), we are searching for another implementation without doormand and knockd, i think!
Thanks Daniel for the links - Is trapdoor2 an option? It is a clientless implementation, and the knock packets are SSL-encrypted?!

All of us are searching for the absolute best solution, high secure, fast and realizable… :), so Scott, sorry - knockd isn´t the accurate package for all of us, sorry, sorry - Don´t beat me

Greetings
heiko

sullrich

The problem with doorman was the person that put it together last did not test it at all.

It will not be hard to get doorman working and back into shape if that is what you want.

heiko

Hello Scott and the others from the dev-team,
sorry, i am not confident with the doormand or any other portknocking solutions.
sorry for the additional expenditure.

Sorry, maybe we are search for a cool solution a little bit later.
I kill the bounty.
heiko