Saddened by lack of port knocking… anyone else agree? Get the bounty back?
-
In response/respect to the following topic on the bounty for portknocking…
http://forum.pfsense.org/index.php/topic,4168.30.html
Can I humbly request that we re-open this? I'd even be willing to work with someone on porting knockd to pfSense. And in response to some users' concerns that knockd is not secure, with some minor scripts and cron it can easily become secure. It can change its pattern on an hourly, daily, weekly, or monthly basis based on a private hash, and the knock sequence can only be remotely generated and matched by a CLI script that generates that hash. For Windows users/clients any port knocking client will work, but they will need to use a website or a remote CLI script (because I haven't programmed anything for Windows, only OS X/Linux) to generate the sequence. This adds that extra level of uber-security to knockd. It's a feature I've asked the creator of this package to add, but he doesn't have time to do so, and I don't have the time either, but I could really, really use this feature on pfSense. knockd also has a mundane level of simplicity to it, which should make it easier to port and maintain.
About my pf history/specs... I use pf to route to 2 separate cluster installations and set up most of my clients with thin clients or Soekris boards, and I really want to shy away from leaving ports open on the WAN side so I can remotely administer their network and/or computers. For 1 cluster installation I am using Gentoo as a simple LVS router with the above knockd setup, and it's been working great for over a year with the same setup I describe above. As long as the server keeps accurate time (NTP) and my computer does the same, it works splendidly.
I would definitely seriously spend time and effort implementing this feature if it wasn't just for me, and if I got some loot out of it! :) Can I get any "heck yeah's?" :)
Any other input/questions are more than welcome.
- I
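The rotating-sequence scheme described in the post above, as an added worked example (this is not code from the post, from knockd, or from pfSense): the knock sequence for each rotation window is derived with HMAC-SHA256 from a shared secret and the window number, so client and server need only the secret and NTP-synchronized clocks. The function and class names, the constructed secret, the 4-port sequence length, the 1024-65535 port range and the acceptance of the previous window (to survive clock skew at a rollover) are all assumptions made for illustration; the server side only decides whether a source has completed a valid sequence and does not touch the firewall.

```python
import hashlib
import hmac
import struct
import time

SEQ_LEN = 4          # ports per knock sequence (assumption)
PORT_MIN = 1024      # knock ports are drawn from the unprivileged range (assumption)
PORT_MAX = 65535
SKEW_WINDOWS = 1     # also accept the previous window, for NTP drift at a boundary


def window_index(now, period):
    """Rotation window number for a Unix timestamp.
    period is the rotation interval in seconds: 3600 hourly, 86400 daily, 604800 weekly."""
    return int(now) // int(period)


def knock_sequence(secret, window, seq_len=SEQ_LEN):
    """Derive the knock sequence for one window from the shared secret.
    HMAC-SHA256(secret, window || counter) is consumed two bytes at a time; each
    chunk maps to a port, repeated ports are skipped so the sequence is unambiguous,
    and the counter is bumped if one digest does not yield enough distinct ports."""
    ports = []
    counter = 0
    span = PORT_MAX - PORT_MIN + 1
    while len(ports) < seq_len:
        msg = struct.pack(">QI", window, counter)
        digest = hmac.new(secret, msg, hashlib.sha256).digest()
        for i in range(0, len(digest) - 1, 2):
            port = PORT_MIN + int.from_bytes(digest[i:i + 2], "big") % span
            if port not in ports:
                ports.append(port)
            if len(ports) == seq_len:
                break
        counter += 1
    return ports


def client_sequence(secret, period, now=None):
    """Client side: the sequence to knock right now (what the CLI script would print)."""
    return knock_sequence(secret, window_index(time.time() if now is None else now, period))


class KnockMatcher:
    """Server side: tracks each source's progress through the sequence valid for the
    current window, or the previous one, so a knock at a rollover is not rejected."""

    def __init__(self, secret, period, seq_len=SEQ_LEN):
        self.secret = secret
        self.period = period
        self.seq_len = seq_len
        self.progress = {}   # src -> (window being matched, ports matched so far)

    def valid_windows(self, now):
        cur = window_index(now, self.period)
        return [cur - k for k in range(SKEW_WINDOWS + 1)]

    def observe(self, src, port, now):
        """Feed one SYN (source address, destination port). Returns True when src has
        just completed a valid sequence; the caller would then open the real port."""
        win, matched = self.progress.get(src, (None, 0))
        # Continue an in-progress sequence, else try to start one in any valid window.
        candidates = [win] if win is not None else self.valid_windows(now)
        for w in candidates:
            if w not in self.valid_windows(now):
                continue  # the window this source started in has expired
            seq = knock_sequence(self.secret, w, self.seq_len)
            if seq[matched] == port:
                if matched + 1 == self.seq_len:
                    self.progress.pop(src, None)
                    return True
                self.progress[src] = (w, matched + 1)
                return False
        # Wrong port: any partial progress for this source is discarded.
        self.progress.pop(src, None)
        return False


if __name__ == "__main__":
    # Constructed demo secret; in practice read it from a root-only file.
    demo_secret = b"constructed-demo-secret"
    print("knock this hour:", client_sequence(demo_secret, 3600))
```

A port scan still sees nothing open, and because the sequence changes every window, a sequence sniffed from one session is worthless after the next rotation; the secret itself never crosses the wire.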
-
Do "you" want to re-open the portknocking bounty?
-
Have you looked at System: Advanced functions in the WebGUI?
You can switch off SSH there and, what I think is way more secure than port knocking, you can disable password logins to SSH. Only authorized keys are allowed then, which is supposed to be secure to current knowledge.
Port knocking is, more or less, security by obscurity. That has never proven to be a good choice.
-
Of course, private SSH keys are always an option. And security by obscurity alone is never a good idea. But I'm a huge fan of multiple levels of security (even if some are through obscurity). Even with a simple port knocking scheme, and even if it uses the default ports, it will keep ports closed that you want closed to the general public. I prefer (especially for my own house, and for clients) that their WAN ports have NO ports open, preferably even disabling ICMP replies also. If there are no doors, there are no attempts. However, for now on my pfSense installs, I tend to keep port 22 open on WAN, and for some I keep some combination of FTP/HTTPS/NFS/CVS ports open for myself or my clients' purposes. I'd prefer not to have thousands of attempts daily by scripts/bots/botnets/etc. to break the passwords and accounts on the server. With closed ports it stops before it even begins. A port scan will reveal no open ports and the scripts/bots/etc. do not even try. Even better when it doesn't respond to ICMP, then they never even port scan (usually, e.g. nmap).
Like I said, I completely agree that obscurity is bad when it's alone. When it's combined with known methods of encryption and security (e.g. SSH/HTTPS) it can have wonderful results. For clients I can even set up a simple bash/batch script to run a simple port knocking sequence if/when that client wanted to VPN (I'd add it to my OpenVPN startup script) or if they wanted to FTP. This would eliminate the need to go log trolling/parsing on their servers, wading through millions of scripted attempts at guessing the SSH usernames/passwords and FTP usernames/passwords.
I just have a lot of great experience with port knocking… it's a great combination when used correctly with real security practices.
And lastly... yeah, I'd pitch in $50 to get this request started back up again. Even with simple port knocking. In fact... I think that would be a great start, and we can work towards a future advanced port knocking scheme. If that isn't enough to get things baking in a month I'll double it. I would, however, be more than happy to assist in this goal and test on LiveCD, embedded (Soekris) or VMware-based setups here at home. I just don't have the pfSense experience to do it alone.
Thanks,
- I
-
If you re-open the bounty I will also spend $50 (for the beginning) - mantra
Greetings Heiko
-
Sounds good. Heiko and anyone else interested: I started up a bounty. Please go there and give your input and post your amount, and I'll update the subject with the total.
Check it out here: http://forum.pfsense.org/index.php/topic,6024.0.html
In addition, if anyone here decides to work on it, I'd be more than happy to test and/or assist.
- I