Ian Cheong wrote:
> At 4:26 pm +1000 28/6/06, David Guest wrote:
>> Horst Herb wrote:
>>> On Wednesday 28 June 2006 13:25, Tim Churches wrote:
>>>
>>>>> I'd have to think about how to do that under Windows unfortunately. It
>>>>> could be a bit tricky.
>>>>>
>>>> A Python script could do it, I think. I'll see what can be whipped
>>>> up...
>>>>
>>>
>>> easy peasy.
>>>
>>> import telnetlib
>>> import socket
>>>
>>> host = "127.0.0.1"
>>> ports = [1000, 2000, 3000]
>>>
>>> for port in ports:
>>>     # Telnet() without arguments does not connect; open() does.
>>>     tn = telnetlib.Telnet()
>>>     try:
>>>         tn.open(host, port)
>>>         tn.close()
>>>     except socket.error:
>>>         print "can't connect to host %s on port %d" % (host, port)
>>>
>>>
>>> Horst
>>>
>> Oh look, batteries.
>>
>> You gotta luv your python.
>>
>> David
>
>
> When comparing port knocking to RSA keys:
> 3 knocks from 65536 possible ports results in probability of guessing at
> 1 in 2.8 x10^^14.
> 512-bit RSA key results in probability of guessing at 1 in 1.34x10^^154.
> 1024-bit RSA key default in ssh-keygen results in a very low probability
> (try squaring the number on the last line) of a brute force attack.
>
> I guess that's why port knocking is reported as not quite taking off yet
> in the security community.
> http://en.wikipedia.org/wiki/Port_knocking
Three comments:

1. Why use only three knocks? I think the limit on the number of ports you can use in the knock sequence is 255 - three just happens to be the number given in the configuration examples. Let's see, 64000^^255, that's about...oh never mind, big enough.

2. To quote my own post, which Ian clearly didn't read:

> I should add that knockd does not protect against attacks by your ISP
> (or their staff) as they can easily monitor the sequence of port
> knocking attempts which unlock your door - in fact it is vulnerable to
> anyone able to monitor the packets sent by whatever client you are
> using to your server, - hence you still need other means of
> authentication. But it is an excellent defence against random hackers,
> especially robots.

So no, knockd is NOT a substitute for a proper authentication method, and no, I never suggested that it was. But it does have its place, which is in conjunction with (strong) password or public key authentication.

3. The use of RSA or DSA authentication for ssh is not without its pratfalls, as discussed in this article: http://www-128.ibm.com/developerworks/library/l-keyc.html - I am amazed at how many people who should know better configure RSA or DSA authentication without the essential protection of encrypted private keys, just so they can avoid having to type any passwords.

Tim C

_______________________________________________
Gpcg_talk mailing list
http://ozdocit.org/cgi-bin/mailman/listinfo/gpcg_talk
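The two points argued in this thread, that a knock sequence is a small search space compared with an RSA key and that the sequence travels in the clear past anyone who can see the packets, can be made concrete with a small simulation. The following is an added example, not code from the thread or from knockd itself: it runs a knockd-style per-source state machine over a constructed log of connection attempts (timestamp, source address, destination port), shows what a passive observer on the path recovers from that same log, and computes the effective bit strength of a knock sequence. The knock sequence, the time window and the log entries are all constructed for illustration.

```python
import math

# Constructed sample of connection attempts as a firewall would log them:
# (seconds since start, source address, destination port).
SAMPLE_LOG = [
    (0.0, "203.0.113.5", 22),      # ordinary probe, not part of a knock
    (1.0, "198.51.100.7", 1000),   # correct knock sequence begins
    (1.2, "198.51.100.7", 2000),
    (1.4, "198.51.100.7", 3000),   # sequence complete: door opens for this source
    (2.0, "203.0.113.5", 1000),
    (2.5, "203.0.113.5", 3000),    # wrong order: progress for this source resets
    (9.0, "198.51.100.7", 22),     # the now-unlocked source reaches the real service
]

KNOCK_SEQUENCE = (1000, 2000, 3000)  # constructed; the thread's example ports
WINDOW_SECONDS = 5.0                 # whole sequence must arrive within this window


def knock_unlock_events(log, sequence=KNOCK_SEQUENCE, window=WINDOW_SECONDS):
    """Return [(time, source)] for every completed knock sequence.

    Per-source state as a knockd-style daemon keeps it: the next expected
    position in the sequence plus the time of the first knock. A wrong port
    or an expired window resets that source to the start.
    """
    state = {}  # source -> (next_index, time_of_first_knock)
    unlocked = []
    for ts, src, port in log:
        idx, t0 = state.get(src, (0, ts))
        if idx > 0 and ts - t0 > window:
            idx, t0 = 0, ts  # too slow: start over
        if port == sequence[idx]:
            if idx == 0:
                t0 = ts  # first knock of a fresh attempt
            idx += 1
            if idx == len(sequence):
                unlocked.append((ts, src))
                idx = 0
        else:
            idx = 0  # any wrong port resets the attempt
        state[src] = (idx, t0)
    return unlocked


def ports_visible_to_observer(log, src):
    """Ports attempted by `src`, in order, exactly as anyone able to see the
    packets (ISP, upstream router) sees them. Nothing here is secret: the
    knock sequence is readable straight out of the traffic."""
    return [port for _, s, port in log if s == src]


def knock_strength_bits(port_space=65536, knocks=3):
    """Effective key length of a knock sequence: knocks * log2(port_space).
    Three knocks over 65536 ports give 48 bits, i.e. about 2.8e14 sequences,
    matching the figure quoted in the thread."""
    return knocks * math.log2(port_space)


if __name__ == "__main__":
    print("unlock events:", knock_unlock_events(SAMPLE_LOG))
    print("observer sees:", ports_visible_to_observer(SAMPLE_LOG, "198.51.100.7"))
    print("knock strength: %.0f bits" % knock_strength_bits())
```

The unlock list contains only the source that sent the three ports in order inside the window; the out-of-order source never opens the door. The observer function returns the same three ports in the same order, which is the thread's point: a knock sequence is a filter against untargeted scanners, not a secret that survives anyone watching the link, so the SSH key or password behind the door still does the real authentication.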
