by teddyh 4638 days ago
> Title: Why Not Use Port Knocking?

For me, the answer is simple: It violates Kerckhoffs’s principle¹. If you want more secret bits that users need to know in order to access your system, increase your password lengths. If you want to keep log sizes manageable, adjust your logging levels.

1) https://en.wikipedia.org/wiki/Kerckhoffs%27s_principle


> If you want to keep log sizes manageable, adjust your logging levels.

Changing the port is a really good and simple fix. If you also drop packets to closed ports instead of rejecting them, you slow the scan down enough that only a targeted attack is likely to find your ssh port.

All that with no performance penalties, no cumbersome configuration, no experimental software, with one change to one config file. I say do it.

I'm not a fan of changing the SSH port, but at least I get what that buys you.

Changing port is the wrong solution to large log files. This seems obvious to me, but maybe I can put forward another drawback of changing the port number: It is confusing.

I mean, you could easily stop using the DNS and use raw IP addresses for everything - this should cut down on your attacks and maybe even spam, right? Nobody does this because it is insanely inconvenient, and ignores the solution to this inconvenience which DNS is. Standardized port numbers exist for many reasons - do not abandon them and create complexity for your fellows merely for your personal convenience.

> I mean, you could easily stop using the DNS and use raw IP addresses for everything - this should cut down on your attacks and maybe even spam, right?

No, it wouldn't. But you do have a point. And most sysadmins don't let just anyone axfr their zone.

Like changing the port, it's not a security measure and it will inconvenience someone every once in a while. Still, I don't need to advertise every host I run.

Same with using a PO box or your provider's info for whois. It's not going to deter anyone determined but it cuts down on some casual annoyances.

EDIT: Also, setting the port

    Host *.whatever.net
        IdentityFile ~/.ssh/whatever
        ServerAliveInterval 10
        Port 17022

in ssh config costs you nothing, one more line in a config you'd have to write anyway.

> it's not a security measure and it will inconvenience someone every once in a while

So why do it? And port knocking will inconvenience every user, all the time.

> setting the port in ssh config costs you nothing

It costs complexity for all users of the system. This includes you, all other people using it, all servers and their services wanting SSH access, etc. Standards are a good thing.

The issue is, the SSH server is many tens of thousands of lines and extremely complex, while a port-knocking implementation might be a few hundred lines and very easy to audit. It's much easier to be certain that the simple one is bug free. The simple one protects the complex one.

If you have cause to worry about security holes in SSH, you should not rely on port knocking to protect you.

That does not follow. Making a service unavailable to an attacker is an excellent way to prevent it from being attacked. And ssh may have holes in it, it was written by people, people make mistakes and there have been holes in it in the past.

Adding port knocking in front of your ssh server does not make the service unavailable to attackers. At best it deters some attackers, based on the same principle that some store owners put up a cardboard box painted to look like a video camera. If the added "security" prevents most onlookers and casual would-be attackers, then the cardboard box is indeed an excellent way to prevent the store from being attacked.

It is still however a cardboard box with paint on it. The effectiveness disappears the second criminals bother to test the illusion. What I then wonder is, did the store owner trust the cardboard box effect to the degree of not installing a proper door, lock and alarm?

Unfortunately OpenSSH doesn't give you that much control over logging. In my setup I'd like to log successful logins as well as failed login attempts for users that exist, excluding root because logins for root are disabled. This would keep all the scripted (and wholly ineffectual) break-in attempts from flooding the logs while allowing the sysadmin to keep an eye on the more interesting events.

I don't use port knocking, nor do I run sshd on a nonstandard port, but I perfectly understand the people who do that just to keep the log spam down.
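The log filter the comment above wishes sshd offered, as an added example (not code from the thread): a Python pass over sshd auth lines that keeps successful logins and failures against real, login-enabled users, and drops attempts against nonexistent users and against root. The regexes follow the wording of OpenSSH's own messages; the log lines, PIDs and addresses are constructed.

```python
import re

# Regexes follow the wording of OpenSSH's auth messages; everything in
# SAMPLE_LOG is constructed for this example (RFC 5737 addresses, fake PIDs).
ACCEPTED = re.compile(
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)
FAILED = re.compile(
    r"Failed (?P<method>\S+) for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)"
)

SAMPLE_LOG = [
    "Jan  5 10:01:12 host sshd[4101]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2: ED25519 SHA256:constructed",
    "Jan  5 10:01:40 host sshd[4107]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2",
    "Jan  5 10:01:41 host sshd[4108]: Failed password for root from 198.51.100.9 port 40100 ssh2",
    "Jan  5 10:02:03 host sshd[4110]: Failed password for bob from 203.0.113.5 port 33000 ssh2",
    "Jan  5 10:02:05 host sshd[4110]: Connection closed by authenticating user bob 203.0.113.5 port 33000 [preauth]",
]


def classify(line, disabled_users=("root",)):
    """Return (verdict, reason, fields) for one sshd log line.

    "keep": a successful login, or a failure against an account that exists
            and may log in. "drop": noise against nonexistent or disabled
            accounts, and lines that are not auth events at all.
    """
    m = ACCEPTED.search(line)
    if m:
        return "keep", "successful login", m.groupdict()
    m = FAILED.search(line)
    if m:
        f = m.groupdict()
        if f["invalid"]:
            return "drop", "nonexistent user", f
        if f["user"] in disabled_users:
            return "drop", "login disabled for this user", f
        return "keep", "failed attempt against a real user", f
    return "drop", "not an auth event", {}


def filter_sshd(lines, disabled_users=("root",)):
    """Keep only the lines worth a sysadmin's attention, in input order."""
    return [l for l in lines if classify(l, disabled_users)[0] == "keep"]


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        verdict, reason, fields = classify(line)
        print(f"{verdict:4}  {reason:36}  {fields.get('user', '-')}")
```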

The sequence of ports becomes a key. I don't think the principle is violated.

What I think is that you should disable password authentication anyway, and adding port knocking to an ssh server that doesn't accept passwords is equivalent to adding a thin wood plank to a 20" steel door with a state-of-the-art lock.

But the sequence can be found by sniffing the network connection. Unlike the ssh passwords, which aren't ever transmitted in plain text.

> The sequence of ports becomes a key.

Yes, I agree completely. Which is why it buys you nothing compared to simply increasing your password/key lengths with the equivalent number of bits. On the contrary, it introduces confusing complexity for oneself and one’s fellows. Maybe this is what unconscionable people call “Job security”?

> equivalent to adding a thin wood plank

It is less like a thin wooden plank and more like a hedge maze which all legitimate users also must traverse each time. And all the hedges are made of asbestos.

Reason by analogy much? Layered security and out of band. Flaw in ssh? Still have another speed bump in the attack vector.

Not only is port knocking just adding a key that gives you nothing over a longer password or actual ssh key, but it's also a key that you send in plaintext over public networks every time you connect.