Re: an anternative to port-knoking using the OpenBSD pf only

From: gimeshell@xxxxxx
Date: Fri, 17 Feb 2006 09:12:10 +0100

On Tue, 24 Jan 2006 10:56:34 +0100
Joachim Schipper <j.schipper@xxxxxxxxxx> wrote:

On Mon, Jan 23, 2006 at 10:44:52PM +0100, poplix wrote:

Hi there,

I wish to propose an alternative to port knoking that uses the
native OpenBSD's pf code only. The idea is to use the pf's passive
os fingerprinter to authenticate initial SYN packets.
With a tool (or kernel patch) able to rewrite packets header is
possible to use a specific sequence of header fields as a key to
validate packets.

This is an interesting - albeit not exactly new - idea, but it has the
very real disadvantage over port knocking that it requires priviliges
(typically root) on the connecting host.

I'm fairly new to network security so i'm
wondering what's the problem using root priviliges to connect to server?
Do you mean, this is a general security problem or simply a client-side
disadvantage?
Do you think, running such a packet rewriter on client-side opens new
doors for attackers and reduces client-side security thus?

regards

------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------

Prev by Date: Re: Rookie question about differences between -S and -sI option
Next by Date: Re: Password Crackers
Previous by thread: Re: an anternative to port-knoking using the OpenBSD pf only
Next by thread: Re: an anternative to port-knoking using the OpenBSD pf only
Index(es):
- Date
- Thread

Relevant Pages

Re: Minimize key size for sending only 10 messages
... I must not be understanding what you mean by "Computational security" ... and algorithm". ... groups of 10 packets, but each group will use a different session key? ... replay attacks, and against provocations of known-plaintext attacks? ...
(comp.security.misc)
Re: an anternative to port-knoking using the OpenBSD pf only
... > I wish to propose an alternative to port knoking that uses the native ... > fingerprinter to authenticate initial SYN packets. ... Audit your website security with Acunetix Web Vulnerability Scanner: ... Cross site scripting and other web attacks before hackers do! ...
(Pen-Test)
Re: Pelosi & Reid Will Not Like Progress Cited in Iraq Quarterly Report
... This is from 4 pages, less than 10 percent, of the report. ... Reid has called General Petraeus a liar for saying progress had been made in Iraq, and more recently he has called Petraeus and outgoing chairman of the Joint Chiefs,Marine Gen. ... Assessment of the Security Environment— ... the frequency and intensity of attacks on the ...
(soc.retirement)
Re: Pelosi & Reid Will Not Like Progress Cited in Iraq Quarterly Report
... This is from 4 pages, less than 10 percent, of the report. ... Reid has called General Petraeus a liar for saying progress had been made in Iraq, and more recently he has called Petraeus and outgoing chairman of the Joint Chiefs,Marine Gen. ... Assessment of the Security Environment— ... the frequency and intensity of attacks on the ...
(soc.retirement)
Re: Cracking WEP and WPA keys
... SecurityFocus wi-fi security mailing list. ... >>802.11G PCMCIA card, and the Linux server was running Samba to talk to ... >>Audit your website security with Acunetix Web Vulnerability Scanner: ... Cross site scripting and other web attacks before hackers do! ...
(Pen-Test)