Opening a door with a knock

Hi,
even though I suspect that what I am going to write is not currently feasible with IPFire, I will still try to expose it…
Many years ago, a developer friend of mine told me that with Linux he had seen a port open (in the firewall) by a very specific knock. I do not remember the name of this thing. I give a practical example to try to explain.

SERVER SIDE:

  • Public IP = 5.nnn.nnn.4
  • Local IP of the machine with service installed = 192.168.1.1
  • Door with service = 80

CLIENT SIDE:

  • Public IP = 50.nnn.nnn.40

The client’s public IP address (50.nnn.nnn.40) knocks on ports 8888, 4444, 7777 of IP “5.nnn.nnn.4” in a specific order.
Only if the order of the knock (client-side) is right, IPFire (server-side) should open port 80 to local machine 192.168.1.1 for some time and only for IP 50.nnn.nnn.40.
When the time expires, port 80 is closed by the firewall.

Do you think there is a way to accomplish this with IPFire, in aggregation with other software available for free on the net?
Is it still a valid extra protection today?

P.S. Please forgive my English. I used automatic translators. I hope my example is clear.

Thank you in advance.

It’s called Port Knocking

“open port 80 to local machine 192.168.1.1”

Can you say why you want to do it?
What is your idea?

Best

5 Likes

Port Knocking, that’s right!!!
I remember now.
It would be interesting for my OpenVpn, since the use of this service is exclusively for me on my server. But I strongly suspect that I can implement it entirely with IPFire. Perhaps as extra protection to my OpenVpn, it might be a good system.
Not with port 80. That would not make sense.

Yes, it can be implemented just using iptables however normally port knock is implemented using a specific daemon.

It’s a cool project (in the geeky way) and a nice learning experience, however I doubt it will give you more than a marginal security benefit, with the tradeoff of an increased complexity of your firewall.

4 Likes
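As an added illustration of the mechanism described in the original question (example code written for this thread, not IPFire's and not any poster's): a toy model of the knock sequence 8888, 4444, 7777 with a per-step timeout and an expiring, per-source window on the service port. The timeouts, the class and function names and the sample addresses (documentation ranges standing in for the question's 50.nnn.nnn.40) are assumptions. A real deployment does this in the packet filter itself, for instance with the iptables recent module the reply above alludes to, not in Python.

```python
"""Toy model of the port-knocking mechanism described in the question:
a source must hit 8888, 4444, 7777 in that order; only then does the
service port open, only for that source, and only for a limited time.
Constructed example for this thread, not IPFire code and not a real
packet filter."""
from dataclasses import dataclass

KNOCK_SEQUENCE = (8888, 4444, 7777)  # order from the question
STEP_TIMEOUT = 10.0                  # assumed: max seconds between two correct knocks
OPEN_DURATION = 60.0                 # assumed: seconds the service stays reachable
SERVICE_PORT = 80                    # port used in the question's example


@dataclass
class Progress:
    stage: int        # number of correct knocks seen so far
    last_seen: float  # timestamp of the last correct knock


class PortKnockFilter:
    def __init__(self, sequence=KNOCK_SEQUENCE, step_timeout=STEP_TIMEOUT,
                 open_duration=OPEN_DURATION, service_port=SERVICE_PORT):
        self.sequence = tuple(sequence)
        self.step_timeout = step_timeout
        self.open_duration = open_duration
        self.service_port = service_port
        self.progress = {}  # src_ip -> Progress
        self.opened = {}    # src_ip -> timestamp at which the window closes

    def knock(self, src_ip, dst_port, now):
        """Record one connection attempt from src_ip to a knock port at time
        `now`.  Returns True only when this knock completes the sequence."""
        prog = self.progress.get(src_ip)
        stage = 0
        if prog is not None and now - prog.last_seen <= self.step_timeout:
            stage = prog.stage
        if dst_port != self.sequence[stage]:
            # Wrong port (or right port too late): forget all progress.  A
            # scanner walking every port in turn never completes the sequence.
            self.progress.pop(src_ip, None)
            if dst_port == self.sequence[0]:
                self.progress[src_ip] = Progress(1, now)  # may start over at once
            return False
        stage += 1
        if stage == len(self.sequence):
            self.progress.pop(src_ip, None)
            self.opened[src_ip] = now + self.open_duration
            return True
        self.progress[src_ip] = Progress(stage, now)
        return False

    def allows(self, src_ip, dst_port, now):
        """Would a new connection from src_ip to dst_port be accepted at `now`?"""
        if dst_port != self.service_port:
            return False  # knock ports only trigger, they never accept
        expiry = self.opened.get(src_ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self.opened[src_ip]  # window elapsed: the port closes again
            return False
        return True


def replay(trace, probe_time):
    """Replay a list of (time, src_ip, dst_port) attempts and report which
    sources can reach the service port at probe_time."""
    fw = PortKnockFilter()
    for when, src, port in trace:
        fw.knock(src, port, when)
    sources = sorted({src for _, src, _ in trace})
    return {src: fw.allows(src, SERVICE_PORT, probe_time) for src in sources}


# Constructed trace: the first host knocks correctly, the second tries the
# same ports in the wrong order, the third knocks correctly but too slowly.
SAMPLE_TRACE = [
    (1.0, "203.0.113.40", 8888), (2.0, "203.0.113.40", 4444), (3.0, "203.0.113.40", 7777),
    (1.0, "198.51.100.1", 4444), (2.0, "198.51.100.1", 8888), (3.0, "198.51.100.1", 7777),
    (1.0, "192.0.2.1", 8888), (20.0, "192.0.2.1", 4444), (21.0, "192.0.2.1", 7777),
]

if __name__ == "__main__":
    print(replay(SAMPLE_TRACE, probe_time=5.0))   # only 203.0.113.40 is True
    print(replay(SAMPLE_TRACE, probe_time=70.0))  # all False: the window has expired
```

The reset on a wrong port is what stops a sequential scan of all ports from opening the door, and the expiry is what closes it again afterwards, which is exactly the behaviour the question asks for. Note that the model does nothing about the weakness raised later in the thread: anyone who can watch the three knocks on the wire learns the sequence.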

I did not know that. I thank you for the valuable information. I had underestimated IPFire too much. :blush:
As I read, at security levels, Port Knocking is not the ultimate protection. Port Knocking is easily “sniffable.”
I wonder if it is worth using it for OpenVpn. Perhaps the recently implemented 2-factor authentication is more secure!

All kinds of security are based on ‘secrets’.
A secret is information given by the ‘secret holder’ to trusted entities:

  • A password questioned at a gate ( town gate, access software to a computer system/network, guard at a military camp, … )
  • A key for encryption of messages
  • A procedure / sequence of actions to identify as a friend

All secrets have a security level based on possibility of being discovered.
The ‘Caesar Cipher’ ( a substitution of letters ) is easily cracked by frequency analysis of the letters, for example.
Port knocking can indeed be cracked by sniffing the knock messages, as you can get access to a closed door if you can watch the knocking of an authorised person.
Each authorisation which uses multiple ways has a higher level of security, IMO.

2 Likes

It’s all true.

And that’s why it makes me wonder if it’s worth using this little extra protection for my OpenVpn. :thinking:
Maybe it’s better to stop the service when I don’t need it.
I thank all the forum members for the answers.

I will summarize here my personal point of view. Port Knocking works well when your threat model assumes that the attacker is on a different network than you are, and the target is a server that contains important bugs for remote exploits, e.g. an FTP or SSH server (*).

In the OpenVPN case, the threat model cannot assume that the attacker is always on a different network, as you might want to establish a tunnel in a hotel or an internet cafe where analyzing the traffic is trivial and therefore the protection is non-existent. Therefore, a port knock for OpenVPN is useful only for mitigating the threat from script-based scanning by criminal crews looking to install a worm or a virus for ransomware attacks or DDoS attacks. Is it worth the effort? IMO no, as OpenVPN is well maintained code with a minimal attack surface that does not offer easy remote exploits.

(*) If I need an FTP server, instead of setting up a port knocking I would put the server in the orange network without any DNAT rule (therefore it cannot be reached from the WAN side of the firewall). Then I would connect with IPSec or OpenVPN and then connect to the FTP server from inside my LAN.

3 Likes

@cfusco
I thank you for the valuable information.
I had already thought about what you told me, but you clarified it even better and in detail.
I have decided not to use Port Knocking for OpenVpn.

Hi all,
@casabenedetti you can simply use --tls-auth which should protect OpenVPN against →

  • DoS attacks or port flooding on the OpenVPN UDP port.
  • Port scanning to determine which server UDP ports are in a listening state.
  • Buffer overflow vulnerabilities in the SSL/TLS implementation.
  • SSL/TLS handshake initiations from unauthorized machines (while such handshakes would ultimately fail to authenticate, tls-auth can cut them off at a much earlier point).

if the key is not compromised.

Best,

Erik

4 Likes
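To make the last bullet concrete, here is an added, simplified model of what the pre-shared tls-auth key buys (example code written for this thread, not OpenVPN's or IPFire's own, and not OpenVPN's wire format): every control-channel packet carries an HMAC made with a static key that only the server and its clients hold, and the receiver verifies it before the packet is handed to the TLS code. The key bytes, packet framing, the strictly increasing packet-id replay guard and the function names are assumptions.

```python
"""Simplified model of what --tls-auth adds to OpenVPN's control channel:
each control packet carries an HMAC made with a pre-shared static key, and
the receiver checks it before the packet reaches the TLS stack.  Constructed
example for this thread; OpenVPN's real framing (opcode, session id,
packet-id window) is more involved and this is not its code."""
import hashlib
import hmac

TAG_LEN = 32  # HMAC-SHA256 output, bytes


def seal(key, packet_id, payload):
    """Sender side: 4-byte packet-id || payload || HMAC(key, id || payload)."""
    body = packet_id.to_bytes(4, "big") + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class ControlChannelGate:
    """Receiver side: only authenticated, non-replayed packets reach tls_layer."""

    def __init__(self, key):
        self.key = key
        self.highest_id = -1  # simplistic replay guard: ids must strictly increase
        self.tls_calls = 0    # how often the (comparatively expensive) TLS code ran
        self.dropped = 0      # packets rejected before any TLS parsing

    def receive(self, datagram):
        """Return the authenticated payload, or None if the packet is dropped."""
        if len(datagram) < 4 + TAG_LEN:
            self.dropped += 1  # too short to carry a tag: scanner probe, junk, flood
            return None
        body, tag = datagram[:-TAG_LEN], datagram[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            self.dropped += 1  # sender lacks the key: the TLS layer never sees this
            return None
        packet_id = int.from_bytes(body[:4], "big")
        if packet_id <= self.highest_id:
            self.dropped += 1  # replay of an earlier authenticated packet
            return None
        self.highest_id = packet_id
        return self.tls_layer(body[4:])

    def tls_layer(self, payload):
        self.tls_calls += 1
        return payload  # stands in for the real TLS handshake state machine


def simulate():
    """Constructed traffic mix; returns (packets that reached TLS, packets dropped)."""
    key = bytes(range(64))        # constructed static key, not a real ta.key
    wrong_key = bytes(64)         # what a host without ta.key would have to guess
    gate = ControlChannelGate(key)
    hello = seal(key, 1, b"CLIENT_HELLO")
    gate.receive(hello)                                # legitimate client
    gate.receive(hello)                                # same packet replayed
    gate.receive(seal(wrong_key, 2, b"CLIENT_HELLO"))  # forged without the key
    gate.receive(b"scan")                              # bare port-scanner probe
    gate.receive(seal(key, 2, b"KEY_EXCHANGE"))        # legitimate follow-up
    return gate.tls_calls, gate.dropped


if __name__ == "__main__":
    print(simulate())  # (2, 3): two packets reached TLS, three were dropped first
```

The point of the model is the counter pair: the TLS code runs only for packets whose tag verifies, so unauthenticated handshakes, floods and scans are rejected by a cheap HMAC comparison before any TLS parsing happens, which is what "cut them off at a much earlier point" means. As the reply says, the whole benefit rests on the static key staying secret.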

(Image: 018 - Settings photo)

In IPFire you just have to check this box, right?
I’ve always kept it checked, but I wasn’t aware of all these benefits.
I thank you @ummeegge :wink:

1 Like

Yes Carlo, this is correct.
In addition to ‘--tls-auth’ there are two other options (tls-crypt and tls-crypt-v2, currently not available via the IPFire WUI) which serve the same protection but also add another layer of security by encrypting the control channel packets as well, which is also known as “poor-man’s post-quantum security”. I find it useful to mention it here since it seems that there is something in the development pipe :wink:

For a full overview → OpenVPN: Control channel encryption (--tls-crypt, --tls-crypt-v2).

Best,

Erik

4 Likes