Port knocking:
From the perspective of security management, the more service ports a system has open, the less secure it is. The first step in hardening a system is therefore to disable unneeded ports and then apply access control to the ports that do provide services. Remote administration and maintenance staff usually need a few service ports, such as FTP and SSH, to be reachable. These services use well-known ports, and leaving them open permanently is often a serious security risk. Ideally a service would be enabled only when it is actually needed and only for specific users, and its port would be closed again once the work is done, so that this "risk" becomes hard for an attacker to exploit. Port knocking provides an ideal solution to exactly this problem.
Port knocking is a technique in which a server opens an agreed service port, and provides the service, only after a user has "knocked" in an agreed sequence. The knock sequence consists of a series of connection attempts (requests for specific ports) directed at ports that are closed on the system.
Implementing port knocking is simple:
1. Open a fixed service port.
For example, the server can be configured so that when it sees one user attempt, in order, port 2048, port 2049, port 2055 and port 2058, it opens TCP service port 28, and that user can then work remotely through this port. Once the connection ends, the service port is closed again automatically. On a gateway device such as a firewall, once the sequence has been detected, a rule is added to the access list permitting that user's TCP port 28 packets, so the connection can pass through the firewall; when the connection-close command is received, the rule is deleted and the port returns to denying service.
2. Open service ports dynamically.
If port knocking is used to open several service ports, or to change the service port dynamically, a "designated" position in the knock sequence can be reserved, when the sequence is designed on the server, to "tell" the server which service port to open. For instance, if the rule is that the last port of the sequence minus 2000 is the service port, then the knock sequence 2048, 2049, 2055, 2058, 2443 asks for the service on port 443 to be opened.
Port knocking is not complicated. To the user it simply adds a "password" check before a normal connection is established; a small tool can automate each knock, and if the sequence is sent in the same order as the password, it just works. It can be implemented not only on a firewall (in which case the port itself may be left open on the server by default) but also on the server. The implementing device adds a matching buffer pool that tracks matching users (by source IP address) as a state machine: the state machine starts when a packet matches the first port, each subsequent packet from that user is matched against the next port in the sequence, advancing one state at a time, until the whole sequence has matched. If any packet fails to match, the user is returned to the initial state.
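As an added example (not code from the article), the state machine just described in Python: per-source-IP progress through the fixed sequence 2048, 2049, 2055, 2058 that opens port 28, the dynamic variant where the final knock minus 2000 names the service port, and the firewall-rule add/delete step from the fixed-port case. The iptables command strings, the sample IP addresses and all names are assumptions.

```python
from dataclasses import dataclass, field

KNOCK_SEQUENCE = (2048, 2049, 2055, 2058)  # knock sequence from the article
FIXED_SERVICE_PORT = 28                    # fixed mode: port opened after a full match
PORT_OFFSET = 2000                         # dynamic mode: service port = last knock - 2000

def firewall_rule(action: str, src_ip: str, port: int) -> str:
    """Illustrative rule text for the firewall variant (iptables syntax assumed).
    action is "-I" to insert the allow rule or "-D" to delete it again."""
    return f"iptables {action} INPUT -p tcp -s {src_ip} --dport {port} -j ACCEPT"

@dataclass
class KnockTracker:
    sequence: tuple = KNOCK_SEQUENCE
    dynamic: bool = False                           # True: last knock encodes the port
    progress: dict = field(default_factory=dict)    # src_ip -> knocks matched so far
    opened: list = field(default_factory=list)      # (src_ip, service_port) currently allowed

    def observe(self, src_ip: str, dst_port: int):
        """Feed one connection attempt to a closed port.
        Returns the service port to open for src_ip, or None."""
        matched = self.progress.get(src_ip, 0)
        if self.dynamic and matched == len(self.sequence):
            # Prefix complete: this extra knock names the service port.
            self.progress.pop(src_ip, None)
            service = dst_port - PORT_OFFSET
            if not 0 < service < 65536:
                return None                         # nonsense port: back to initial state
            return self._open(src_ip, service)
        if dst_port != self.sequence[matched]:
            self.progress.pop(src_ip, None)         # any wrong knock resets the state machine
            return None
        matched += 1
        if matched == len(self.sequence) and not self.dynamic:
            self.progress.pop(src_ip, None)
            return self._open(src_ip, FIXED_SERVICE_PORT)
        self.progress[src_ip] = matched             # advance one state
        return None

    def _open(self, src_ip: str, port: int) -> int:
        self.opened.append((src_ip, port))          # rule firewall_rule("-I", ...) now applies
        return port

    def close(self, src_ip: str, port: int) -> str:
        """Connection finished: delete the rule so the port denies service again."""
        self.opened.remove((src_ip, port))
        return firewall_rule("-D", src_ip, port)
```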
Security of port knocking:
Since port knocking is not hard to implement and is very convenient for meeting the "special" service needs of staff (small numbers of users; it is clearly not suited to functions with a large user base), the question is: is it secure?
Password protection has two kinds of "natural enemy". The first is passwords that are simple and easy to guess; since account names are generally not secret, and some privileged accounts are even system defaults, such passwords are easily broken. The second is brute-force cracking: currently the time needed to crack a 128-bit password has been reduced to an hour. Consequently most current password-based protection relies on increasing password length and character combinations.
Port knocking uses a combination of port numbers and in some respects resembles a password. First, the port sequence has no intrinsic meaning and is chosen by the user, so it is hard to guess: there are theoretically more than 60 thousand port numbers, any port not used for a service can be part of the knock, and the number of combinations is also large. Second, the length of the knock sequence is not fixed, which gives scanning-type cracking tools a "headache" because they cannot know when a guess should end. Third, and most important, a knock can be performed with the same kind of packet that starts a connection, or with a different one, such as a specially marked SYN packet. Port knocking probes service ports that are not open on the server, and the server's responses (many knocks are simply ignored) give no indication of whether a match is in progress. Even if an attacker were lucky enough to find the knock sequence, the next packet must be the one that begins the normal connection; choose wrongly and the "match" built up so far immediately returns to zero. The technique is therefore highly resistant to scanning.
Extending port knocking:
The ideal application of port knocking is remote device management: it is used infrequently, it poses a great threat if left exposed, and it is the function that network maintenance staff most need. Remote access to certain confidential documents is another good fit. For example, a capability to share confidential files dynamically can be added to an FTP service, where the "knock" is no longer a port sequence but a special combination of ordinary FTP commands; while the sequence is matched, the user is temporarily authorised to download the confidential documents, and the authorisation can be revoked immediately after use.