Hello OPNsense development team,
I would like to suggest adding a native port-knocking feature to OPNsense with a simple GUI interface. As you know, port knocking is a security mechanism that secures access to open ports by requiring a sequence of "knocks" to open a specific port, which can be particularly useful for sensitive services such as SSH or VPN.
Including this feature in OPNsense would allow users to easily add an extra layer of security without the need to install third-party software. This would make firewall rule management more secure for users needing safe remote access.
Thank you for considering this suggestion!
Best regards,
Hello,
isn't port knocking with a predefined sequence just security through obscurity?
https://en.wikipedia.org/wiki/Security_through_obscurity
Making sure the service behind the port is secure is highly preferred.
There are more powerful features for blocking automated port scans like the included suricata IDS/IPS.
Quote: isn't port knocking with a predefined sequence just security through obscurity?
Yes it is :)
Relying on this feature to "increase security" is, by today's measure, more or less a placebo effect.
Regards,
S.
I wouldn't call it security through obscurity, it's more like an unencrypted password.
Not very safe though.
Quote from: Monviech (Cedrik) on November 04, 2024, 04:08:01 PM
Hello,
isn't port knocking with a predefined sequence just security through obscurity?
https://en.wikipedia.org/wiki/Security_through_obscurity
Making sure the service behind the port is secure is highly preferred.
There are more powerful features for blocking automated port scans like the included suricata IDS/IPS.
It depends on the use case.
Port knocking picks up the low-hanging fruit most attackers are looking for to find potential attack vectors for home users.
As long as the source IP hasn't passed the knock sequence in the required order, the firewall drops all packets for the service port.
Since the port for the service is blocked, attackers looking for open ports for the low-hanging fruit of the day/month/year move on.
IDS/IPS is more geared towards business use, as it needs proper monitoring etc. to be effective, and it has significant overhead.
Port knocking use cases in my opinion are more for a home user.
With IPv6 adoption rates finally rising, more and more home users have access to a free globally routed IP instead of paying for a static IPv4 address which can/will open the door to more and more home users wanting to open up ports.
In my opinion there are valid use cases for port knocking. Read the manpage for knockd before you say it's security through obscurity, as the service port is closed until the knock authentication has been satisfied, and even then the port is still restricted to unauthenticated IPs.
knockd is only one implementation, and it's rather complex. But a port knock can also be done strictly with iptables and not a daemon. An example of an iptables-only implementation:
https://www.digitalocean.com/community/tutorials/how-to-configure-port-knocking-using-only-iptables-on-an-ubuntu-vps
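An added example (not code from the thread or from the linked tutorial) that models the iptables-only scheme described above: each source IP must hit the knock ports in order, a wrong port resets its progress, and only a source that completed the sequence reaches the service port. The knock ports, service port and timeout are assumed values.

```python
from collections import defaultdict

KNOCK_SEQUENCE = (7000, 8000, 9000)  # assumed knock ports
SERVICE_PORT = 22                    # assumed protected service (SSH)
KNOCK_WINDOW = 10                    # assumed max seconds between knocks


class PortKnockFirewall:
    """Constructed model of a per-source-IP knock state machine."""

    def __init__(self, sequence=KNOCK_SEQUENCE, service_port=SERVICE_PORT,
                 window=KNOCK_WINDOW):
        self.sequence = sequence
        self.service_port = service_port
        self.window = window
        self.stage = defaultdict(int)  # src_ip -> correct knocks so far
        self.last_knock = {}           # src_ip -> time of last correct knock
        self.opened = set()            # src_ips that passed the whole sequence

    def packet(self, src_ip, dst_port, now):
        """Verdict ('ACCEPT' or 'DROP') for a TCP SYN from src_ip to dst_port."""
        if dst_port == self.service_port:
            # Only an authenticated source reaches the service; all others drop,
            # so the port looks closed to everyone else.
            return "ACCEPT" if src_ip in self.opened else "DROP"
        # Progress expires if the next knock arrives too late.
        if now - self.last_knock.get(src_ip, now) > self.window:
            self.stage[src_ip] = 0
        if dst_port == self.sequence[self.stage[src_ip]]:
            self.stage[src_ip] += 1
            self.last_knock[src_ip] = now
            if self.stage[src_ip] == len(self.sequence):
                self.opened.add(src_ip)  # sequence complete: open for this IP only
                self.stage[src_ip] = 0
        else:
            # Wrong port resets the state; like the iptables chains falling back
            # to the first gate, the packet may still count as the first knock.
            self.stage[src_ip] = 1 if dst_port == self.sequence[0] else 0
            if self.stage[src_ip]:
                self.last_knock[src_ip] = now
        return "DROP"  # knock ports never answer, so nothing is revealed


def sweep(fw, src_ip, ports, start=0.0):
    """Feed a sequential port sweep (one SYN per port, 10 ms apart) and return
    the verdict for a final probe of the service port."""
    for i, port in enumerate(ports):
        fw.packet(src_ip, port, start + i * 0.01)
    return fw.packet(src_ip, fw.service_port, start + len(ports) * 0.01)
```

A linear scan trips the first knock and then resets itself on the very next port, which is why a scanner sweeping the whole range never sees the service open.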
I agree it is wrong to believe that port knocking improves security, but it undoubtedly improves reliability. For example, I just spent ~50 minutes attempting to get in line to SSH into OPNsense, which refused browser logins with a "CSRF check failed." error. It turned out somebody had managed to find the SSH port and overzealously attempted to brute-force it using a large botnet, filling all free space with filter.log files. Unfortunately SSH has no distinct answer that can inform bots that no password logins are allowed, and a non-standard port, when found, triggers much more intense attacks, as bot writers most likely consider such servers more interesting. In cases like this, what turned out to be quite a successful DDoS would be impossible if I had port knocking set up.
Hint: There are basically no port scans on IPv6 for obvious reasons.