Well, it appears that it would be as safe as any other vulnerable server behind port knocking. Although there's still the possibility that the backdoor is doing something we aren't aware of yet. So yeah, it's as "safe" as you consider port knocking to be.
That said, just make sure you aren't using the backdoored versions. I don't see how you can reasonably skip this step.
Would ssh servers with port knocking set up be safe from this backdoor?
I'm not sure I got it correctly, but it seems the RCE can only be performed after connecting to the ssh server; if the port is hidden behind a reasonable sequence of tcp/udp knocks, then it won't happen?
I've been using port knocking on ssh servers, and it definitely does not replace proper ssh configuration, but so far seems like a cheap extra layer of defense that might either prevent or give extra time to respond when these ssh vulnerabilities appear.
Rather than port knocking, I prefer IP knocking. The server has several IP addresses and once a correct sequence of connections is made, the ssh port opens. Since so few know about IP knocking, it is much safer than port knocking.
Standard or non-standard port, you still should use port knocking in one way or another (or only enable it for the specific IPs that can ever access it). The Internet shouldn't even be able to know that you have a service there that is only for you or for a very small number of people.
If a remote vulnerability is discovered in the server (it happened in the past, don't rule it out for the future), you will be attacked, and it won't be a brute force attack to be blocked by fail2ban or similar. You can be scanned at any time, put in a database as "having ssh version x running on port y" and kept ready for future use.
And while simple port knocking could be defeated by inspecting your traffic, there are variants like fwknop that are resistant to that kind of interception or replaying.
If you do not have the ability to eavesdrop on the network between my client and my server, then port knocking is essentially unhackable. Port knocking only fails when the malicious party can monitor the network traffic. This is a valid concern, and I would never say that port knocking by itself is all the security one needs. It does however completely block all regular "outsiders" from ever being able to even open a connection to sshd.
If I require 5 ports to be hit in sequence, and blacklist IPs that hit unknown ports, it is extremely unlikely you will ever connect. Now if someone on my local network, at my ISP, or at my hosting provider sniffs my traffic to determine a static knocking sequence... good for them. They're the one unauthorized person who can connect to sshd, without a valid ssh key to authenticate with.
It's a reality that most businesses are not going to invest in setting up a network that cannot be accessed from the internet at large. For such setups, a little bit of obscurity via something like port knocking to prevent every single port scanner in existence from discovering your sshd server must be better than nothing at all.
Use the stuff from that Mozilla wiki page and OpenSSH will be secure enough already. Unless more vulnerabilities are found that apply to such a configuration, or keys are compromised, port knocking in this case isn't going to stop anyone that OpenSSH wouldn't already stop on its own. It's effectively just a pointless layer of security that only adds more hassle to connect.
I'm not saying that port knocking doesn't have uses, just that it doesn't in this case. Unless you're trying to hide the service I guess, but I don't see why that would be necessary.
In short, port knocking is a very, very short/weak password. And is a very weak authentication measure.
This is absolutely true and nobody could argue that.
So if you only did port knocking, or if you depended on port knocking, you're making a bad decision.
I believe in defense in depth, and therefore I think that port knocking on top of everything else you already do has good value - especially considering how simple and lightweight knockd is and my experience of it running stably for years at a time.
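To make the "short password" argument above concrete, here is an added example (my own illustration, not knockd's code and not from any poster in this thread) of the per-source state machine a knock daemon keeps: a source must hit a fixed sequence of closed ports in order within a timeout, a hit on any other port resets progress and blacklists the source, and a completed sequence marks the source as allowed. The sequence, timeout and ban length are assumed values chosen for the demo. The same code also shows why the secret is weak in the sense the posters mean: anyone who captured the five ports can replay them from another address and get the same "opened" verdict.

```python
import math
import time

# Constructed example knock sequence and timers (assumptions for the demo,
# not values recommended or used by anyone in the thread).
KNOCK_SEQUENCE = (7000, 8000, 9000, 7500, 6500)
KNOCK_TIMEOUT = 10.0     # seconds allowed between consecutive knocks
BAN_SECONDS = 3600.0     # how long a source that hit a wrong port is ignored


class KnockTracker:
    """Per-source state machine for a static port-knocking sequence.

    observe() is fed every packet that reaches a closed port and returns
    one of: 'banned', 'progress', 'reset', 'opened'.
    """

    def __init__(self, sequence=KNOCK_SEQUENCE, timeout=KNOCK_TIMEOUT, ban=BAN_SECONDS):
        self.sequence = tuple(sequence)
        self.timeout = timeout
        self.ban = ban
        self._progress = {}   # src_ip -> (index of next expected port, time of last knock)
        self._banned = {}     # src_ip -> time at which the ban expires
        self.allowed = set()  # sources that may now reach sshd

    def observe(self, src_ip, dst_port, now=None):
        now = time.monotonic() if now is None else now
        if self._banned.get(src_ip, 0.0) > now:
            return 'banned'
        idx, last = self._progress.get(src_ip, (0, now))
        if now - last > self.timeout:
            idx = 0                      # too slow between knocks: start over
        if dst_port == self.sequence[idx]:
            idx += 1
            if idx == len(self.sequence):
                self.allowed.add(src_ip)
                self._progress.pop(src_ip, None)
                return 'opened'
            self._progress[src_ip] = (idx, now)
            return 'progress'
        # Wrong port for this stage: drop progress and blacklist the source.
        self._progress.pop(src_ip, None)
        self._banned[src_ip] = now + self.ban
        return 'reset'


def run_knocks(tracker, src_ip, ports, start=0.0, step=1.0):
    """Send the given ports from src_ip, `step` seconds apart, and return the
    tracker's verdict on the last one (used below to show replay)."""
    result = None
    for i, port in enumerate(ports):
        result = tracker.observe(src_ip, port, now=start + i * step)
    return result


def knock_entropy_bits(sequence, port_space=65535):
    """Upper bound on the secret's strength: a knock sequence is a password of
    len(sequence) symbols drawn from port_space values. Real deployments use a
    far smaller port range, so the true figure is lower still."""
    return len(sequence) * math.log2(port_space)


if __name__ == "__main__":
    t = KnockTracker()
    print(run_knocks(t, "203.0.113.5", KNOCK_SEQUENCE))        # legitimate client
    print(run_knocks(t, "198.51.100.7", KNOCK_SEQUENCE))       # eavesdropper replaying it
    print(run_knocks(KnockTracker(), "192.0.2.9", (7000, 8000, 1234)))  # wrong third port
    print(round(knock_entropy_bits(KNOCK_SEQUENCE)))
```

Two things the run shows: the replayed sequence from the second address is accepted exactly like the original, which is the "password sent in the clear" problem, and five 16-bit ports are at most about 80 bits of secret, which is why nobody here treats it as authentication rather than as a filter that keeps scanners from ever seeing sshd.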
Why aren't you concerned that bugs will be found in your port knocking implementation?
I think the main concern with port knocking is that it's observable. You're effectively sending your password in clear, so if someone can intercept or overhear your traffic then your secret is lost. Cryptographic authentication schemes like SSH itself or VPNs do not have this problem.
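The replay-resistant variants mentioned earlier (fwknop-style single packet authorization) fix exactly the observability problem this comment raises. The following is an added illustration of the idea, written for this thread and not fwknop's own code or wire format: the client sends one UDP payload carrying a timestamp, a random nonce and an HMAC keyed with a pre-shared secret, with the client's source address included under the MAC; the server rejects bad MACs, packets outside a clock window, and any nonce it has already seen. The key, window and layout are assumptions for the demo.

```python
import hashlib
import hmac
import os
import struct
import time

# Constructed pre-shared key and tolerances (assumptions for the demo).
SPA_KEY = b"example-pre-shared-key-change-me"
SPA_WINDOW = 30.0     # seconds of clock skew tolerated between client and server
NONCE_LEN = 16
TAG_LEN = 32          # HMAC-SHA256


def build_spa_packet(key, src_ip, now=None, nonce=None):
    """Client side. Payload = timestamp(8 bytes) || nonce || HMAC-SHA256.
    The MAC also covers the source address the client expects to send from,
    so a captured packet resent from a different address fails verification."""
    now = time.time() if now is None else now
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    header = struct.pack("!d", now) + nonce
    tag = hmac.new(key, header + src_ip.encode(), hashlib.sha256).digest()
    return header + tag


class SpaServer:
    """Server side: verify one knock packet and remember nonces for the window."""

    def __init__(self, key, window=SPA_WINDOW):
        self.key = key
        self.window = window
        self._seen = {}       # nonce -> timestamp, the replay cache
        self.allowed = set()  # sources that may now reach sshd

    def accept(self, payload, src_ip, now=None):
        now = time.time() if now is None else now
        if len(payload) != 8 + NONCE_LEN + TAG_LEN:
            return 'malformed'
        header, tag = payload[:8 + NONCE_LEN], payload[8 + NONCE_LEN:]
        expected = hmac.new(self.key, header + src_ip.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return 'bad_mac'      # wrong key, or sent from an address it was not signed for
        ts = struct.unpack("!d", header[:8])[0]
        if abs(now - ts) > self.window:
            return 'stale'        # an old capture, outside the clock window
        self._expire(now)
        nonce = header[8:]
        if nonce in self._seen:
            return 'replay'       # same packet already accepted within the window
        self._seen[nonce] = ts
        self.allowed.add(src_ip)
        return 'opened'

    def _expire(self, now):
        # Nonces older than the window can be forgotten: the timestamp check
        # already rejects them, so the cache stays bounded.
        for nonce, ts in list(self._seen.items()):
            if now - ts > self.window:
                del self._seen[nonce]


if __name__ == "__main__":
    srv = SpaServer(SPA_KEY)
    pkt = build_spa_packet(SPA_KEY, "203.0.113.5", now=1000.0)
    print(srv.accept(pkt, "203.0.113.5", now=1001.0))   # legitimate client
    print(srv.accept(pkt, "203.0.113.5", now=1002.0))   # same packet replayed
    print(srv.accept(pkt, "198.51.100.7", now=1002.0))  # replayed from elsewhere
    print(srv.accept(pkt, "203.0.113.5", now=5000.0))   # replayed much later
```

An observer on the path still sees the packet, but what they capture is useless to them: it is bound to a source address, expires after the window, and is refused a second time even from the original address. The one case this does not cover is the attacker who shares the client's NAT address and can send their own fresh packets only if they also hold the key, which brings it back to the point made throughout the thread that the layer behind the knock still has to be a properly configured sshd.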
This is interesting in that it combines the concept of port knocking with a REST interface, which I'm assuming is up to the user to create a front end for.
Unfortunately it also relies on Kubernetes which means that using it for a single system isn't practical. At least, not for this server owner.
My own approach is simply security by obscurity (a non standard port) with APF/BFD doing the needful for locking bots out if they figure out the port. I've had to change ports only once in 6 years, so it's working to keep bots out rather nicely.
And really that's all these things are: a way to keep bots out. A determined attacker will figure this stuff out anyway.
I use port knocking and I don’t take it seriously. Anyone using it in a serious setup is batshit. However, for fun home projects where users install that giant php based file sharing program, or that IoT camera, why not? They don’t have automated intrusion prevention, etc. They can’t understand the code to determine it’s quality, etc.
When the next 0day hits… will it be enough to protect them, yes. After all, they’re not a target and the automated attacks won’t affect them.
Can a theoretical attacker intercept a port knocking sequence? maybe. Would a script kiddie running a new ssh 0day against the entire internet be able to do this? no.
I've been doing this sysadmin thing for a long, long time, and have built some large, high profile platforms,[1][2] and I can tell you that few things have made me happier than port knocking.
Yes, it is a password with a tiny number of "bits". But nobody suggested using only port knocking, so that's not significant.
Yes, if my attacker is sharing the exact same NAT'd IP as me then they have a window to attack ... my fully hardened server, which was no worse than what was presented to them before.
Finally (and this is what makes me happiest) my sshd is not exposed to whatever new exploit might be discovered tomorrow that doesn't require user credentials. It's not exposed to being DOS'd by a buffer overflow vuln. It's not filling my logs with brute forcers all day and night.
If this traffic were intercepted, you'd be able to see port numbers, right?
Sure but I hope the service you're opening up with the knock is actually secure like ssh.
The idea is just that you can't port-scan to find something to attack. It's basically the same reasoning behind using non-standard ports, but takes it a bit further.