Ideas for port knocking plus VPN

Hi all. Just wondering if anyone else has done port knocking plus VPN tunnels for added security.

Here is what I am doing.
I’m using a few pings with set packet sizes to create a 2 knock address list that I will use to accept PPTP traffic. I timeout the access to the address list after 1 day. I schedule the ping script every 5 minutes so it maintains the proper IP addresses and any dynamic IP sites will get added to the list shortly.
My code is below.

Anyone else doing anything like this? Did I reinvent the wheel and/or is there a better way?
The goal is to tighten up security on the PPTP server and obfuscate the mechanism for creating a tunnel.


On satellite:
/system script
add name=knock54_67 policy=ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api source=
"ping REMOTEIP size=54 count=3\r
\ndelay delay-time=3\r
\nping REMOTEIP size=67 count=3"

/system scheduler
add disabled=no interval=12h name=knockVPN on-event="/system script run [/system script find where name=\"knock54_67\"]" policy=
ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api start-date=jan/01/2012 start-time=00:05:00

On VPN server:
/ip firewall filter
add action=add-src-to-address-list address-list=size54 address-list-timeout=1m chain=input comment="knock 54" disabled=no packet-size=54 protocol=icmp
add action=add-src-to-address-list address-list=size67 address-list-timeout=4w3d chain=input comment="knock 67 allow" disabled=no packet-size=67 protocol=icmp src-address-list=size54
add action=accept chain=input comment="PPTP inbound TCP KNOCK!" disabled=no dst-port=47,443,1723 protocol=tcp src-address-list=size67
add action=accept chain=input comment="PPTP inbound GRE Knock!" disabled=no protocol=gre src-address-list=size67
add action=drop chain=input disabled=no in-interface=ether1-gateway
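As an added illustration (not part of the original post and not RouterOS code), here is a small Python model of the posted input chain that shows why the order and timing of the two knocks matter. It assumes the posted timeouts (1m for size54, 4w3d for size67), that every packet arrives on the WAN interface covered by the final drop rule, and a constructed client address.

```python
from collections import namedtuple

# Timeouts from the posted rules, in seconds ("1m" and "4w3d").
SIZE54_TIMEOUT = 60
SIZE67_TIMEOUT = (4 * 7 + 3) * 24 * 3600
# size is the IP total length, which is what packet-size= matches on.
Packet = namedtuple("Packet", "src proto size dst_port", defaults=(0, 0))

class KnockFirewall:
    def __init__(self):
        self.size54 = {}   # dynamic address lists: {src: expiry time}
        self.size67 = {}

    @staticmethod
    def _listed(lst, src, now):
        return src in lst and now < lst[src]

    def input_chain(self, pkt, now):
        # Rule 1: a 54-byte ICMP packet lists the source on size54 for 1m (non-terminating).
        if pkt.proto == "icmp" and pkt.size == 54:
            self.size54[pkt.src] = now + SIZE54_TIMEOUT
        # Rule 2: a 67-byte ICMP packet from a source still on size54 opens the door.
        if (pkt.proto == "icmp" and pkt.size == 67
                and self._listed(self.size54, pkt.src, now)):
            self.size67[pkt.src] = now + SIZE67_TIMEOUT
        # Rules 3 and 4: PPTP control ports and GRE only from knocked sources.
        if self._listed(self.size67, pkt.src, now):
            if pkt.proto == "gre" or (pkt.proto == "tcp" and pkt.dst_port in (47, 443, 1723)):
                return "accept"
        # Rule 5: everything else arriving on the WAN interface is dropped
        # (including the knock pings themselves, as in the posted chain).
        return "drop"

def verdicts(events):
    # events: list of (time_in_seconds, Packet) run through a fresh firewall
    fw = KnockFirewall()
    return [fw.input_chain(p, t) for t, p in events]

def demo():
    src = "198.51.100.7"                      # constructed client address
    k54, k67 = Packet(src, "icmp", 54), Packet(src, "icmp", 67)
    pptp = Packet(src, "tcp", dst_port=1723)
    day = 24 * 3600
    return {
        "right_order": verdicts([(0, k54), (3, k67), (5, pptp)])[-1],
        "wrong_order": verdicts([(0, k67), (3, k54), (5, pptp)])[-1],
        "second_knock_late": verdicts([(0, k54), (90, k67), (92, pptp)])[-1],
        "no_knock": verdicts([(0, pptp)])[-1],
        "day_30_after_knock": verdicts([(0, k54), (3, k67), (30 * day, pptp)])[-1],
        "day_32_after_knock": verdicts([(0, k54), (3, k67), (32 * day, pptp)])[-1],
    }
```

Only the correct pair within the one-minute window opens the PPTP ports, and the opening then lasts the full 4w3d regardless of whether the scheduled pings keep running.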

Security by obfuscation = False sense of security.

You should consider simply going with a secure VPN tunnel like SSTP or IPSEC or OVPN instead of making PPTP appear more secure than what it really is.

First, this is not obfuscation. Requiring a correct sequence of events or statements is by definition a password. This is a password consisting of specifying ‘words’ in a specific order within a specific timeframe. Obfuscation would be changing the ports the pptp server ran on.

This does increase the security of pptp. Firstly, brute force password attacks are useless without knowing the knock code to first get through the front door. Secondly, a MS-CHAP hash attack might be able to recover the user and password for the pptp tunnel, but would still have to defeat the knock code to attempt a dial in.

OVPN on mikrotik sucks, it is TCP only and does not do the job. SSTP is junk, it is no good for site to site tunnels and is prone to drops on minor packet loss and takes too long to dial to recover from dropped packets. IPSEC is a pain because there is no tunnel interface.