Is port knocking a viable solution for a shared webhosting server?

#1 Fri, 10/27/2017 - 15:02
adamjedgar

I was reading another thread and noticed one of the answers made mention of port knocking. I haven't heard of this before and it raised my interest.

So after a tiny bit of "googling" my basic understanding of port knocking is that port/s normally used for accessing something like a control panel, i.e. https://server3.foo.com:10000/, are actually always closed.

In order to login to said port, one must enter a series of perhaps 3 preliminary port login requests in the correct sequence upon which an application such as fail2ban, iptables or the like would recognise the correct sequence, open said port, thus allowing the user to finally enter the webmin panel url on port 10000 (or custom one) and login to dashboard.

The idea is that anyone attempting something like a brute force hack would have almost no idea what port is being used, or whether or not they are indeed even hitting the correct sequence. I think I read somewhere that the statistical chances of a successful hack are so unlikely the odds against it are in the trillions.

Having said that, I also read that one of the downsides is that this kind of configuration can also work against the server management in that it provides a single point of failure that would also lock everyone out should it be corrupted?

So is this a viable option/addition to one's security practices? Pros and cons from the webhosting server experts please?

Sun, 11/05/2017 - 15:09
Diabolico

Short answer: No.
Long answer: Basically you should explain/teach each customer how to use it, and then it is still left to them to do this manually or using some software (for Win or Linux). Doing it manually, there is a real chance your clients will use more time than what is set for port knocking, which will invalidate even a correct sequence. The other solution is using software for that, and not many want or like the hassle of having specialized software just to be able to log in.
For shared hosting you will need to keep some ports open and instead use other software like Fail2Ban, Imunify360, CSF and so on...

- I often come to the conclusion that my brain has too many tabs open. -
Failing at desktop publishing & graphic design since 1994.
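
The sequence-and-timeout behaviour discussed in this thread, as an added example that is not part of either post: a per-source-IP knock tracker replayed over constructed traffic, showing a fast client admitted, a slow manual knock expiring, and a sequential scan failing. The knock ports, the 10-second window and the IP addresses are assumptions made for illustration; port 10000 is the panel port from the question.

```python
from dataclasses import dataclass, field

# Constructed values for illustration; not taken from the thread.
KNOCK_SEQUENCE = (7000, 8000, 9000)  # hypothetical secret knock ports
SEQ_TIMEOUT = 10.0                   # assumed seconds allowed for the whole sequence
PROTECTED_PORT = 10000               # panel port mentioned in the question

@dataclass
class KnockTracker:
    """Per-source-IP state machine deciding who may reach PROTECTED_PORT."""
    sequence: tuple = KNOCK_SEQUENCE
    timeout: float = SEQ_TIMEOUT
    progress: dict = field(default_factory=dict)  # ip -> (next_index, start_time)
    allowed: set = field(default_factory=set)     # IPs the firewall would admit

    def observe(self, ts: float, ip: str, port: int) -> bool:
        """Feed one connection attempt; return True if it completes the knock."""
        idx, start = self.progress.get(ip, (0, ts))
        if idx and ts - start > self.timeout:
            idx, start = 0, ts                    # too slow: progress is discarded
        if port == self.sequence[idx]:
            idx += 1
            if idx == len(self.sequence):         # full sequence seen in time
                self.progress.pop(ip, None)
                self.allowed.add(ip)
                return True
            self.progress[ip] = (idx, start)
        elif port == self.sequence[0]:
            self.progress[ip] = (1, ts)           # wrong port that restarts the knock
        else:
            self.progress.pop(ip, None)           # wrong port: reset to the beginning
        return False

def replay(events):
    """Run (timestamp, ip, port) events through a tracker; return admitted IPs."""
    tracker = KnockTracker()
    for ts, ip, port in events:
        tracker.observe(ts, ip, port)
    return tracker.allowed

# Constructed sample traffic using documentation IP ranges.
EVENTS = [
    # client using a knock tool: whole sequence inside the window
    (0.0, "198.51.100.7", 7000), (1.5, "198.51.100.7", 8000), (2.9, "198.51.100.7", 9000),
    # customer knocking by hand: correct ports, but 14 s exceeds the window
    (0.0, "203.0.113.20", 7000), (6.0, "203.0.113.20", 8000), (14.0, "203.0.113.20", 9000),
    # sequential scan: an intervening port resets the sequence
    (0.0, "192.0.2.99", 7000), (0.1, "192.0.2.99", 7001), (0.2, "192.0.2.99", 8000),
]

if __name__ == "__main__":
    print("admitted to port", PROTECTED_PORT, ":", sorted(replay(EVENTS)))
```
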
