So it is ok for me.
I’m off the opinion since you can’t make your system 100% secure _ever_ making your system as undesirable for an attacker as you can is the best protection for general server purposes.
Of course, _if_ someone is inclined to get in (commercial / governmental / person-based hacks) this still is worthless since if they aren’t totally braindead over time they _will_ find a way in.. No matter how steep the security measures are.

So from my point of view making the system less desirable as a target is one of port knocking’s main purposes and this is what it’s good at.

Anyways you are right that the original proof-of-concept-like implementation of port knocking doesn’t make too much sense (i.e. using a protocol that provides feedback.. But then who tells you my firewall gives any feedback for not purposefully opened ports? No change there really.).

MitM still is one of the bigger things, but there is public-key-crypto for this.. Generally speaking.

Regards,
Frederic

Alternative ports are not more secure. A 5 minute scan with nmap will reveal services which are running on nonstandard ports. And as you pointed out above, any casual observer of legitimate traffic can completely detect your alternative port, and defeat the system.

A service that selectively opens holes in a firewall when it receives a request is far simpler than ‘port knocking’ and removes the silly random sequence of ports requirement. This request can arrive in any one of a hundred ways which do not acknowledge their receipt. Email, UDP, whatever.

However, an equivalent amount of security is gained against so-called 0 day scanners/worms by simply moving your services to a non-standard port.

The point I was trying to make is that port knocking is a complicated solution which does not add a significant level of security to a system. If your threat model is 0day exploits of a service only accessible to trusted clients running special software, then there are many better solutions which do not employ simple StO techniques. Alternate ports, IPSec and VPNs are those that come to mind immediately. Both place similar requirements upon your user base yet have far, far simpler deployment and support needs.

Based upon these things, I contend that port knocking is an inferior, insufficient and weak solution to a problem with many other valid solutions. Thus, “worthless”. Of no value.

You ask “If port knocking is no more secure than plaintext authenticated protocols, why would anyone protect a service like SSH with it?” As I just stated, Port Knocking itself can be made quite secure, however you misunderstand the point of its use. If your ports are open then the services running on those ports are easily open to attack. If I have a 0day ssh exploit… or even an exploit for an FTP server you have not yet patched, you will be owned, simple as that. I know that my box gets scanned constantly and random IPs connect to my open ports trying for ways to get in. Port knocking allows you to hide those ports from the world, and, with the proper implementation, no amount of network sniffing will help an attacker get in.

To sum things up, although Port Knocking is in the realm of ’security through obscurity’, one must remember that there is nothing wrong with that. StO is only a bad thing when it becomes your ONLY line of defence. In this case, with a strong implementation, it provides an excellent extra layer of protection for many different services, each of which may be vulnerable to countless different types of attacks. And even if the port knocking layer is circumvented… what do you lose? Nothing… the attacker then has to deal with the access control of the service he is attacking. You have only gained by: a) Thwarting most attacks by making your ports invisible. b) Being able to detect a potential attack if your firewall detects some unusual ‘knocking activity’.

I’d say that PKing is not quite ‘worthless’ as you implied.