From owner-freebsd-questions@FreeBSD.ORG Tue Jun 23 16:59:12 2009
Message-ID: <4A4109DE.3050000@locolomo.org>
Date: Tue, 23 Jun 2009 18:59:10 +0200
From: Erik Norgaard
To: Daniel Underwood
Cc: freebsd-questions@freebsd.org
References: <4A406D81.3010803@locolomo.org>
Subject: Re: Best practices for securing SSH server

Daniel Underwood wrote:
>> I do not believe that tricks like running ssh on a
>> non-standard port or using port-knocking provide
>> much extra security.
>
> I can understand that varying the port is not a very strong defensive
> measure, but I don't understand your point about port-knocking.
>
> If you configure a complex and seemingly random sequence of knocks
> before allowing an IP access to your ssh port, have you not
> significantly strengthened your ssh server?

A port-knocking sequence is really no different from a shared password.
Since there is no user dialog, the sequence has to be known by all users
accessing the system. Basically you ask your users to authenticate twice -
don't you think you could get the same security with a standard deployment
insisting on good passwords or, better yet, using keys?

You add an extra layer of inconvenience and complexity, more things that can
fail and possibly result in an insecure server:

- dynamically updating firewall rules on the interface facing the Internet
  is not on my list of good practices. Loading or flushing rules continuously
  is the recipe for service interruption or exposing your server to the net.

- nor is having a sniffer daemon putting the network interface in
  promiscuous mode, a daemon that listens on lots of ports! That really
  sounds attractive. (Yup: that's the latest version on portknocking.org.)

And it can result in people being unable to access if the knocks are
filtered at the source.

BR, Erik

--
Erik Nørgaard
Ph: +34.666334818/+34.915211157
http://www.locolomo.org
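Added example, not part of Erik's mail or of the thread: the "standard deployment ... using keys" he recommends comes down to a few sshd_config directives, and the check below audits the global section of an OpenSSH sshd_config for them. The directive names (Port, PasswordAuthentication, PubkeyAuthentication, KbdInteractiveAuthentication and its older alias ChallengeResponseAuthentication) are real OpenSSH keywords; the two sample configs are constructed, and the parsing rules assumed are OpenSSH's documented ones (keywords are case-insensitive, the first value seen for a keyword wins, and everything after the first Match line is conditional and is ignored here).

```python
"""Audit the global section of an OpenSSH sshd_config for the points made
in the thread: password versus key authentication, and whether sshd sits
on a non-standard port. Added example, not code from the original mail."""

# Constructed sample: password logins still allowed, so keys are optional.
WEAK_CONFIG = """\
Port 2222
PasswordAuthentication yes
PubkeyAuthentication yes
ChallengeResponseAuthentication yes
"""

# Constructed sample: key-only authentication on the standard port.
# The Match block re-enables passwords for one user only; the audit
# deliberately looks at the global section alone.
HARDENED_CONFIG = """\
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
Match User backup
    PasswordAuthentication yes
"""

# OpenSSH defaults for the directives we inspect, used when a directive
# is absent from the file.
DEFAULTS = {
    "port": "22",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
}


def parse_global_section(text):
    """Return {lowercase keyword: value} for the global section.

    Mirrors sshd's rules: comments start with '#', the first value seen for
    a keyword wins, and parsing stops at the first 'Match' line because
    everything after it is conditional.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        # ChallengeResponseAuthentication is the older name of
        # KbdInteractiveAuthentication; treat them as one setting.
        if key == "challengeresponseauthentication":
            key = "kbdinteractiveauthentication"
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text):
    """Report whether the config is key-only and whether the port is non-standard."""
    settings = dict(DEFAULTS)
    settings.update(parse_global_section(text))
    findings = []
    if settings["passwordauthentication"].lower() != "no":
        findings.append("PasswordAuthentication is enabled; prefer keys")
    if settings["kbdinteractiveauthentication"].lower() != "no":
        findings.append("keyboard-interactive auth is enabled; a password "
                        "prompt can still be reached through PAM")
    if settings["pubkeyauthentication"].lower() != "yes":
        findings.append("PubkeyAuthentication is disabled")
    return {
        "key_only": not findings,
        "nonstandard_port": settings["port"] != "22",
        "findings": findings,
    }


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_sshd_config(cfg)
        print(name, "key_only=%s" % result["key_only"],
              "nonstandard_port=%s" % result["nonstandard_port"])
        for finding in result["findings"]:
            print("  -", finding)
```

Run it against a real file with `audit_sshd_config(open("/etc/ssh/sshd_config").read())`; a result with `key_only` true and an empty `findings` list is the "standard deployment using keys" the mail argues for, with no knock sequence to distribute to every user. Note that `nonstandard_port` is reported only as information: as the thread says, moving the port is not a security measure in itself.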