Date:      Wed, 24 Jun 2009 16:02:21 +0200
From:      cpghost <cpghost@cordula.ws>
To:        Erik Norgaard <norgaard@locolomo.org>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Best practices for securing SSH server
Message-ID:  <20090624140221.GA1974@phenom.cordula.ws>
In-Reply-To: <4A422FCB.2050900@locolomo.org>
References:  <b6c05a470906221816l4001b92cu82270632440ee8a@mail.gmail.com> <4A406D81.3010803@locolomo.org> <b6c05a470906230653i6ce647c1p415e769b63d9e169@mail.gmail.com> <4A4109DE.3050000@locolomo.org> <b6c05a470906231311q48a56fddk77b456dc29695ed3@mail.gmail.com> <4A413CF8.60901@locolomo.org> <20090624143613.6a87a749@gumby.homeunix.com> <4A422FCB.2050900@locolomo.org>

On Wed, Jun 24, 2009 at 03:53:15PM +0200, Erik Norgaard wrote:
> RW wrote:
> > On Tue, 23 Jun 2009 22:37:12 +0200
> > Erik Norgaard <norgaard@locolomo.org> wrote:
> > 
> >> You're right, as long as port-knocking as a first pass authentication 
> >> scheme is not in wide spread use, then any attackers will not waste
> >> time port-knocking. If ever port-knocking becomes common, attackers
> >> will adapt and start knocking.
> > 
> > It would be fairly straightforward to prevent that by having a
> > combination of knocking ports and secret guard ports. When a guard port
> > gets hit the sequence is broken, and the source IP gets blocked for a
> > while.
> 
> Great: Wouldn't that be the same as monitoring failed login attempts and 
> temporarily blacklisting ips that repeatedly connect through standard 
> methods?

Hmmm..., you're right on this point.

But port knocking can be useful and provide more security *if* you
modify the knocking sequence algorithmically and make it, e.g., a
function of time, source IP/range (and other factors). This could
prevent a whole class of replay attacks.

Of course, you can modify the keys/passwords algorithmically and
make them a function of time, source IP etc. as well... ;-)

And while we're at it: how about real OPIE? Or combining SSH keys,
OPIE, and port knocking?

> Erik Nørgaard
> Ph: +34.666334818/+34.915211157                  http://www.locolomo.org

-cpghost.

-- 
Cordula's Web. http://www.cordula.ws/
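The scheme sketched in the reply above (a knock sequence that is a function of time and source IP, so that a sniffed sequence cannot simply be replayed), worked through as an added example. This is not code from the thread or from any knock daemon; it assumes an HMAC-SHA256 derivation keyed with a shared secret over (source address, 30-second time window), four knocks drawn from ports 10000-59999, one window of clock-skew tolerance, and knock events simulated as constructed (timestamp, src_ip, dst_port) tuples rather than read from a pf/ipfw log or packet capture.

```python
"""Time- and source-IP-bound port-knocking sequence (added example).

Assumptions (not from the thread): HMAC-SHA256 over (source IP, time window)
with a shared secret; 30-second windows; a four-port sequence drawn from
10000-59999; knock events are simulated as (timestamp, src_ip, dst_port)
tuples instead of being read from a firewall log or packet capture.
"""
import hashlib
import hmac
import ipaddress
import struct
from collections import defaultdict

KNOCK_LEN = 4                     # ports per sequence
PORT_LOW, PORT_HIGH = 10000, 60000
WINDOW_SECONDS = 30               # the sequence changes every 30 s
SKEW_WINDOWS = 1                  # also accept the adjacent windows (clock drift)


def knock_sequence(secret: bytes, src_ip: str, now: float) -> list[int]:
    """Derive the knock sequence valid for src_ip in the window containing now.

    The HMAC input includes the source address and the time window, so a
    sequence captured from one client is useless from another address and
    expires when the window rolls over; that is what defeats simple replay.
    """
    window = int(now) // WINDOW_SECONDS
    msg = ipaddress.ip_address(src_ip).packed + struct.pack(">Q", window)
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    span = PORT_HIGH - PORT_LOW
    # Two digest bytes per port; the small modulo bias does not matter here.
    return [PORT_LOW + int.from_bytes(digest[2 * i:2 * i + 2], "big") % span
            for i in range(KNOCK_LEN)]


def verify_knocks(secret: bytes, src_ip: str, ports: list[int], now: float) -> bool:
    """Server side: does `ports` match what src_ip should be knocking right now?

    The current window plus SKEW_WINDOWS on either side are accepted so a
    client whose clock is slightly off is not locked out.
    """
    for delta in range(-SKEW_WINDOWS, SKEW_WINDOWS + 1):
        if ports == knock_sequence(secret, src_ip, now + delta * WINDOW_SECONDS):
            return True
    return False


def process_events(secret: bytes, events) -> dict[str, list[int]]:
    """Replay a stream of (timestamp, src_ip, dst_port) events through the check.

    Keeps the last KNOCK_LEN ports seen from each source and returns, per
    address, the timestamps at which a valid sequence was completed.  A real
    knock daemon would feed this from pf/ipfw logs or a pcap and then open
    the SSH port for that address.
    """
    recent = defaultdict(list)
    opened = defaultdict(list)
    for ts, ip, port in sorted(events):
        if not PORT_LOW <= port < PORT_HIGH:
            continue                      # ordinary traffic, not a knock
        recent[ip].append(port)
        del recent[ip][:-KNOCK_LEN]       # keep only the last KNOCK_LEN ports
        if verify_knocks(secret, ip, recent[ip], ts):
            opened[ip].append(ts)
    return dict(opened)


def replay_demo(secret: bytes = b"example-shared-secret") -> dict[str, list[int]]:
    """Constructed scenario: one legitimate client and two replay attempts."""
    t0 = 1245852141                       # constructed timestamp (June 2009)
    client, attacker = "203.0.113.7", "198.51.100.9"
    seq = knock_sequence(secret, client, t0)

    events = []
    # Legitimate client knocks its four ports one second apart.
    events += [(t0 + i, client, p) for i, p in enumerate(seq)]
    # Attacker sniffed the sequence and replays it from its own address a
    # few seconds later: the sequence is bound to the client's IP, so the
    # server expects different ports from the attacker.
    events += [(t0 + 5 + i, attacker, p) for i, p in enumerate(seq)]
    # Attacker spoofs the client's address but replays ten minutes later:
    # the window has moved on, so the captured sequence no longer verifies.
    events += [(t0 + 600 + i, client, p) for i, p in enumerate(seq)]

    # Only the genuine knock at t0+3 opens the door.
    return process_events(secret, events)


if __name__ == "__main__":
    print(replay_demo())
```

Replacing a static sequence with this derivation removes the replay weakness, but it does not change the conclusion reached in the thread: an attacker who cannot replay still cannot do anything worse than hit the wrong ports, which is exactly what rate-limiting failed logins on the standard port already handles. The knock secret also has to be kept as carefully as an SSH key, and the server's firewall state must be cleaned up when the window expires, or the scheme degrades back into a static allow-list.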
