From owner-freebsd-questions@FreeBSD.ORG Sun Mar 21 09:39:49 2010
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 787451065672 for ; Sun, 21 Mar 2010 09:39:49 +0000 (UTC) (envelope-from norgaard@locolomo.org)
Received: from mail.locolomo.org (97.pool85-48-194.static.orange.es [85.48.194.97]) by mx1.freebsd.org (Postfix) with ESMTP id 241DD8FC19 for ; Sun, 21 Mar 2010 09:39:49 +0000 (UTC)
Received: from beta.local (ppp-93-104-79-92.dynamic.mnet-online.de [93.104.79.92]) by mail.locolomo.org (Postfix) with ESMTPSA id 8CCF91C0871 for ; Sun, 21 Mar 2010 10:39:47 +0100 (CET)
Message-ID: <4BA5E961.5020902@locolomo.org>
Date: Sun, 21 Mar 2010 10:39:45 +0100
From: Erik Norgaard
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1.8) Gecko/20100227 Lightning/1.0b1 Thunderbird/3.0.3
MIME-Version: 1.0
To: freebsd-questions@freebsd.org
References: <201003201318.o2KDIcIt001241@fix.fantomatic.co.uk> <87wrx69b1l.fsf@upnet.gr> <45c7a5dcf32819443b68c881ddde9135.squirrel@pop.pknet.net>
In-Reply-To: <45c7a5dcf32819443b68c881ddde9135.squirrel@pop.pknet.net>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 8bit
Subject: Re: securing sshd
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
X-List-Received-Date: Sun, 21 Mar 2010 09:39:49 -0000

On 21/03/10 02:27, Peter wrote:
> On the same line, portknocking with pf:

Port knocking sucks:

If you have to knock a single time on the secret port you might just have no added security at all; it could be that the port scanner first knocked on the secret port, then on the ssh port. If you have to knock multiple times on the secret port, same thing: usually when you scan for open ports, multiple packets are sent in case of packet loss.

You can't use timing between packets because this may change on the path. Yet you do need to implement timeouts to avoid a halfway knocked sequence.

If you have to knock various ports, you can't rely on packets arriving in a particular sequence. And even if you did, the port scanner might just get that order right. If your secret is to knock port 1234 and then port 2345, nmap might do just that when scanning ports 0-10000. And if the secret is the reverse order, again, nmap might just do that because multiple packets are sent to each port. If you require more than a single knock, you also have to monitor for wrong knocks, or a simple nmap scan may be just sufficient to expose your server, as in the example above.

A port knock or port knock sequence is a shared password that cannot be encrypted. Since there is no previous user identification, the knocking is the same for all users. It's not encrypted because the secret is in the port number you knock. This is possibly the worst kind of secret you can manage. If you find yourself thinking you need port knocking, then your passwords are not strong enough. It is far better to use longer and more complex passwords: they are individual for each user and encrypted.

Then you have the problem of monitoring established connections to flush the tables once a session is terminated.

Port knocking adds complexity to your server, meaning more things can go wrong, and adding yet another attack vector for the intruder. Having a script to automatically update a live rule set is a recipe for disaster.

It's as user-unfriendly and impractical as it gets: the more ports you have to knock, the higher the probability that some packets will be filtered when you're behind somebody else's firewall. You can be most certain that you can't convince the admin of some corporate network to open up for your port knocking. Because of the built-in stealth you have no way of knowing if packets are dropped or filtered. And the user will have to accept a delay for your port knocking script to update the rules. You add complexity for the user: now they have your special port knocking client, know the secret, on top of carrying around their private ssh keys etc.

Port knocking sucks at security: it does not solve a single existing problem but introduces a host of other problems. Use it at home for playing around and learning about protocols and stuff, but please don't give people the illusion that their security problems will be solved with port knocking.

BR, Erik

--
Erik Nørgaard
Ph: +34.666334818/+34.915211157
http://www.locolomo.org
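As an added illustration of the argument in the mail above (this is not Erik's code nor any real knock daemon), a toy per-source knock state machine is fed a constructed ascending port scan that probes each port twice, the way a scanner retransmits against packet loss. A daemon that only watches for the next expected knock ends up "opening" for the scanner, while one that also resets on every wrong knock does not; the source address, port range and timeout values are made up.

```python
"""Toy knock-sequence daemon: shows why a naive state machine is satisfied
by a plain sequential port scan (constructed example, no real pf rules)."""
from dataclasses import dataclass


@dataclass
class KnockState:
    index: int = 0        # position in the expected knock sequence
    last_ts: float = 0.0  # time of the last accepted knock


class KnockDaemon:
    def __init__(self, sequence, timeout=5.0, strict=False):
        self.sequence = list(sequence)
        self.timeout = timeout      # half-knocked sequences expire after this
        self.strict = strict        # strict: any wrong knock resets progress
        self.state = {}             # per-source progress
        self.opened = set()         # sources for which a pass rule would be added

    def packet(self, src, dport, ts):
        """Feed one SYN (source, destination port, timestamp); return True if open."""
        st = self.state.setdefault(src, KnockState())
        if st.index and ts - st.last_ts > self.timeout:
            st.index = 0                       # timeout: forget partial sequence
        if dport == self.sequence[st.index]:
            st.index += 1
            st.last_ts = ts
            if st.index == len(self.sequence):
                self.opened.add(src)           # sequence completed
                st.index = 0
        elif self.strict:
            st.index = 0                       # wrong knock counts against you
        return src in self.opened


def sequential_scan(daemon, src="198.51.100.7", first=0, last=10000, retries=2):
    """Constructed scanner: ascending ports, `retries` probes each, 1 ms apart."""
    ts = 0.0
    for port in range(first, last + 1):
        for _ in range(retries):
            daemon.packet(src, port, ts)
            ts += 0.001
    return src in daemon.opened


if __name__ == "__main__":
    print("naive 1234->2345 opened:", sequential_scan(KnockDaemon([1234, 2345])))
    print("strict 1234->2345 opened:", sequential_scan(KnockDaemon([1234, 2345], strict=True)))
```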