Date: Tue, 23 Jun 2009 13:20:07 -0400
From: Bill Moran <wmoran@potentialtech.com>
To: Erik Norgaard <norgaard@locolomo.org>
Cc: Daniel Underwood <djuatdelta@gmail.com>, freebsd-questions@freebsd.org
Subject: Re: Best practices for securing SSH server
Message-ID: <20090623132007.14d22270.wmoran@potentialtech.com>
In-Reply-To: <4A4109DE.3050000@locolomo.org>
References: <b6c05a470906221816l4001b92cu82270632440ee8a@mail.gmail.com> <4A406D81.3010803@locolomo.org> <b6c05a470906230653i6ce647c1p415e769b63d9e169@mail.gmail.com> <4A4109DE.3050000@locolomo.org>
In response to Erik Norgaard <norgaard@locolomo.org>:

> Daniel Underwood wrote:
>
>>> I do not believe that tricks like running ssh on a
>>> non standard port or using port-knocking provide
>>> much extra security.
>>
>> I can understand that varying the port is not a very strong defensive
>> measure, but I don't understand your point about port-knocking.
>>
>> If you configure a complex and seemingly random sequence of knocks
>> before allowing an IP access to your ssh port, have you not
>> significantly strengthened your ssh server?
>
> A port-knocking sequence is really nothing different than a shared
> password. Since there is no user dialog, the sequence has to be known by
> all users accessing the system.
>
> Basically you ask your users to authenticate twice - don't you think you
> could get the same security with a standard deployment insisting on good
> passwords or, better yet, using keys?
>
> You add an extra layer of inconvenience and complexity, more things that
> can fail and possibly result in an insecure server:

I would agree with you, except ...

> - dynamically updating firewall rules on the interface facing the
> Internet is not on my list of good practices. Loading or flushing rules
> continuously is the recipe for service interruption or exposing your
> server to the net.

What crappy firewall are you using that needs to be flushed or reloaded to
update rules? Has your packet filtering software been updated since the 80s?

> - nor is having a sniffer daemon putting the network interface in
> promiscuous mode, a daemon that listens on lots of ports! That really
> sounds attractive. (Yup: that's the latest version on portknocking.org.)

Listening on multiple ports is not synonymous with promiscuous interfaces.
You should take some time to understand the difference between those two
techniques.

> And it can result in people being unable to access if the knocks are
> filtered at the source.
Which can happen anyway if you have an ISP who filters out ssh traffic
(which isn't unheard of).

What _is_ accomplished by both using a nonstandard port and using knock
techniques is that you don't have the annoyance of all those botnets
filling up your logs with attempts to log in as root (if you don't monitor
your access logs daily, then I don't want to hear any argument about this).
With a knock solution, or running on a nonstandard port, you know that any
login attempts are serious attack attempts, and not just some random,
mindless bots. If you're doing proper security monitoring, then reducing
that log load is worthwhile.

-- 
Bill Moran
http://www.potentialtech.com
http://people.collaborativefusion.com/~wmoran/
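An added example, not part of the thread, of the log triage the reply argues for: it parses sshd "Failed password" lines from a constructed auth.log sample and, given a set of account names that exist on the host (an assumption supplied by the caller), separates botnet-style noise (root and non-existent users) from attempts against real accounts that deserve a look.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of OpenSSH syslog lines (not real traffic); the
# addresses are from the documentation ranges.
SAMPLE_LOG = """\
Jun 23 13:01:02 host sshd[1234]: Failed password for root from 203.0.113.7 port 40123 ssh2
Jun 23 13:01:05 host sshd[1234]: Failed password for invalid user oracle from 203.0.113.7 port 40124 ssh2
Jun 23 13:01:09 host sshd[1235]: Failed password for invalid user test from 203.0.113.7 port 40125 ssh2
Jun 23 13:02:11 host sshd[1240]: Failed password for wmoran from 198.51.100.5 port 51000 ssh2
Jun 23 13:02:15 host sshd[1240]: Failed password for wmoran from 198.51.100.5 port 51000 ssh2
Jun 23 13:02:20 host sshd[1240]: Accepted publickey for wmoran from 198.51.100.5 port 51000 ssh2
"""

# sshd writes "invalid user NAME" when NAME has no account on the host.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text):
    """Yield (source_ip, user, is_invalid_user) for each failed password line."""
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield m.group("ip"), m.group("user"), m.group("invalid") is not None


def triage(log_text, local_users):
    """Group failures by source IP and label each source.

    'noise'    - every attempt targeted root or a non-existent account,
                 the pattern of mindless botnet scans
    'targeted' - at least one attempt used a real, non-root local account
    local_users is the set of account names on this host (assumed input).
    """
    per_ip = defaultdict(Counter)
    for ip, user, invalid in parse_failures(log_text):
        if user == "root":
            per_ip[ip]["root"] += 1
        elif invalid or user not in local_users:
            per_ip[ip]["invalid_user"] += 1
        else:
            per_ip[ip]["valid_user"] += 1
    return {ip: {"counts": dict(c), "label": "targeted" if c["valid_user"] else "noise"}
            for ip, c in per_ip.items()}


if __name__ == "__main__":
    for ip, info in triage(SAMPLE_LOG, {"root", "wmoran"}).items():
        print(f"{ip:16} {info['label']:9} {info['counts']}")
```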