From owner-freebsd-questions@FreeBSD.ORG Tue Jun 23 20:11:06 2009
From: Daniel Underwood
To: Erik Norgaard
Cc: freebsd-questions@freebsd.org
Date: Tue, 23 Jun 2009 16:11:04 -0400
Subject: Re: Best practices for securing SSH server
In-Reply-To: <4A4109DE.3050000@locolomo.org>
References: <4A406D81.3010803@locolomo.org> <4A4109DE.3050000@locolomo.org>
> A port-knocking sequence is really nothing different than a shared password.

Technically and conceptually, that's true. But "practically", I'm not sure you're right.

If in addition to attempting to enumerate the space of possible passwords, an attacker also enumerates the space of possible port-knocking sequences, then, yes, you're right. But I am willing to bet that the vast majority of attackers DO NOT attempt this. For this reason, I think well-designed port-knocking DOES add significant strength to the server.

If I'm misunderstanding port-knocking, please jump in and correct me...
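To make the "shared password" comparison concrete, here is an added example (not code from the thread or from any knock daemon) of the matching logic a port-knocking daemon runs: per-source progress through a fixed sequence of ports, a reset on a wrong knock, and a time window between knocks. The secret sequence, the window length and the sample knocks are constructed for illustration. The helper at the end computes the size of the sequence space an attacker would have to enumerate, which is the quantity the two posts are arguing about.

```python
"""Toy port-knocking matcher: a knock sequence checked like a password.

Added illustration, not the FreeBSD list's or any real daemon's code.
Assumed values: a 3-knock secret, a 10 s inter-knock window, 65535 ports.
"""
from __future__ import annotations

import math
from dataclasses import dataclass

KNOCK_SEQUENCE = (7000, 8000, 9000)  # constructed secret (assumption)
KNOCK_WINDOW = 10.0                  # seconds allowed between knocks (assumption)
PORT_SPACE = 65535                   # usable TCP/UDP port numbers


@dataclass
class KnockState:
    progress: int = 0     # how many knocks of the sequence matched so far
    last_seen: float = 0.0


class PortKnocker:
    """Tracks knock progress per source address and opens on a full match."""

    def __init__(self, sequence=KNOCK_SEQUENCE, window=KNOCK_WINDOW):
        self.sequence = tuple(sequence)
        self.window = window
        self.state: dict[str, KnockState] = {}
        self.opened: set[str] = set()

    def knock(self, src: str, port: int, now: float) -> bool:
        """Record one packet to a closed port. Returns True when src unlocks."""
        st = self.state.setdefault(src, KnockState())

        # Too slow between knocks: forget partial progress, like a login timeout.
        if st.progress and now - st.last_seen > self.window:
            st.progress = 0

        if port == self.sequence[st.progress]:
            st.progress += 1
        else:
            # Wrong knock resets, the analogue of a failed password attempt.
            # A wrong knock that happens to be the first port restarts at 1.
            st.progress = 1 if port == self.sequence[0] else 0
        st.last_seen = now

        if st.progress == len(self.sequence):
            self.opened.add(src)
            st.progress = 0
            return True
        return False

    def is_open(self, src: str) -> bool:
        return src in self.opened


def sequence_space_bits(length: int, ports: int = PORT_SPACE) -> float:
    """Entropy of an ordered knock sequence drawn uniformly from all ports."""
    return length * math.log2(ports)


def sequence_attempts(length: int, ports: int = PORT_SPACE) -> int:
    """Number of distinct sequences an attacker must try to exhaust the space."""
    return ports ** length


if __name__ == "__main__":
    k = PortKnocker()
    for t, port in enumerate(KNOCK_SEQUENCE):
        print(f"knock {port} -> open={k.knock('203.0.113.7', port, float(t))}")
    print(f"3-knock space: {sequence_space_bits(3):.1f} bits, "
          f"{sequence_attempts(3)} sequences")
```

The entropy helper shows why the two posts are both right in their own terms: three uniformly chosen ports give roughly 48 bits, comparable to a decent password, but an attacker who only runs a password dictionary against port 22 never spends any of that budget, which is the practical effect the reply is relying on. Note that this matcher, like any daemon doing the same job, cannot distinguish a brute-force knocker from a legitimate client; only the sequence length and the window limit the attacker.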