Date: Tue, 23 Jun 2009 22:37:12 +0200 From: Erik Norgaard <norgaard@locolomo.org> To: Daniel Underwood <djuatdelta@gmail.com> Cc: freebsd-questions@freebsd.org Subject: Re: Best practices for securing SSH server Message-ID: <4A413CF8.60901@locolomo.org> In-Reply-To: <b6c05a470906231311q48a56fddk77b456dc29695ed3@mail.gmail.com> References: <b6c05a470906221816l4001b92cu82270632440ee8a@mail.gmail.com> <4A406D81.3010803@locolomo.org> <b6c05a470906230653i6ce647c1p415e769b63d9e169@mail.gmail.com> <4A4109DE.3050000@locolomo.org> <b6c05a470906231311q48a56fddk77b456dc29695ed3@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Daniel Underwood wrote: >> A port-knocking sequence is really nothing different than a shared password. > > Technically and conceptually, that's true. But "practically", I'm not > sure you're right. If in addition to attempting to enumerate the > space of possible passwords, an attacker also enumerates the space of > possible port-knocking sequences, then, yes, you're right. But I am > willing to bet that the vast majority of attackers DO NOT attempt > this. For this reason, I think well-designed port-knocking DOES add > significant strength to the server. You're right, as long as port-knocking as a first pass authentication scheme is not in wide spread use, then any attackers will not waste time port-knocking. If ever port-knocking becomes common, attackers will adapt and start knocking. Or: if you want to keep port-knocking useful then don't recommend it to anyone! I think it is a bad idea, a wrong route to go. I think that there are so many other options for improving security that are well tested, much easier to deploy, cause less user annoyance etc etc. Since, as said, the knocking sequence is a shared secret, the more users you have the more likely it will be disclosed, and the more difficult it is to distribute new knocking sequences as more users are affected. More complexity, more possible failures and errors means more resources spent on user support, and more resources spend on configuring the new "toy". Resources that could be well spent on improving actual security and monitoring actual threats. You may deploy port-knocking at home for your own curriousity, but it has no value on your curriculum. BR, Erik -- Erik Nørgaard Ph: +34.666334818/+34.915211157 http://www.locolomo.org
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4A413CF8.60901>