From owner-freebsd-questions@FreeBSD.ORG Tue Jun 23 20:37:15 2009
Message-ID: <4A413CF8.60901@locolomo.org>
Date: Tue, 23 Jun 2009 22:37:12 +0200
From: Erik Norgaard
To: Daniel Underwood
Cc: freebsd-questions@freebsd.org
Subject: Re: Best practices for securing SSH server
References: <4A406D81.3010803@locolomo.org> <4A4109DE.3050000@locolomo.org>

Daniel Underwood wrote:
>> A port-knocking sequence is really nothing different than a shared password.
>
> Technically and conceptually, that's true. But "practically", I'm not
> sure you're right. If in addition to attempting to enumerate the
> space of possible passwords, an attacker also enumerates the space of
> possible port-knocking sequences, then, yes, you're right. But I am
> willing to bet that the vast majority of attackers DO NOT attempt
> this.
> For this reason, I think well-designed port-knocking DOES add
> significant strength to the server.

You're right, as long as port-knocking as a first-pass authentication scheme is not in widespread use, attackers will not waste time port-knocking. If ever port-knocking becomes common, attackers will adapt and start knocking. Or: if you want to keep port-knocking useful, then don't recommend it to anyone!

I think it is a bad idea, a wrong route to go. I think that there are so many other options for improving security that are well tested, much easier to deploy, cause less user annoyance, etc.

Since, as said, the knocking sequence is a shared secret, the more users you have the more likely it will be disclosed, and the more difficult it is to distribute new knocking sequences as more users are affected. More complexity, more possible failures and errors means more resources spent on user support, and more resources spent on configuring the new "toy". Resources that could be well spent on improving actual security and monitoring actual threats.

You may deploy port-knocking at home for your own curiosity, but it has no value on your curriculum.

BR, Erik

-- 
Erik Nørgaard
Ph: +34.666334818/+34.915211157
http://www.locolomo.org
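The thread's point that a knock sequence is just a shared password can be shown concretely. The Python below is an added example, not code from this thread or from any knock daemon: it models a knockd-style state machine, an attacker without the secret who gets no answer, a passive observer on the path who recovers the sequence from the wire and replays it, and a comparison of the knock search space with a password of equivalent strength. The knock sequence (7000, 8000, 9000), the addresses and the packet trace are all constructed for the example.

```python
"""Toy port-knock daemon, a secret-less attacker, and a passive observer who
learns the secret by watching the wire.  Added example; sequence, addresses
and trace are constructed, not taken from any real deployment."""
import math
from collections import defaultdict

KNOCK_SEQUENCE = (7000, 8000, 9000)   # the shared secret (hypothetical)
KNOCK_WINDOW = 10.0                    # seconds allowed to finish the sequence
PROTECTED_PORT = 22


class KnockDaemon:
    """State machine in the style of knockd: a source must hit the sequence
    ports in order, within the window, before the protected port answers."""

    def __init__(self, sequence=KNOCK_SEQUENCE, window=KNOCK_WINDOW):
        self.sequence = tuple(sequence)
        self.window = window
        self.progress = {}   # src -> (index of next expected port, ts of last good knock)
        self.opened = set()  # sources that completed the sequence

    def knock(self, ts, src, dport):
        idx, last = self.progress.get(src, (0, ts))
        if ts - last > self.window:
            idx = 0                       # too slow: start over
        if dport == self.sequence[idx]:
            idx += 1
            if idx == len(self.sequence):
                self.opened.add(src)
                idx = 0
        else:
            idx = 0                       # wrong port resets the sequence
        self.progress[src] = (idx, ts)

    def allows(self, src):
        return src in self.opened


def serve(daemon, syns):
    """Feed client SYNs (ts, src, dport) through the daemon and return the wire
    trace as (ts, src, dport, flag): 'S' for a client SYN, 'SA' for the server's
    SYN-ACK.  Only SYNs to the protected port from an opened source are
    answered; everything else is dropped silently, as a knock firewall does."""
    trace = []
    for ts, src, dport in sorted(syns):
        trace.append((ts, src, dport, "S"))
        if dport == PROTECTED_PORT:
            if daemon.allows(src):
                trace.append((ts, src, dport, "SA"))
        else:
            daemon.knock(ts, src, dport)
    return trace


def recover_sequences(trace, window=KNOCK_WINDOW):
    """Passive observer (anyone on the path, or a host on the same segment).
    A SYN-ACK from the protected port reveals which source was let in; the
    closed ports that source hit just before are the secret, sent in clear."""
    syns_by_src = defaultdict(list)
    learned = set()
    for ts, src, dport, flag in trace:
        if flag == "S" and dport != PROTECTED_PORT:
            syns_by_src[src].append((ts, dport))
        elif flag == "SA" and dport == PROTECTED_PORT:
            knocks = tuple(p for t, p in syns_by_src[src] if ts - t <= window)
            if knocks:
                learned.add(knocks)
    return learned


def search_space_bits(knock_len, ports=65535):
    """Bits an online guesser must cover for knock_len ports drawn from the
    whole TCP port range (fewer in practice, since filters limit usable ports)."""
    return knock_len * math.log2(ports)


def equivalent_password_length(knock_len, ports=65535, alphabet=94):
    """Length of a printable-ASCII password with the same search space."""
    return math.ceil(search_space_bits(knock_len, ports) / math.log2(alphabet))


def demo():
    daemon = KnockDaemon()
    legit, attacker = "10.0.0.5", "198.51.100.7"      # constructed addresses
    # Constructed trace: the legitimate user knocks then connects; the
    # attacker only tries port 22 and hears nothing back.
    syns = [(0.0, legit, 7000), (0.5, legit, 8000), (1.0, legit, 9000),
            (1.5, legit, 22), (2.0, attacker, 22)]
    trace = serve(daemon, syns)
    before = daemon.allows(attacker)
    learned = recover_sequences(trace)
    # Replay what the wire revealed: the attacker now holds the shared secret.
    sequence = next(iter(learned))
    replay = [(20.0 + i, attacker, p) for i, p in enumerate(sequence)]
    replay.append((25.0, attacker, 22))
    serve(daemon, replay)
    return {"learned": learned, "attacker_before": before,
            "attacker_after": daemon.allows(attacker)}


if __name__ == "__main__":
    print(demo())
    print(f"3-port knock ~ {search_space_bits(3):.1f} bits, "
          f"about a {equivalent_password_length(3)}-character password")
```

The observer needs no brute force at all: one legitimate login seen on the wire hands over the sequence, which is exactly the weakness of any shared secret sent in clear, and the more users share it the more places it can be captured. The search-space functions make the other half of the argument: a three-port knock is worth roughly 48 bits, about an 8-character printable password, and unlike a password it cannot be rotated per user without redistributing the secret to everyone.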