Date: Wed, 24 Jun 2009 14:36:13 +0100
From: RW
To: freebsd-questions@freebsd.org
Subject: Re: Best practices for securing SSH server
Message-ID: <20090624143613.6a87a749@gumby.homeunix.com>
In-Reply-To: <4A413CF8.60901@locolomo.org>
References: <4A406D81.3010803@locolomo.org> <4A4109DE.3050000@locolomo.org> <4A413CF8.60901@locolomo.org>

On Tue, 23 Jun 2009 22:37:12 +0200
Erik Norgaard wrote:

> You're right, as long as port-knocking as a first pass authentication
> scheme is not in widespread use, then any attackers will not waste
> time port-knocking. If ever port-knocking becomes common, attackers
> will adapt and start knocking.

It would be fairly straightforward to prevent that by having a combination of knocking ports and secret guard ports. When a guard port gets hit the sequence is broken, and the source IP gets blocked for a while.
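Added example, not part of the thread: a Python simulation of the knock-plus-guard-port state machine RW sketches, so the behaviour can be checked before wiring it to a real firewall. The port numbers, knock window and block duration are constructed for the illustration.

```python
"""Knock sequence with guard ports: a constructed simulation (added example).

A source must hit KNOCK_SEQUENCE in order within KNOCK_WINDOW seconds. Hitting
any port in GUARD_PORTS resets its progress and blocks it for BLOCK_SECONDS, so
a sequential sweep that walks across a guard port never completes the sequence.
"""
from dataclasses import dataclass, field

KNOCK_SEQUENCE = (7000, 8000, 9000)    # constructed: ports to hit, in this order
GUARD_PORTS = frozenset({7500, 8500})  # constructed: decoys between the knock ports
KNOCK_WINDOW = 30                      # constructed: seconds allowed for a full sequence
BLOCK_SECONDS = 300                    # constructed: block duration after a guard hit


@dataclass
class Knocker:
    """Per-source knock progress, temporary blocks and opened sources."""
    progress: dict = field(default_factory=dict)       # ip -> (next index, first knock time)
    blocked_until: dict = field(default_factory=dict)  # ip -> time the block expires
    opened: set = field(default_factory=set)

    def is_blocked(self, ip, now):
        return self.blocked_until.get(ip, 0) > now

    def is_open(self, ip):
        return ip in self.opened

    def knock(self, ip, port, now):
        """Handle one connection attempt; returns blocked/opened/progress/ignored."""
        if self.is_blocked(ip, now):
            return "blocked"
        if port in GUARD_PORTS:
            self.progress.pop(ip, None)              # sequence is broken...
            self.blocked_until[ip] = now + BLOCK_SECONDS  # ...and the source is blocked
            return "blocked"
        if port not in KNOCK_SEQUENCE:
            return "ignored"                         # unrelated traffic
        idx, started = self.progress.get(ip, (0, now))
        if now - started > KNOCK_WINDOW:
            idx, started = 0, now                    # stale attempt: start over
        if port == KNOCK_SEQUENCE[idx]:
            idx += 1
        else:
            # Out of order: restart, crediting the knock if it was the first port.
            idx, started = (1, now) if port == KNOCK_SEQUENCE[0] else (0, now)
        if idx == len(KNOCK_SEQUENCE):
            self.progress.pop(ip, None)
            self.opened.add(ip)
            return "opened"
        self.progress[ip] = (idx, started)
        return "progress"
```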