From: Erik Norgaard <norgaard@locolomo.org>
To: RW
Cc: freebsd-questions@freebsd.org
Date: Wed, 24 Jun 2009 15:53:15 +0200
Subject: Re: Best practices for securing SSH server
Message-ID: <4A422FCB.2050900@locolomo.org>
In-Reply-To: <20090624143613.6a87a749@gumby.homeunix.com>

RW wrote:
> On Tue, 23 Jun 2009 22:37:12 +0200
> Erik Norgaard wrote:
>
>> You're right, as long as port-knocking as a first-pass authentication
>> scheme is not in widespread use, then any attackers will not waste
>> time port-knocking. If ever port-knocking becomes common, attackers
>> will adapt and start knocking.
>
> It would be fairly straightforward to prevent that by having a
> combination of knocking ports and secret guard ports. When a guard port
> gets hit the sequence is broken, and the source IP gets blocked for a
> while.

Great: Wouldn't that be the same as monitoring failed login attempts and
temporarily blacklisting IPs that repeatedly connect through standard
methods?

Point remains: Adding port knocking does not solve any security problem,
it only adds complexity, cost, points of failure, inconvenience etc.
while making your problem appear differently and leaving you with the
illusion of being more secure.

BR, Erik

-- 
Erik Nørgaard
Ph: +34.666334818/+34.915211157
http://www.locolomo.org
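The alternative Erik points to above, monitoring failed login attempts and temporarily blacklisting repeat offenders, is what sshguard and fail2ban style tools do. The following is an added example written for this page, not code from the thread or from any of those projects: it parses syslog-style OpenSSH "Failed password" lines (the sample log, the host name, the process IDs and the RFC 5737 documentation addresses are all constructed), counts failures per source address in a sliding window, bans the address for a fixed period, and renders pfctl(8) table commands for the bans active at a given moment. The threshold, window, ban time and the pf table name ssh_bruteforce are arbitrary choices for the illustration.

```python
"""Temporary blacklisting of repeat SSH offenders, driven by sshd log lines.

Added example: sliding-window strike counter with expiring bans, fed by
constructed syslog lines.  Only the pfctl(8) commands at the end are
FreeBSD-specific; the table name is an assumption for this example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# OpenSSH failure lines as logged through syslog (month day time host sshd[pid]: ...).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed (?:password|publickey) for (?:invalid user )?\S+ "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)
LOG_YEAR = 2009  # syslog timestamps carry no year; assumed for the sample


def parse_ts(text):
    """Turn 'Jun 24 15:53:15' into a datetime (year assumed, see LOG_YEAR)."""
    return datetime.strptime(f"{LOG_YEAR} {text}", "%Y %b %d %H:%M:%S")


class TempBlocker:
    """Count failures per IP inside a sliding window; ban on reaching threshold."""

    def __init__(self, threshold=3, window=timedelta(seconds=60),
                 ban_time=timedelta(minutes=10)):
        self.threshold = threshold
        self.window = window
        self.ban_time = ban_time
        self.strikes = defaultdict(deque)  # ip -> failure timestamps in window
        self.banned = {}                   # ip -> ban expiry time

    def is_banned(self, ip, now):
        expiry = self.banned.get(ip)
        return expiry is not None and expiry > now

    def failure(self, ip, now):
        """Record one failed login; return True if this one triggers a ban."""
        if self.is_banned(ip, now):
            return False                   # already blocked, nothing new
        q = self.strikes[ip]
        q.append(now)
        while q and now - q[0] > self.window:   # forget strikes outside window
            q.popleft()
        if len(q) >= self.threshold:
            self.banned[ip] = now + self.ban_time
            q.clear()                      # start fresh once the ban lapses
            return True
        return False

    def active_bans(self, now):
        return {ip: exp for ip, exp in self.banned.items() if exp > now}


def process_log(lines, **kw):
    """Feed log lines through a TempBlocker; return (blocker, list of ban events)."""
    blocker = TempBlocker(**kw)
    events = []                            # (ip, banned_at, banned_until)
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue                       # accepted logins, other daemons, etc.
        now = parse_ts(m["ip"] and m["ts"])
        if blocker.failure(m["ip"], now):
            events.append((m["ip"], now, blocker.banned[m["ip"]]))
    return blocker, events


def pfctl_commands(blocker, now, table="ssh_bruteforce"):
    """Render pfctl(8) table additions for bans active at `now` (table name assumed)."""
    return [f"pfctl -t {table} -T add {ip}" for ip in sorted(blocker.active_bans(now))]


# Constructed sample log; addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Jun 24 15:53:15 mail sshd[6120]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jun 24 15:53:20 mail sshd[6122]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Jun 24 15:53:25 mail sshd[6124]: Failed password for root from 198.51.100.7 port 40111 ssh2
Jun 24 15:53:30 mail sshd[6126]: Failed password for root from 203.0.113.5 port 51251 ssh2
Jun 24 15:55:00 mail sshd[6130]: Failed password for root from 198.51.100.7 port 40125 ssh2
Jun 24 15:56:00 mail sshd[6133]: Accepted publickey for erik from 192.0.2.9 port 55020 ssh2
Jun 24 16:05:00 mail sshd[6140]: Failed password for root from 203.0.113.5 port 51300 ssh2
""".splitlines()

if __name__ == "__main__":
    blocker, events = process_log(SAMPLE_LOG)
    for ip, when, until in events:
        print(f"{when:%H:%M:%S} banned {ip} until {until:%H:%M:%S}")
    print("\n".join(pfctl_commands(blocker, parse_ts("Jun 24 15:58:00"))))
```

On the sample, 203.0.113.5 collects three failures inside a minute and is banned at 15:53:30 until 16:03:30; 198.51.100.7 never has more than one failure in any 60-second window, and the failure from 203.0.113.5 at 16:05:00 lands after the ban has lapsed and only starts a new count. A real deployment would also have to delete lapsed entries from the pf table (pfctl -t ssh_bruteforce -T delete) and cope with log rotation, which this example leaves out.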