From owner-freebsd-questions@FreeBSD.ORG Wed Jun 24 14:02:25 2009
Date: Wed, 24 Jun 2009 16:02:21 +0200
From: cpghost
To: Erik Norgaard
Cc: freebsd-questions@freebsd.org
Message-ID: <20090624140221.GA1974@phenom.cordula.ws>
References: <4A406D81.3010803@locolomo.org> <4A4109DE.3050000@locolomo.org> <4A413CF8.60901@locolomo.org> <20090624143613.6a87a749@gumby.homeunix.com> <4A422FCB.2050900@locolomo.org>
In-Reply-To: <4A422FCB.2050900@locolomo.org>
User-Agent: Mutt/1.5.19 (2009-01-05)
Subject: Re: Best practices for securing SSH server
List-Id: User questions

On Wed, Jun 24, 2009 at 03:53:15PM +0200, Erik Norgaard wrote:
> RW wrote:
> > On Tue, 23 Jun 2009 22:37:12 +0200
> > Erik Norgaard wrote:
> >
> >> You're right, as long as port-knocking as a first pass authentication
> >> scheme is not in widespread use, then any attackers will not waste
> >> time port-knocking. If ever port-knocking becomes common, attackers
> >> will adapt and start knocking.
> >
> > It would be fairly straightforward to prevent that by having a
> > combination of knocking ports and secret guard ports. When a guard port
> > gets hit the sequence is broken, and the source IP gets blocked for a
> > while.
>
> Great: Wouldn't that be the same as monitoring failed login attempts and
> temporarily blacklisting IPs that repeatedly connect through standard
> methods?

Hmmm..., you're right on this point. But port knocking can be useful and
provide more security *if* you modify the knocking sequence algorithmically
and make it, e.g. a function of time, source IP/range (and other factors).
This could prevent a whole class of replay-attacks.

Of course, you can modify the keys/passwords algorithmically and make them
a function of time, source IP etc. as well... ;-)

And while we're at it: how about real OPIE? Or combining SSH keys, OPIE,
and port knocking?

> Erik Nørgaard
> Ph: +34.666334818/+34.915211157 http://www.locolomo.org

-cpghost.

-- 
Cordula's Web. http://www.cordula.ws/
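The two ideas in this exchange, RW's secret guard ports that break the sequence and block the source, and cpghost's knock sequence that is a function of time and source IP so a captured sequence cannot be replayed, combined into one verifier. This is an added example written for this archive page, not code from the thread or from any port-knocking daemon. Everything in it is an assumption chosen for illustration: the sequence is derived with HMAC-SHA256 over the source address and a 30-second time step (TOTP-style), knock ports are drawn from 20000-59999, the guard ports 1234 and 4321 sit outside that range so they can never collide with a derived knock, and the secret, timestamps and addresses are constructed test data.

```python
"""Time- and source-dependent knock sequence with guard ports (illustrative sketch)."""
import hashlib
import hmac
import ipaddress
import struct

KNOCK_LEN = 4                    # ports in one knock sequence (assumption)
PORT_LO, PORT_HI = 20000, 60000  # range knock ports are drawn from (assumption)
WINDOW = 30                      # seconds per time step, TOTP-style (assumption)


def knock_sequence(secret, src_ip, step, length=KNOCK_LEN):
    """Expected knock ports for one source address and one time step.

    HMAC-SHA256(secret, src_ip || step || counter) is sliced into 16-bit
    values and mapped into [PORT_LO, PORT_HI); duplicates are skipped so the
    result holds `length` distinct ports.  A replay from another address or
    in another time step derives a different sequence.  Hypothetical scheme.
    """
    prefix = ipaddress.ip_address(src_ip).packed + struct.pack(">Q", step)
    ports = []
    counter = 0
    while len(ports) < length:
        digest = hmac.new(secret, prefix + struct.pack(">I", counter), hashlib.sha256).digest()
        for i in range(0, len(digest) - 1, 2):
            port = PORT_LO + int.from_bytes(digest[i:i + 2], "big") % (PORT_HI - PORT_LO)
            if port not in ports:
                ports.append(port)
            if len(ports) == length:
                break
        counter += 1
    return ports


class KnockVerifier:
    """Feed it connection attempts to closed ports; it tracks per-source progress."""

    def __init__(self, secret, guard_ports, block_seconds=600, skew_steps=1):
        self.secret = secret
        self.guard_ports = frozenset(guard_ports)   # must lie outside the knock range
        self.block_seconds = block_seconds
        self.skew_steps = skew_steps                 # clock skew tolerated, in steps
        self.progress = {}                           # src_ip -> knock ports seen so far
        self.blocked_until = {}                      # src_ip -> unblock timestamp

    def is_blocked(self, src_ip, now):
        until = self.blocked_until.get(src_ip)
        if until is None:
            return False
        if now >= until:
            del self.blocked_until[src_ip]
            return False
        return True

    def observe(self, now, src_ip, dst_port):
        """Returns 'blocked', 'open', 'progress' or 'reset' for one attempt."""
        if self.is_blocked(src_ip, now):
            return "blocked"
        if dst_port in self.guard_ports:
            # RW's guard port: the sequence is broken and the source is blocked.
            self.blocked_until[src_ip] = now + self.block_seconds
            self.progress.pop(src_ip, None)
            return "blocked"
        seen = self.progress.get(src_ip, []) + [dst_port]
        step = int(now) // WINDOW
        candidates = [knock_sequence(self.secret, src_ip, s)
                      for s in range(step - self.skew_steps, step + self.skew_steps + 1)]
        if any(seq[:len(seen)] == seen for seq in candidates):
            if any(seq == seen for seq in candidates):
                self.progress.pop(src_ip, None)
                return "open"          # caller would now admit src_ip to the real port
            self.progress[src_ip] = seen
            return "progress"
        self.progress[src_ip] = []     # wrong port: start over
        return "reset"


def demo():
    """Constructed scenario: legitimate knock, two replays, guard port probe."""
    secret = b"constructed-shared-secret"            # constructed, not a real key
    v = KnockVerifier(secret, guard_ports={1234, 4321})
    client, other = "203.0.113.10", "198.51.100.7"   # documentation-range addresses
    t0 = 1_245_852_000.0                             # constructed timestamp
    seq = knock_sequence(secret, client, int(t0) // WINDOW)
    results = {}
    # The client knocks its own sequence within the current window.
    results["legit"] = [v.observe(t0 + i, client, p) for i, p in enumerate(seq)][-1]
    # The same ports sent from another address: sequence is bound to the source IP.
    results["replay_other_ip"] = [v.observe(t0 + i, other, p) for i, p in enumerate(seq)][-1]
    # The same ports sent by the client 1000 s later: time step has moved on.
    results["replay_later"] = [v.observe(t0 + 1000 + i, client, p) for i, p in enumerate(seq)][-1]
    # Touching a guard port blocks the source; even a correct sequence is then ignored.
    v.observe(t0 + 2000, other, 1234)
    seq2 = knock_sequence(secret, other, int(t0 + 2000) // WINDOW)
    results["guard_then_correct"] = [v.observe(t0 + 2000 + i, other, p) for i, p in enumerate(seq2)][-1]
    results["unblocked_after_timeout"] = not v.is_blocked(other, t0 + 2000 + 700)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The verifier only ever sees hits on closed ports, so it sits naturally behind a firewall log rather than in the SSH path; what "open" does afterwards (inserting a temporary allow rule for the source) is deliberately left to the caller. The skew tolerance of one step on each side is the same trade-off TOTP makes: it keeps a slightly wrong client clock working while still bounding how long a captured sequence stays valid.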