From: Daniel Underwood
To: Erik Norgaard
Cc: RW, freebsd-questions@freebsd.org
Date: Wed, 24 Jun 2009 10:43:21 -0400
Subject: Re: Best practices for securing SSH server

> Point remains: Adding port knocking does not solve any security problem, it only adds
> complexity, cost, points of failure, inconvenience etc while making your problem appear
> differently and leaving you with the illusion of being more secure.

I think that's grossly overstated, if not just plain wrong. Ceteris paribus, a system with port knocking is almost certainly more secure than a system without port knocking. It's not a guarantee against penetration. But even if it's only a heightened "degree" of security, not an additional "kind" of security measure (as you argue), it's still heightened security.