Date: Fri, 31 Aug 2001 17:51:43 -0400 (EDT)
From: Rob Simmons <rsimmons@wlcg.com>
To: Eric Anderson <anderson@centtech.com>
Cc: Not Going to Tell You <luckywolf19@hotmail.com>, <security@freebsd.org>
Subject: Re: Possible New Security Tool For FreeBSD, Need Your Help.
Message-ID: <20010831174446.R50234-100000@mail.wlcg.com>
In-Reply-To: <3B8FF3B7.39F7646E@centtech.com>

Why not require the incoming packets to be spoofed from a preordained set
of IP addresses to obfuscate it even more?

Robert Simmons
Systems Administrator
http://www.wlcg.com/

On Fri, 31 Aug 2001, Eric Anderson wrote:

> I guess what I meant by tight was that you would only allow packets from
> known trusted ip's (like the ones you would be coming from) and deny
> all to everyone else. Of course someone could spoof your ip, but they
> would have a hard time finding out that ip. The comment on sniffing was
> to cover the bases, not to say it happens all the time, but you can't
> rule things out on the basis that "99.9% of all hackers".. that's a bad
> mentality to have when dealing with security issues I think.. It's a
> good idea, I'm just asking what benefit it gives you over a strict
> ipfilter list?
>
> Also, would you have a "client" tool to use to do this? if it was
> software that did it, wouldn't it be better to do a LOT of ports, in a
> certain order, etc? Like 100-200? 5 is way too few to make it
> unhackable. By the way, guessing key sequences isn't hard, it's simple,
> it just takes time, and that's something that computers have a lot of.
> Yes, it would take a long time, but it could do it.. I'm just saying it
> could be a false security.
>
> Why not do something that's based on time? Like, sshd (or anything you
> want) will be at port X at time Y depending on Z (where Z is a 'salt'
> kind of thing you define). So, using an algorithm with X, Y, and Z, and
> the time, your server and client use the same calculations to find what
> X will be at a given Y. You would just need your clocks synced. This
> isn't perfect either, just more stuff to throw in to the mess. :)
>
> Eric
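
The time-based port scheme described in the quoted message, sketched as an added example (not code from anyone in this thread): port X is derived with HMAC-SHA256 from a shared secret Z and the current time slot Y, and the server accepts neighbouring slots to tolerate clock drift. The port range, slot length, function names and sample secret are assumptions; the scheme only moves the listener around and leaves authentication to the service itself.

```python
import hashlib
import hmac
import struct
import time

# Assumed parameters, not taken from the thread.
PORT_MIN, PORT_MAX = 20000, 60000   # inclusive range the service may hop across
WINDOW_SECONDS = 300                # length of one time slot "Y"


def port_for_slot(secret: bytes, slot: int) -> int:
    """Port X for time slot Y under shared secret Z.

    A keyed MAC is used so that observing past ports does not reveal
    future ones without the secret.
    """
    mac = hmac.new(secret, struct.pack(">Q", slot), hashlib.sha256).digest()
    value = int.from_bytes(mac[:8], "big")
    return PORT_MIN + value % (PORT_MAX - PORT_MIN + 1)


def slot_for_time(now: float) -> int:
    """Map a Unix timestamp to its slot number (never negative)."""
    return max(0, int(now) // WINDOW_SECONDS)


def current_port(secret: bytes, now: float) -> int:
    """Client side: the single port to connect to right now."""
    return port_for_slot(secret, slot_for_time(now))


def acceptable_ports(secret: bytes, now: float, skew_slots: int = 1) -> set:
    """Server side: ports to listen on, covering +/- skew_slots of drift.

    "You would just need your clocks synced": accepting the adjacent
    slots keeps a client that is a few minutes off from being locked out.
    """
    slot = slot_for_time(now)
    first = max(0, slot - skew_slots)
    return {port_for_slot(secret, s) for s in range(first, slot + skew_slots + 1)}


if __name__ == "__main__":
    secret = b"constructed-shared-secret-Z"   # constructed sample value
    now = time.time()
    print("client connects to:", current_port(secret, now))
    print("server listens on: ", sorted(acceptable_ports(secret, now)))
```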