Date: Wed, 24 Jun 2009 15:53:15 +0200 From: Erik Norgaard <norgaard@locolomo.org> To: RW <rwmaillists@googlemail.com> Cc: freebsd-questions@freebsd.org Subject: Re: Best practices for securing SSH server Message-ID: <4A422FCB.2050900@locolomo.org> In-Reply-To: <20090624143613.6a87a749@gumby.homeunix.com> References: <b6c05a470906221816l4001b92cu82270632440ee8a@mail.gmail.com> <4A406D81.3010803@locolomo.org> <b6c05a470906230653i6ce647c1p415e769b63d9e169@mail.gmail.com> <4A4109DE.3050000@locolomo.org> <b6c05a470906231311q48a56fddk77b456dc29695ed3@mail.gmail.com> <4A413CF8.60901@locolomo.org> <20090624143613.6a87a749@gumby.homeunix.com>
next in thread | previous in thread | raw e-mail | index | archive | help
RW wrote: > On Tue, 23 Jun 2009 22:37:12 +0200 > Erik Norgaard <norgaard@locolomo.org> wrote: > >> You're right, as long as port-knocking as a first pass authentication >> scheme is not in wide spread use, then any attackers will not waste >> time port-knocking. If ever port-knocking becomes common, attackers >> will adapt and start knocking. > > It would be fairly straightforward to prevent that by having a > combination of knocking ports and secret guard ports. When a guard port > gets hit the sequence is broken, and the source IP gets blocked for a > while. Great: Wouldn't that be the same as monitoring failed login attempts and temporarily blacklisting ips that repeatedly connect through standard methods? Point remains: Adding port knocking does not solve any security problem, it only adds complexity, cost, points of failure, inconvenience etc while making your problem appear differently and leaving you with the illusion of being more secure. BR, Erik -- Erik Nørgaard Ph: +34.666334818/+34.915211157 http://www.locolomo.org
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4A422FCB.2050900>