Best practices for securing SSH server
norgaard at locolomo.org
Tue Jun 23 20:37:15 UTC 2009
Daniel Underwood wrote:
>> A port-knocking sequence is really nothing different than a shared password.
> Technically and conceptually, that's true. But "practically", I'm not
> sure you're right. If in addition to attempting to enumerate the
> space of possible passwords, an attacker also enumerates the space of
> possible port-knocking sequences, then, yes, you're right. But I am
> willing to bet that the vast majority of attackers DO NOT attempt
> this. For this reason, I think well-designed port-knocking DOES add
> significant strength to the server.
You're right, as long as port-knocking as a first pass authentication
scheme is not in wide spread use, then any attackers will not waste time
port-knocking. If ever port-knocking becomes common, attackers will
adapt and start knocking. Or: if you want to keep port-knocking useful
then don't recommend it to anyone!
I think it is a bad idea, a wrong route to go. I think that there are so
many other options for improving security that are well tested, much
easier to deploy, cause less user annoyance etc etc.
Since, as said, the knocking sequence is a shared secret, the more users
you have the more likely it will be disclosed, and the more difficult it
is to distribute new knocking sequences as more users are affected.
More complexity, more possible failures and errors means more resources
spent on user support, and more resources spend on configuring the new
"toy". Resources that could be well spent on improving actual security
and monitoring actual threats.
You may deploy port-knocking at home for your own curriousity, but it
has no value on your curriculum.
Ph: +34.666334818/+34.915211157 http://www.locolomo.org
More information about the freebsd-questions