Best practices for securing SSH server

Erik Norgaard norgaard at
Tue Jun 23 20:37:15 UTC 2009

Daniel Underwood wrote:
>> A port-knocking sequence is really nothing different than a shared password.
> Technically and conceptually, that's true.  But "practically", I'm not
> sure you're right.  If in addition to attempting to enumerate the
> space of possible passwords, an attacker also enumerates the space of
> possible port-knocking sequences, then, yes, you're right.  But I am
> willing to bet that the vast majority of attackers DO NOT attempt
> this.  For this reason, I think well-designed port-knocking DOES add
> significant strength to the server.

You're right, as long as port-knocking as a first pass authentication 
scheme is not in wide spread use, then any attackers will not waste time 
port-knocking. If ever port-knocking becomes common, attackers will 
adapt and start knocking. Or: if you want to keep port-knocking useful 
then don't recommend it to anyone!

I think it is a bad idea, a wrong route to go. I think that there are so 
many other options for improving security that are well tested, much 
easier to deploy, cause less user annoyance etc etc.

Since, as said, the knocking sequence is a shared secret, the more users 
you have the more likely it will be disclosed, and the more difficult it 
is to distribute new knocking sequences as more users are affected.

More complexity, more possible failures and errors means more resources 
spent on user support, and more resources spend on configuring the new 
"toy". Resources that could be well spent on improving actual security 
and monitoring actual threats.

You may deploy port-knocking at home for your own curriousity, but it 
has no value on your curriculum.

BR, Erik
Erik Nørgaard
Ph: +34.666334818/+34.915211157        

More information about the freebsd-questions mailing list