Best practices for securing SSH server
cpghost
cpghost at cordula.ws
Wed Jun 24 14:02:25 UTC 2009
On Wed, Jun 24, 2009 at 03:53:15PM +0200, Erik Norgaard wrote:
> RW wrote:
> > On Tue, 23 Jun 2009 22:37:12 +0200
> > Erik Norgaard <norgaard at locolomo.org> wrote:
> >
> >> You're right, as long as port-knocking as a first pass authentication
> >> scheme is not in wide spread use, then any attackers will not waste
> >> time port-knocking. If ever port-knocking becomes common, attackers
> >> will adapt and start knocking.
> >
> > It would be fairly straightforward to prevent that by having a
> > combination of knocking ports and secret guard ports. When a guard port
> > gets hit the sequence is broken, and the source IP gets blocked for a
> > while.
>
> Great: Wouldn't that be the same as monitoring failed login attempts and
> temporarily blacklisting ips that repeatedly connect through standard
> methods?
Hmmm..., you're right on this point.
But port knocking can be useful and provide more security *if* you
modify the knocking sequence algorithmically and make it, e.g. a
function of time, source IP/range (and other factors). This could
prevent a whole class of replay-attacks.
Of course, you can modify the keys/passwords algorithmically and
make them a function of time, source IP etc. as well... ;-)
And while we're at it: how about real OPIE? Or combining SSH keys,
OPIE, and port knocking?
> Erik Nørgaard
> Ph: +34.666334818/+34.915211157 http://www.locolomo.org
-cpghost.
--
Cordula's Web. http://www.cordula.ws/
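One way to make the knock sequence a function of time and source IP, as the reply above suggests, shown as an added Python example that is not from the thread or from any existing knock daemon: client and server share a secret, derive three ports from an HMAC over the current time window and the client's IP, and the server redeems each (IP, window) pair at most once, so a captured sequence is useless from another address or after the window passes. The secret, the 30-second window, the port range and the sample addresses are assumptions.

```python
import hashlib
import hmac
import ipaddress
import struct
import time

WINDOW_SECONDS = 30          # assumed knock window; sequence changes every 30 s
KNOCK_COUNT = 3              # number of ports in one sequence (assumption)
PORT_LO, PORT_HI = 10000, 60000   # assumed range the knock ports are drawn from


def current_window(now=None):
    """Index of the time window containing `now` (epoch seconds)."""
    return int((time.time() if now is None else now) // WINDOW_SECONDS)


def knock_sequence(secret, src_ip, window, count=KNOCK_COUNT):
    """Derive the knock ports for one (window, source IP) pair.

    HMAC-SHA256 over the window counter and the packed IP address is sliced
    into 4-byte chunks; each chunk selects one port in [PORT_LO, PORT_HI).
    Both sides can compute this independently from the shared secret."""
    msg = struct.pack(">Q", window) + ipaddress.ip_address(src_ip).packed
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    span = PORT_HI - PORT_LO
    return [PORT_LO + int.from_bytes(mac[4 * i:4 * i + 4], "big") % span
            for i in range(count)]


class KnockVerifier:
    """Server side: accept a sequence only for the current window (plus a
    small clock-skew tolerance) and only once per (IP, window)."""

    def __init__(self, secret, tolerance=1):
        self.secret = secret
        self.tolerance = tolerance    # how many past windows are still accepted
        self.redeemed = set()         # (src_ip, window) pairs already used

    def check(self, src_ip, observed_ports, now=None):
        w = current_window(now)
        for cand in range(w - self.tolerance, w + 1):
            if (src_ip, cand) in self.redeemed:
                continue              # replay of an already-used sequence
            if hmac.compare_digest(str(observed_ports),
                                   str(knock_sequence(self.secret, src_ip, cand))):
                self.redeemed.add((src_ip, cand))
                return True
        return False                  # wrong ports, wrong IP, or expired window
```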
More information about the freebsd-questions mailing list