Daniel Underwood wrote:
I do not believe that tricks like running ssh on a
non standard port or using port-knocking provide
much extra security.
I can understand that varying the port is not a very strong defensive
measure, but I don't understand your point about port-knocking.
If you configure a complex and seemingly random sequence of knocks
before allowing an IP access to your ssh port, have you not
significantly strengthened your ssh server?
A port-knocking sequence is really nothing different than a shared
password. Since there is no user dialog, the sequence has to be known by
all users accessing the system.
Basically you ask your users to authenticate twice - don't you think you
could get the same security with a standard deployment insisting on good
passwords or better yet, using keys?
You add an extra layer of inconvenience and complexity, more things that
can fail and possibly result in an insecure server:
- dynamically updating firewall rules on the interface facing the
Internet is not on my list of good practices. loading or flushing rules
continuously is the recipe for service interruption or exposing your
server to the net.
- nor is having a sniffer daemon putting the network interface in
promiscuous mode, a daemon that listen on lots of ports! that really
sounds attractive. (yup: that's the latest version on portknocking.org).
And it can result in people being unable to access if the knocks are
filtered at the source.
BR, Erik
--
Erik Nørgaard
Ph: +34.666334818/+34.915211157 http://www.locolomo.org
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
