RW wrote:
On Tue, 23 Jun 2009 22:37:12 +0200
Erik Norgaard <norga...@locolomo.org> wrote:
You're right, as long as port-knocking as a first pass authentication
scheme is not in wide spread use, then any attackers will not waste
time port-knocking. If ever port-knocking becomes common, attackers
will adapt and start knocking.
It would be fairly straightforward to prevent that by having a
combination of knocking ports and secret guard ports. When a guard port
gets hit the sequence is broken, and the source IP gets blocked for a
while.
Great: Wouldn't that be the same as monitoring failed login attempts and
temporarily blacklisting ips that repeatedly connect through standard
methods?
Point remains: Adding port knocking does not solve any security problem,
it only adds complexity, cost, points of failure, inconvenience etc
while making your problem appear differently and leaving you with the
illusion of being more secure.
BR, Erik
--
Erik Nørgaard
Ph: +34.666334818/+34.915211157 http://www.locolomo.org
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
