On Wed, Jun 24, 2009 at 03:53:15PM +0200, Erik Norgaard wrote:
> RW wrote:
> > On Tue, 23 Jun 2009 22:37:12 +0200
> > Erik Norgaard <norga...@locolomo.org> wrote:
> >
> >> You're right, as long as port-knocking as a first pass authentication
> >> scheme is not in widespread use, then any attackers will not waste
> >> time port-knocking. If ever port-knocking becomes common, attackers
> >> will adapt and start knocking.
> >
> > It would be fairly straightforward to prevent that by having a
> > combination of knocking ports and secret guard ports. When a guard port
> > gets hit the sequence is broken, and the source IP gets blocked for a
> > while.
>
> Great: Wouldn't that be the same as monitoring failed login attempts and
> temporarily blacklisting IPs that repeatedly connect through standard
> methods?
Hmmm..., you're right on this point. But port knocking can be useful and
provide more security *if* you modify the knocking sequence algorithmically
and make it, e.g., a function of time, source IP/range (and other factors).
This could prevent a whole class of replay attacks.

Of course, you can modify the keys/passwords algorithmically and make them a
function of time, source IP etc. as well... ;-)

And while we're at it: how about real OPIE? Or combining SSH keys, OPIE, and
port knocking?

> Erik Nørgaard
> Ph: +34.666334818/+34.915211157 http://www.locolomo.org

-cpghost.

--
Cordula's Web. http://www.cordula.ws/
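The "knocking sequence as a function of time and source IP" idea in the reply above, as an added example that is not code from the thread or from any knock daemon: both ends derive the port sequence from a shared secret, the current time window and the client's source address with HMAC-SHA256 (the same construction TOTP uses, applied to ports instead of digits). The window length, sequence length, port range, skew tolerance and the secret are constructed assumptions for the example. A sequence captured on the wire is only valid for its own window and source IP, so replaying it later or from another host fails; the server still needs real authentication behind the opened port, since the scheme is only as strong as the shared secret.

```python
import hashlib
import hmac
import struct
import time

# Constructed parameters (assumptions for this example, not from the thread).
WINDOW_SECONDS = 60                 # the knock sequence changes every minute
SEQUENCE_LENGTH = 4                 # ports per knock sequence
PORT_LOW, PORT_HIGH = 10000, 60000  # unprivileged range to draw knock ports from
SKEW_WINDOWS = 1                    # also accept the previous/next window (clock drift)


def current_window(now=None):
    """Map a UNIX timestamp to its time-window counter."""
    if now is None:
        now = time.time()
    return int(now) // WINDOW_SECONDS


def knock_sequence(secret, source_ip, window):
    """Derive the knock sequence for (source_ip, window) from the shared secret.

    Client and server compute this independently; only the secret is shared.
    Each port comes from a distinct 2-byte slice of one HMAC-SHA256 tag, so the
    sequence for another window or another source IP is unrelated to this one.
    """
    msg = struct.pack(">Q", window) + source_ip.encode("ascii")
    tag = hmac.new(secret, msg, hashlib.sha256).digest()
    span = PORT_HIGH - PORT_LOW
    ports = []
    for i in range(SEQUENCE_LENGTH):
        chunk = int.from_bytes(tag[2 * i:2 * i + 2], "big")
        ports.append(PORT_LOW + chunk % span)
    return ports


def verify_knock(secret, source_ip, observed_ports, now=None):
    """Server side: accept the observed sequence only if it equals the expected
    sequence for the current window (or an adjacent one, for clock skew) of the
    address the packets actually came from.  A sequence replayed later, or from
    a different address, derives to different ports and is rejected."""
    w = current_window(now)
    for candidate in range(w - SKEW_WINDOWS, w + SKEW_WINDOWS + 1):
        if list(observed_ports) == knock_sequence(secret, source_ip, candidate):
            return True
    return False


def replay_demo(secret=b"constructed-shared-secret", client_ip="192.0.2.10"):
    """Walk through one legitimate knock and two replays; return the outcomes."""
    t0 = 1000 * WINDOW_SECONDS + 5          # constructed timestamp inside window 1000
    seq = knock_sequence(secret, client_ip, current_window(t0))   # what the client sends
    return {
        "fresh_same_ip": verify_knock(secret, client_ip, seq, now=t0),
        "replayed_five_windows_later": verify_knock(secret, client_ip, seq,
                                                    now=t0 + 5 * WINDOW_SECONDS),
        "replayed_from_other_ip": verify_knock(secret, "192.0.2.99", seq, now=t0),
    }


if __name__ == "__main__":
    for label, accepted in replay_demo().items():
        print(f"{label}: {'accepted' if accepted else 'rejected'}")
```

The server must feed `verify_knock` the source address it observed on the knock packets, not anything the client claims; that binding is what makes the replay from another host fail. Because a knock in a NATed network shares one source IP, the per-IP binding only distinguishes networks, not hosts behind the same NAT.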