On Sun, Oct 22, 2006 at 04:41:17PM +0200, Steffen Wendzel wrote:
> 
> this isn't correct. Every service had some security problems in the
> past. Imagine that your service X is vulnerable (only since a few h
> by a zero day exploit or so) and someone tries to exploit it at 2:00 in
> the morning.
> 
> but if you run some port knocking service (and your attacker does not
> know the port combination/secret key or even does not know about a
> running port knocking system), he cannot attack your service.
> 
> if you only need the service for administration, you could do such a
> "hiding" of the service. you only would need to open the port by the
> portknocking service a few min while you use it to do some administration.

This recently came up on another mailing list. Someone had a portknocker
similar to the one you have. It even had some interesting features that
yours doesn't have. So they felt secure.

They felt so secure that they were in no hurry to update the system and
left a very old, unpatched sshd on the box, guarded by the portknocker.
Imagine what happened. Yes, when they had the port opened someone hacked
the computer. Real life story, bad consequences.

Did the port knocker create this problem? Nooooo, but. If you realize
exactly what security you're getting (almost none) then you behave
differently and keep your box secure. If you think you're uber-secure
when you're not then you're asking for trouble. Are there people out
there with sshd using password auth and poor passwords thinking they're
safe because of a port knocker? Sure there are.

I don't use a port knocker, and I never have. I have friends that do,
and I warn them to keep their system patched anyway. If you have an
up-to-date system, using a port knocker doesn't hurt security and can
provide some small benefits like not being visible to ssh-scanning
script kiddies and therefore saving a bit of writing to /var/log.

-- 
Darrin Chandler            |  Phoenix BSD Users Group
[EMAIL PROTECTED]   |  http://bsd.phoenix.az.us/
http://www.stilyagin.com/  |
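The mechanism the quoted post describes (a knock sequence opens the administrative port for a few minutes, for that source only) and the point of the reply (the knock only decides who can reach the port; the daemon behind it is unchanged, so it still has to be patched) can both be seen in a small state machine. The following is an added example written for this page, not code from either poster or from any port-knocking project. The knock sequence, the timing constants, the log-line format and the addresses are all constructed for the demonstration.

```python
"""Port-knock state machine: the right sequence of SYNs opens a protected
port for one source for a short time; anything else to that port is dropped.
Example code for this page, not from the thread; all values are constructed."""
import re
from dataclasses import dataclass, field

PROTECTED_PORT = 22
KNOCK_SEQUENCE = (7000, 8000, 9000)   # constructed; a real deployment picks its own
KNOCK_WINDOW = 10.0                   # seconds allowed to complete the sequence
OPEN_DURATION = 180.0                 # "a few min" the port stays open per source


@dataclass
class PortKnocker:
    sequence: tuple = KNOCK_SEQUENCE
    window: float = KNOCK_WINDOW
    open_for: float = OPEN_DURATION
    # src -> (index of next expected knock, time of first knock in this attempt)
    _progress: dict = field(default_factory=dict)
    _open_until: dict = field(default_factory=dict)  # src -> expiry time

    def knock(self, src, dport, now):
        """Record one SYN to a non-protected port. True when the sequence completes."""
        idx, started = self._progress.get(src, (0, now))
        if idx > 0 and now - started > self.window:
            idx, started = 0, now            # too slow: the attempt expires
        if dport == self.sequence[idx]:
            if idx == 0:
                started = now
            idx += 1
            if idx == len(self.sequence):
                self._open_until[src] = now + self.open_for
                self._progress.pop(src, None)
                return True
            self._progress[src] = (idx, started)
        elif dport == self.sequence[0]:
            self._progress[src] = (1, now)   # wrong knock, but it starts a new attempt
        else:
            self._progress.pop(src, None)    # any other port resets the attempt
        return False

    def is_open(self, src, now):
        """True while this source's temporary opening has not expired."""
        until = self._open_until.get(src)
        if until is None:
            return False
        if now >= until:
            del self._open_until[src]
            return False
        return True

    def decide(self, src, dport, now):
        """Verdict for one SYN: allow/drop on the protected port, knock/opened elsewhere."""
        if dport == PROTECTED_PORT:
            return "allow" if self.is_open(src, now) else "drop"
        return "opened" if self.knock(src, dport, now) else "knock"


# Constructed log format (not any real firewall's): relative time, source, dest port.
LOG_LINE = re.compile(r"t=(?P<t>[\d.]+) src=(?P<src>\S+) dport=(?P<dport>\d+)")

# Constructed sample: an admin knocking correctly, a scanner probing 22 directly,
# a source that knocks too slowly, and the admin coming back after the window closed.
SAMPLE_LOG = """\
t=0.0 src=203.0.113.5 dport=7000
t=1.0 src=203.0.113.5 dport=8000
t=2.0 src=198.51.100.9 dport=22
t=2.5 src=203.0.113.5 dport=9000
t=5.0 src=203.0.113.5 dport=22
t=6.0 src=198.51.100.9 dport=7000
t=7.0 src=198.51.100.9 dport=22
t=30.0 src=192.0.2.77 dport=7000
t=45.0 src=192.0.2.77 dport=8000
t=46.0 src=192.0.2.77 dport=9000
t=47.0 src=192.0.2.77 dport=22
t=200.0 src=203.0.113.5 dport=22
"""


def replay(log_text, knocker=None):
    """Run a log through the state machine; returns [(src, dport, verdict), ...]."""
    knocker = knocker or PortKnocker()
    out = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        src, dport, now = m["src"], int(m["dport"]), float(m["t"])
        out.append((src, dport, knocker.decide(src, dport, now)))
    return out


if __name__ == "__main__":
    for src, dport, verdict in replay(SAMPLE_LOG):
        print(f"{src:>14} -> {dport:<5} {verdict}")
```

Note what the verdicts show: the scanner's direct SYNs to 22 are dropped, the admin's connection is allowed only inside the 180 s opening, and the same admin is dropped again at t=200. Nothing in this code inspects what listens on port 22; an "allow" hands the connection to whatever sshd is there, which is exactly why the reply above insists on keeping that daemon patched regardless of the knocker.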
