Suggestion for a new feature, port code

2011-02-28 Thread Johan Söderberg
A ridiculously simple idea.
Protect your port, say ssh, by adding a code to access it.
Ok, that's nothing new, but maybe how it's done.

For a client to connect to a service, it needs to unlock the port with a code.
The code is made of predefined blocked ports that make pf trigger.
If the first code port is triggered, the IP address enters a state with a timestamp.
If the next port that the address triggers matches the next code port
within a timeframe, let it enter a new state, else lose the state.
When all code ports have been triggered in the right order, allow the
address to pass.

Sure it's not safe from MITM, but it protects from scans, and allows
you to connect from dynamic IP addresses.
There are 65536 ports, that gives you 65536^n possible combinations
where n is the number of ports in your code.
So you probably won't need more than 2-3 ports in your code.

Say what you think! And if you like my brain fart, would you want to
implement it?

Kind regards, Johan Söderberg
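
The state machine the post describes (ordered code ports, per-address state with a timestamp, loss of state on a wrong port or an expired timeframe), as an added example in Python that is not part of the thread; the log line format, the sample hits and the code ports 7000/8000/9000 are constructed for illustration, not real pflog output.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample of hits on blocked ports, one per line: "<epoch-seconds> <src-ip> <dst-port>".
# 203.0.113.5 enters the code in order, 198.51.100.9 scans linearly (hits 7001 after 7000),
# and 192.0.2.77 knocks correctly but too slowly for the timeframe.
SAMPLE_LOG = """\
1298880000 203.0.113.5 7000
1298880002 203.0.113.5 8000
1298880003 198.51.100.9 7000
1298880004 198.51.100.9 7001
1298880005 203.0.113.5 9000
1298880006 198.51.100.9 8000
1298880007 198.51.100.9 9000
1298880010 192.0.2.77 7000
1298880030 192.0.2.77 8000
1298880031 192.0.2.77 9000
"""

def parse_events(text: str) -> List[Tuple[float, str, int]]:
    """Parse the constructed log into (timestamp, source ip, destination port) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, port = line.split()
        events.append((float(ts), ip, int(port)))
    return events

@dataclass
class KnockTracker:
    sequence: Tuple[int, ...]   # the "code": blocked ports that must be hit in this order
    window: float               # seconds allowed between two consecutive knocks
    # per-source progress: ip -> (index of the next expected port, time of the last good knock)
    progress: Dict[str, Tuple[int, float]] = field(default_factory=dict)

    def observe(self, ts: float, ip: str, port: int) -> bool:
        """Feed one hit on a blocked port; return True if ip has just completed the code."""
        idx, last = self.progress.get(ip, (0, ts))
        if idx > 0 and ts - last > self.window:
            idx = 0                       # partial sequence too old: lose state
        if port != self.sequence[idx]:
            self.progress.pop(ip, None)   # wrong port: lose state (this is what defeats a scan)
            return False
        idx += 1
        if idx == len(self.sequence):
            self.progress.pop(ip, None)   # full code entered: the caller may now pass the address
            return True
        self.progress[ip] = (idx, ts)
        return False

def replay(tracker: KnockTracker, events: List[Tuple[float, str, int]]) -> List[str]:
    """Return the source addresses that completed the code, in order of completion."""
    return [ip for ts, ip, port in events if tracker.observe(ts, ip, port)]

if __name__ == "__main__":
    t = KnockTracker(sequence=(7000, 8000, 9000), window=10.0)
    print(replay(t, parse_events(SAMPLE_LOG)))   # prints ['203.0.113.5']
```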


Re: Suggestion for a new feature, port code

2011-02-28 Thread Karl O. Pinc
On 02/28/2011 09:17:25 AM, Johan Söderberg wrote:
> A ridiculously simple idea.
> Protect your port, say ssh, by adding a code to access it.
> Ok, that's nothing new, but maybe how it's done.
> 
> For a client to connect to a service, it needs to unlock the port with
> a code.
> The code is made of predefined blocked ports that make pf trigger.
> If the first code port is triggered, the IP address enters a state with
> a timestamp.
> If the next port that the address triggers matches the next code
> port
> within a timeframe, let it enter a new state, else lose the state.
> When all code ports have been triggered in the right order, allow the
> address to pass.
> 
> Sure it's not safe from MITM, but it protects from scans, and allows
> you to connect from dynamic IP addresses.
> There are 65536 ports, that gives you 65536^n possible combinations
> where n is the number of ports in your code.
> So you probably won't need more than 2-3 ports in your code.
> 
> Say what you think! And if you like my brain fart, would you want to
> implement it?

Your idea is called port knocking, and it's pointless security by
obscurity -- and can be sniffed.  If you want it to be secure you make
the knock code a one-time-pad.  In which case you may as well use skey
for your one-time-pad and be done with it.

If you want to "protect the port" redirect repeat offenders off
into a honeypot.

Karl 
Free Software:  "You don't pay back, you pay forward."
 -- Robert A. Heinlein