"Owen Townend" <[EMAIL PROTECTED]> writes:
> 2008/10/12 Daniel Pittman <[EMAIL PROTECTED]>:
>
> [snip]
>> To me, this is like airport security: I am all in favour of securing air
>> travel.  I am not in favour of doing things that make people *feel*
>> secure without actually doing a damn thing.
>
> Just to quickly weigh in on this...  Port knocking, as long as it is
> not the entire security strategy could be a relevant addition here.
> The problem as stated by the OP is 'idiots from eastern Europe and
> Russia trying to crack my server'.

*nod*  I don't actually disagree.

> The layer of obscurity that port knocking adds could be considered
> akin to changing the port number and even that small change often
> drops the number of attempts to zero (judging by the many reports and
> responses on other lists and forums).

Just as long as, you know, it doesn't get broadly taken up, at which
point the value drops to zero.  ;)

> If someone is actually trying to break _your_ server then it won't
> help much, as you said, but if the intent is to break _a_ server then
> it may be sufficient to make them move on. In this regard a really
> simple sequence is just as effective as anything more complex.

I don't actually disagree with you here: it can add some value, for you,
while it remains essentially ignored by the wider community.

(Well, provided that the port knocking daemon doesn't add additional
 vulnerabilities, which for the trivial "watch the firewall logs"
 implementation, it almost certainly doesn't.)


I think that y'all would be much better off using something like a VPN
which provides a much more standard, tested and secure solution, or
something like the Apache/CGI solution.

Those also have the advantage that they /continue/ to work no matter
what other people do.  (Plus, you know, real security at about the same
setup cost ;)


> The vaunted airport 'security theatre' efforts are similar here in
> that they help prevent casual or impulsive incidents but (arguably)
> don't do much for any true, concerted efforts.

I don't think that there are many casual or impulsive efforts to destroy
or hijack planes -- or to brute force SSH passwords, come to that -- but
I take your point.

Regards,
        Daniel

Footnotes: 
[1]  I say "generally" because I am not aware of any incidents of this
     type, ever, but I am only a casual student of this sort of thing,
     really.


-- 
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
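The "watch the firewall logs" style of port knocking that the thread refers to, as an added example that is not code from the thread or from either poster: a small state machine that reads kernel LOG lines (the format the iptables LOG target emits), tracks each source's progress through an assumed three-port knock sequence, and reports which sources completed it in order and inside a time window. The sample log lines, the sequence 7000/8000/9000, the 30-second window and the year used to parse the timestamps are all constructed for the example; nothing here opens a socket, which is the property that makes this implementation unlikely to add attack surface of its own. It does nothing about the other caveat in the thread: anyone who can see the packets sees the sequence.

```python
import re
from datetime import datetime

# Assumed knock sequence, window and protected port (not from the thread).
KNOCK_SEQUENCE = (7000, 8000, 9000)
KNOCK_WINDOW = 30      # seconds the whole sequence must complete within
PROTECTED_PORT = 22
LOG_YEAR = 2008        # syslog lines carry no year; assumed for parsing

# Matches lines produced by a rule such as
#   iptables -A INPUT -p tcp --syn -j LOG --log-prefix "KNOCK "
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: KNOCK "
    r".*?SRC=(?P<src>[\d.]+) .*?DPT=(?P<dpt>\d+)"
)

# Constructed sample log: three sources, only the first knocks correctly.
SAMPLE_LOG = """\
Oct 12 10:00:01 host kernel: KNOCK IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=7000 SYN
Oct 12 10:00:02 host kernel: KNOCK IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=8000 SYN
Oct 12 10:00:03 host kernel: KNOCK IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=9000 SYN
Oct 12 10:00:05 host kernel: KNOCK IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP DPT=7000 SYN
Oct 12 10:00:06 host kernel: KNOCK IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP DPT=22 SYN
Oct 12 10:00:07 host kernel: KNOCK IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP DPT=8000 SYN
Oct 12 10:00:08 host kernel: KNOCK IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP DPT=9000 SYN
Oct 12 10:01:00 host kernel: KNOCK IN=eth0 SRC=192.0.2.200 DST=192.0.2.10 PROTO=TCP DPT=7000 SYN
Oct 12 10:02:30 host kernel: KNOCK IN=eth0 SRC=192.0.2.200 DST=192.0.2.10 PROTO=TCP DPT=8000 SYN
Oct 12 10:02:31 host kernel: KNOCK IN=eth0 SRC=192.0.2.200 DST=192.0.2.10 PROTO=TCP DPT=9000 SYN
"""


def parse_line(line):
    """Return (timestamp, source address, destination port) or None."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("src"), int(m.group("dpt"))


def process_knocks(lines):
    """Return the sources that hit KNOCK_SEQUENCE in order within KNOCK_WINDOW.

    Any out-of-sequence port (including the protected port itself, which
    is what a scanner hits) resets that source; so does a stale sequence.
    """
    state = {}          # src -> (next stage index, time of first knock)
    opened = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, dpt = parsed
        stage, started = state.get(src, (0, None))
        if stage and (ts - started).total_seconds() > KNOCK_WINDOW:
            stage, started = 0, None            # too slow: start over
        if dpt == KNOCK_SEQUENCE[stage]:
            if stage == 0:
                started = ts
            stage += 1
            if stage == len(KNOCK_SEQUENCE):
                opened.append(src)
                stage, started = 0, None
        else:
            stage, started = 0, None            # wrong port: start over
        state[src] = (stage, started)
    return opened


def allow_command(src):
    """The firewall change a daemon would apply for a completed knock."""
    return f"iptables -I INPUT -s {src} -p tcp --dport {PROTECTED_PORT} -j ACCEPT"


if __name__ == "__main__":
    for src in process_knocks(SAMPLE_LOG.splitlines()):
        print(allow_command(src))
```

Run against the sample, only 203.0.113.7 is admitted: 198.51.100.9 touches port 22 in the middle of its sequence and is reset, and 192.0.2.200 takes 90 seconds between its first two knocks and is reset by the window. A real daemon would tail the log instead of reading a string, apply the rule, and remove it again after a short time.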