Michael Orlitzky <mich...@orlitzky.com> wrote:
> Port knocking is cute, but imparts no extra security.

It does, for instance if you use it to protect sshd and
sshd turns out to be vulnerable; remember e.g. the
security disaster with Debian.

> A better, secure way to achieve the same goal is with OpenVPN.

Using yet another service with possible holes to protect an sshd?
In this case, I would like port knocking at least for this OpenVPN.

> In this case, the absolute worst that could happen is that an attacker
> gains access to every open port on your system. While this is bad, it's
> not a clever new vulnerability: it's all of the old ones that were
> already there.

It is exactly the kind of attack for which one usually uses iptables.
You are right, iptables is just one extra step of security, so the
worst thing which can happen is that this step is useless.
However, if you are willing to risk this only because of your own
laziness in scripting then why do you set up iptables in the first place?

> If there are insecure daemons listening on public addresses

The problem is that nobody can be sure that some daemon is safe.
Even presumably safe services turn out to be victims of new kinds
of attacks, occasionally.
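
The mechanism under discussion, port knocking as an extra layer in front of sshd, boils down to a small per-source state machine: the firewall only opens the protected port to a source that has hit a secret sequence of closed ports, in order and within a time limit, and closes it again after a window expires. The following Python model is an added example, not code from this thread or from any particular knocking tool; the knock sequence, timeouts and packet log are constructed values, and a real deployment would express the same logic in the kernel (for instance with knockd or the iptables `recent` match) rather than in a userspace script.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed example values: the ports a client must knock, in order,
# before the protected port (sshd on 22) is opened to that source address.
KNOCK_SEQUENCE = (7000, 8000, 9000)
PROTECTED_PORT = 22
KNOCK_TIMEOUT = 5.0   # seconds allowed between two consecutive knocks
OPEN_WINDOW = 30.0    # seconds the protected port stays open after a full sequence


@dataclass
class KnockState:
    stage: int = 0           # number of correct knocks seen so far (always < len(KNOCK_SEQUENCE))
    last_knock: float = 0.0  # timestamp of the last correct knock
    open_until: float = 0.0  # protected port is open to this source until this time


class PortKnocker:
    """Per-source knock tracker; handle() returns the firewall verdict for one packet."""

    def __init__(self) -> None:
        self.states: Dict[str, KnockState] = {}

    def handle(self, ts: float, src: str, dport: int) -> str:
        st = self.states.setdefault(src, KnockState())

        # Traffic to the protected port passes only inside an open window.
        if dport == PROTECTED_PORT:
            return "accept" if ts < st.open_until else "drop"

        # A knock that arrives too late after the previous one restarts the sequence,
        # so a slow port scan cannot accumulate progress over time.
        if st.stage > 0 and ts - st.last_knock > KNOCK_TIMEOUT:
            st.stage = 0

        if dport == KNOCK_SEQUENCE[st.stage]:
            st.stage += 1
            st.last_knock = ts
            if st.stage == len(KNOCK_SEQUENCE):
                st.open_until = ts + OPEN_WINDOW
                st.stage = 0
                return "open"
            return "knock"

        # Any wrong port resets progress (a scanner sweeping ports in order never
        # gets past the first knock). A wrong port that happens to be the first
        # knock still counts as the start of a new attempt.
        st.stage = 1 if dport == KNOCK_SEQUENCE[0] else 0
        st.last_knock = ts
        return "drop"


def process(packets: List[Tuple[float, str, int]]) -> List[str]:
    """Run a packet log of (timestamp, source, destination port) through one knocker."""
    k = PortKnocker()
    return [k.handle(ts, src, dport) for ts, src, dport in packets]


# Constructed packet log covering the interesting cases.
PACKETS = [
    (0.0, "10.0.0.5", 22),     # drop: no knock seen yet
    (1.0, "10.0.0.5", 7000),   # knock 1
    (2.0, "10.0.0.5", 8000),   # knock 2
    (3.0, "10.0.0.5", 9000),   # full sequence: port opens until t=33
    (4.0, "10.0.0.5", 22),     # accept: inside the open window
    (1.0, "10.0.0.9", 7000),   # scanner hits the first knock by chance
    (2.0, "10.0.0.9", 7001),   # wrong port: progress reset
    (3.0, "10.0.0.9", 8000),   # still wrong (first knock expected again)
    (10.0, "10.0.0.7", 7000),  # knock 1
    (20.0, "10.0.0.7", 8000),  # 10 s gap exceeds KNOCK_TIMEOUT: reset, then wrong port
    (40.0, "10.0.0.5", 22),    # window expired at t=33: drop again
]

if __name__ == "__main__":
    for pkt, verdict in zip(PACKETS, process(PACKETS)):
        print(pkt, "->", verdict)
```

Note what this buys and what it does not: a source that has not completed the sequence never reaches sshd at all, which is the "extra step" argued for above, but the knock sequence travels in cleartext and the model does nothing about an attacker who can observe a legitimate client's knocks.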
