Tim Churches wrote:
> For a sufficiently long but still memorable password containing mixed
> case and numbers, quite a lot of brute force is needed... but in
> principle you are correct. However, one can always use knockd as an
> additional layer of protection against robots looking for open ports:
> see
> http://manpages.debian.net/cgi-bin/display_man.cgi?id=4ea992e84847c4e8fd7ab92c116192d3&format=html
> in which the example of knocking on ports 7000, 8000 and 9000 in quick
> succession causes port 22 to be opened for a short period to accept
> connections via sshd. Of course, you still need to authenticate via sshd
> in the usual fashion. In practice, one would use a longer and more
> random series of port knocks. The knock utility is used to conveniently
> issue the knock sequence - see
> http://manpages.debian.net/cgi-bin/display_man.cgi?id=e0961894c19d5c21681820222cef1f7f&format=html
>
> Note that none of the ports used for the knock sequence are actually
> opened - knockd detects that someone has tried to access those ports
> (knocked on them), but failed because they are closed.

I should add that knockd does not protect against attacks by your ISP (or their staff), as they can easily monitor the sequence of port knocking attempts which unlock your door - in fact it is vulnerable to anyone able to monitor the packets sent by whatever client you are using to your server - hence you still need other means of authentication. But it is an excellent defence against random hackers, especially robots.

> It works a treat for any non-public service. No good for public-access
> Web servers, of course. I am told that it is especially good for getting
> around the restriction of certain ISPs on hosted services and incoming
> connections, because no open ports are visible to the ISP's port scans -
> nor to hacker robots for that matter.
>
>> Like all security, one prefers to be a harder to an easier target so
>> attackers will move on. Works fine if what you protect has relatively
>> little value. A friend recently related a story of hearing a bunch of
>> men walking down their back lane one night "don't do that one, it has an
>> alarm - see the box over there. This one is well hidden behind the
>> fence...."
>>
>> sshdfilter may be useful. anyone know anything about it???
>> http://www.csc.liv.ac.uk/~greg/sshdfilter/
>
> Hmmm, looks useful. But try knockd (perhaps in addition, if you are
> really paranoid) - with a 5 or 6 random port sequence (for which the
> chance of guessing the sequence is vanishingly small). Here is some more
> discussion of knockd and ssh:
> http://frobnosticate.com/?p=81
>
> Tim C
>
> _______________________________________________
> Gpcg_talk mailing list
> [email protected]
> http://ozdocit.org/cgi-bin/mailman/listinfo/gpcg_talk
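As an added illustration, not code from the thread or from the knockd project, the Python below models the matching that knockd performs: per source address it tracks how far through the sequence 7000, 8000, 9000 the client has got, resets if the knocks arrive too slowly or on the wrong port, and on completion "opens" port 22 for that address for a fixed period. It runs over constructed firewall-style log lines (the format, timestamps and addresses are assumptions made for this example) and covers the three cases the thread raises: a client that knocks correctly, a scanner that hits the same ports in the wrong order and gets nothing, and the ISP point above, namely a third host that replays the observed sequence and is let in just the same. The stanza in the comment approximates the man page example and is written for this example, not copied from a live configuration.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# knockd stanza this model approximates (an assumption written for this example):
#
#   [openSSH]
#       sequence    = 7000,8000,9000
#       seq_timeout = 5
#       command     = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
#       tcpflags    = syn


@dataclass(frozen=True)
class KnockPolicy:
    sequence: Tuple[int, ...]   # closed ports that must be hit in this order
    seq_timeout: float          # seconds allowed to finish the whole sequence
    cmd_timeout: float          # seconds port 22 stays open after a good knock


POLICY = KnockPolicy(sequence=(7000, 8000, 9000), seq_timeout=5.0, cmd_timeout=10.0)

# Constructed record format: "<epoch seconds> ... SRC=<ip> ... DPT=<port> ...", the fields a
# firewall LOG rule for dropped packets gives us. Only these three matter to the matcher.
_LINE = re.compile(r"^(?P<ts>\d+(?:\.\d+)?)\s.*\bSRC=(?P<src>\S+)\b.*\bDPT=(?P<dpt>\d+)\b")


def parse_line(line: str) -> Optional[Tuple[float, str, int]]:
    """Return (timestamp, source address, destination port), or None for a non-knock line."""
    m = _LINE.match(line)
    if not m:
        return None
    return float(m["ts"]), m["src"], int(m["dpt"])


class KnockTracker:
    """Per-source state machine: which stage of the sequence each client has reached."""

    def __init__(self, policy: KnockPolicy) -> None:
        self.policy = policy
        self._stage: Dict[str, Tuple[int, float]] = {}   # src -> (next index, time of first knock)
        self.open_until: Dict[str, float] = {}            # src -> time the door closes again

    def observe(self, src: str, port: int, ts: float) -> bool:
        """Feed one packet that hit a closed port. Returns True when the sequence just completed."""
        seq = self.policy.sequence
        idx, started = self._stage.get(src, (0, ts))
        if idx > 0 and ts - started > self.policy.seq_timeout:
            idx, started = 0, ts                           # too slow: start over
        if port != seq[idx]:
            # A wrong port resets the attempt (this model's reading of knockd's behaviour);
            # the same packet may still count as a fresh first knock.
            if port == seq[0]:
                idx, started = 1, ts
            else:
                self._stage.pop(src, None)
                return False
        else:
            if idx == 0:
                started = ts
            idx += 1
        if idx == len(seq):
            self._stage.pop(src, None)
            self.open_until[src] = ts + self.policy.cmd_timeout
            return True
        self._stage[src] = (idx, started)
        return False

    def is_open(self, src: str, ts: float) -> bool:
        """Would port 22 accept a connection from src at time ts?"""
        return ts < self.open_until.get(src, float("-inf"))


def run(lines: Iterable[str], policy: KnockPolicy = POLICY) -> Dict[str, float]:
    """Replay log lines through the tracker; returns {src: open_until} for every successful knock."""
    tracker = KnockTracker(policy)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, port = rec
        tracker.observe(src, port, ts)
    return dict(tracker.open_until)


# Constructed sample: four hosts and one unrelated sshd line that the parser skips.
SAMPLE_LOG = """\
1000.0 IN=eth0 SRC=203.0.113.5 DPT=7000 PROTO=TCP
1000.5 IN=eth0 SRC=203.0.113.5 DPT=8000 PROTO=TCP
1001.0 IN=eth0 SRC=203.0.113.5 DPT=9000 PROTO=TCP
1002.0 IN=eth0 SRC=198.51.100.9 DPT=7000 PROTO=TCP
1002.5 IN=eth0 SRC=198.51.100.9 DPT=9000 PROTO=TCP
1003.0 IN=eth0 SRC=198.51.100.9 DPT=8000 PROTO=TCP
1003.5 host sshd[412]: Accepted publickey for alice from 203.0.113.5 port 51234
1005.0 IN=eth0 SRC=198.51.100.20 DPT=7000 PROTO=TCP
1006.0 IN=eth0 SRC=198.51.100.20 DPT=8000 PROTO=TCP
1012.0 IN=eth0 SRC=198.51.100.20 DPT=9000 PROTO=TCP
1030.0 IN=eth0 SRC=198.51.100.77 DPT=7000 PROTO=TCP
1030.5 IN=eth0 SRC=198.51.100.77 DPT=8000 PROTO=TCP
1031.0 IN=eth0 SRC=198.51.100.77 DPT=9000 PROTO=TCP
"""

if __name__ == "__main__":
    for src, until in run(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: port 22 open until t={until}")
```

Only 203.0.113.5 (correct order, within five seconds) and 198.51.100.77 (the same sequence sent later from another address) end up with port 22 open; the out-of-order scanner and the knocker who overran seq_timeout get nothing. The last case is the point made above about anyone who can watch the client's packets: the matcher has no way to tell a replay from the original, so the knock only hides the service from scanners and sshd's own authentication still has to do the real work.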
