On Fri, 13 Jan 2006 13:20, you wrote:
> On Fri, Jan 13, 2006 at 12:35:19PM +1300, Andrew Errington wrote:
> > much covered it. I'd like to second the suggestion of port knocking-
> > i.e. port 22 stays closed until certain other ports have been visited
> > in a certain order.
>
> Port knocking is just silly - it's security by obscurity. It is a nice
> toy, and fun to play with, but ultimately all it adds to your overall
> security is a few bits of data, that could have been added to greater
> effect by extending the password/key length.
Oh come now, Jim. If you have a strong opinion why not just come right out with it and say so. Enough beating about the bush. =;^)

Actually, now that you have cast a light of harsh reality upon the idea I shall think again before using it.

In fact, for a while I had turned off ping responses from my router as a means for hiding from hackers, the idea being if they couldn't ping it they'd think there was nothing there. I read somewhere that most hack attempts go directly to the machine and wouldn't bother pinging first, so it wouldn't help, plus the RFCs state that all machines must respond to ping, so I was being a Bad Person. I turned it back on and haven't seen an increase in the number of hack attempts.

I can see the usefulness of port knocking- at home I get barrages of ssh login attempts, sometimes lasting for up to an hour or more. Because the port is open it always responds (and always denies access). This leads to some, admittedly small, traffic. Multiply this up by several attempts per day and I end up with a measurable amount of network traffic eaten by hacking attempts. I'm paying for this! I suppose if I turned the port off then there would be only one attempt at my IP address per hacker- if they didn't get an ssh response they would move on.

Tricky.

Andy
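The barrages of ssh login attempts Andy describes are what a log-based rate limiter keys on. The following is an added example, not code from the thread: it parses constructed sshd auth.log lines, groups failed password attempts by source IP and reports the size and duration of each burst; the host name, addresses and usernames are made up.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log lines (not from the thread). Syslog timestamps
# carry no year, so the parser pins one.
SAMPLE_LOG = """\
Jan 13 03:14:01 gw sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2
Jan 13 03:14:03 gw sshd[2203]: Failed password for invalid user test from 198.51.100.7 port 40130 ssh2
Jan 13 03:14:05 gw sshd[2205]: Failed password for root from 198.51.100.7 port 40141 ssh2
Jan 13 03:59:40 gw sshd[2410]: Failed password for invalid user oracle from 198.51.100.7 port 41012 ssh2
Jan 13 09:02:11 gw sshd[3001]: Failed password for andy from 203.0.113.9 port 51000 ssh2
Jan 13 09:02:40 gw sshd[3002]: Accepted publickey for andy from 203.0.113.9 port 51001 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_failures(text, year=2006):
    """Yield (timestamp, source_ip, username) for each failed-password line."""
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and other sshd chatter are skipped
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["user"]

def summarise_sources(text, year=2006):
    """Per source IP: attempt count, distinct usernames tried, and span of the burst in seconds."""
    by_ip = defaultdict(list)
    for ts, ip, user in parse_failures(text, year):
        by_ip[ip].append((ts, user))
    out = {}
    for ip, events in by_ip.items():
        times = [t for t, _ in events]
        out[ip] = {
            "attempts": len(events),
            "users": sorted({u for _, u in events}),
            "span_seconds": int((max(times) - min(times)).total_seconds()),
        }
    return out

def barrages(text, min_attempts=3, year=2006):
    """Source IPs whose failures reach min_attempts: the noisy scanners worth rate-limiting at the firewall."""
    return sorted(ip for ip, s in summarise_sources(text, year).items() if s["attempts"] >= min_attempts)

if __name__ == "__main__":
    for ip, s in summarise_sources(SAMPLE_LOG).items():
        print(ip, s)
```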
