Hi,

On Oct 22, 2006, at 4:41 PM, Steffen Wendzel wrote:

> This isn't correct. Every service had some security problems in the
> past. Imagine that your service X is vulnerable (only since a few hours
> by a zero day exploit or so) and someone tries to exploit it at 2:00 in
> the morning.

> But if you run some port knocking service (and your attacker does not
> know the port combination/secret key, or even does not know about a
> running port knocking system), he cannot attack your service.

This is security by obscurity.

> If you only need the service for administration, you could do such a
> "hiding" of the service. You only would need to open the port by the
> port knocking service for a few minutes while you use it to do some administration.

The thing about running a port knocking service to "protect" or "hide" other services just adds another point of failure. Can you promise that this port knocking service, which is running with root privileges, is not vulnerable to some overflow problem that could allow attackers to just send a knocking sequence that opens up the whole box?! No thanks. I'll stick with what I've got.

If you're so worried about 0-day exploits for OpenBSD services then just jail these services you're running with systrace. With Linux you can use SELinux or AppArmor.

The idea of port knocking is nice at first view but given the extra complexity it adds and the extra risk it's just not worth it, sorry.

just my thoughts about this,

Tobias W.
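As an added illustration of the scheme Steffen describes (a secret knock sequence that opens a port for a few minutes, with any wrong knock resetting progress), here is the decision logic of such a daemon with sockets and firewall calls left out. This is example code written for this page, not code from either author; the knock sequence, the time window and the hold-open time are assumed values.

```python
from collections import defaultdict

KNOCK_SEQUENCE = (7000, 8000, 9000)  # assumed example sequence, not from the thread
KNOCK_WINDOW = 10.0                  # seconds allowed to complete the whole sequence
OPEN_SECONDS = 180.0                 # "a few minutes" of access after a correct knock

class KnockDaemon:
    """Pure decision logic of a port-knocking daemon: no sockets, no firewall calls."""
    def __init__(self, sequence=KNOCK_SEQUENCE, window=KNOCK_WINDOW, open_for=OPEN_SECONDS):
        self.sequence, self.window, self.open_for = sequence, window, open_for
        self.progress = {}      # src -> (index of next expected knock, time of first knock)
        self.opened_until = {}  # src -> time at which the opened port closes again

    def knock(self, src, port, now):
        """Record one attempt by src on a closed port. Returns True if the sequence just completed."""
        idx, started = self.progress.get(src, (0, now))
        if now - started > self.window:
            idx, started = 0, now           # too slow: the partial sequence is forgotten
        if port != self.sequence[idx]:
            # a wrong port anywhere resets progress; hitting the first port starts over
            if port == self.sequence[0]:
                self.progress[src] = (1, now)
            else:
                self.progress.pop(src, None)
            return False
        idx += 1
        if idx == len(self.sequence):
            self.progress.pop(src, None)
            self.opened_until[src] = now + self.open_for  # here a real daemon would add a firewall rule
            return True
        self.progress[src] = (idx, started)
        return False

    def is_open(self, src, now):
        """Whether the protected service is reachable for src at time now."""
        return now < self.opened_until.get(src, float("-inf"))

def demo():
    """Constructed knock events (time, source, port): one correct knock, one wrong order, one too slow."""
    d = KnockDaemon()
    events = [
        (0.0, "10.0.0.5", 7000), (1.0, "10.0.0.5", 8000), (2.0, "10.0.0.5", 9000),
        (0.0, "10.0.0.9", 7000), (1.0, "10.0.0.9", 9000), (2.0, "10.0.0.9", 8000),
        (0.0, "10.0.0.7", 7000), (30.0, "10.0.0.7", 8000), (31.0, "10.0.0.7", 9000),
    ]
    for t, src, port in events:
        d.knock(src, port, t)
    return {src: d.is_open(src, 3.0) for src in ("10.0.0.5", "10.0.0.9", "10.0.0.7")}
```

Note that the opened port closes again on its own once `open_for` has elapsed, which is the "few minutes" of administration access the quoted message proposes.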
