On Fri, Feb 06, 2004 at 06:38:54PM -0300, Alejandro G. Belluscio wrote:
> I guess all of you have read about it. But on /. there were a couple of
> articles on port knocking which are very interesting. With just ten
> knocks, and only using 16384 ports as a range, you get a 140-bit
> combination. If combined with some S/Key or similar scheme, then it would
> be _very_ difficult to guess.
If you have to resort to security by obscurity, why not just use TCP_MD5SIG (RFC 2385)? Want to hide an sshd from a port scanner? Just ignore all TCP packets not properly signed. No need for silly knocking if you can add a signature to each packet.

Run ipsecadm tcpmd5 once and all your connections are accepted; no need to run some weird sequence every time you want to connect, or deal with packet order, retransmission, timeouts.

Oh, you think this is little-known, underdocumented and obscure? Perfect for the purpose, then, no? :)

Daniel
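To make the "ignore all TCP packets not properly signed" idea concrete, here is an added example (not from the thread, and unrelated to the ipsecadm implementation) that models the RFC 2385 option: it builds a SYN with and without the MD5 signature option and applies a receiver policy that drops anything lacking a valid digest. The addresses, ports and key are constructed, and the TCP checksum is left zero since the digest excludes it.

```python
import hashlib
import hmac
import socket
import struct

TCPOPT_MD5SIG = 19   # option kind assigned by RFC 2385
TCPOLEN_MD5SIG = 18  # kind + length + 16-byte digest

def tcp_md5_digest(src_ip, dst_ip, segment, key):
    # RFC 2385 digest: IPv4 pseudo-header, fixed TCP header with the
    # checksum zeroed (options are not covered), segment data, shared key.
    doff = (segment[12] >> 4) * 4
    m = hashlib.md5()
    m.update(socket.inet_aton(src_ip) + socket.inet_aton(dst_ip))
    m.update(struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(segment)))
    m.update(segment[:16] + b"\x00\x00" + segment[18:20])
    m.update(segment[doff:])
    m.update(key)
    return m.digest()

def build_syn(src_ip, dst_ip, sport, dport, seq, key=None):
    # Bare SYN, or a SYN carrying the MD5SIG option (two NOPs pad it to a
    # 4-byte boundary) with the digest filled in over the final layout.
    # Constructed packet: the TCP checksum stays zero (not part of the digest).
    opts = b""
    if key is not None:
        opts = bytes([TCPOPT_MD5SIG, TCPOLEN_MD5SIG]) + bytes(16) + b"\x01\x01"
    doff = (20 + len(opts)) // 4
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, doff << 4, 0x02, 65535, 0, 0)
    if key is None:
        return hdr
    digest = tcp_md5_digest(src_ip, dst_ip, hdr + opts, key)
    return hdr + opts[:2] + digest + opts[18:]

def accept_signed(src_ip, dst_ip, segment, key):
    # Receiver policy from the post: drop any segment without a valid signature.
    doff = (segment[12] >> 4) * 4
    i = 20
    while i < doff:
        kind = segment[i]
        if kind == 0:                       # end of option list
            break
        if kind == 1:                       # NOP
            i += 1
            continue
        length = segment[i + 1]
        if length < 2:                      # malformed option, refuse
            return False
        if kind == TCPOPT_MD5SIG and length == TCPOLEN_MD5SIG:
            expected = tcp_md5_digest(src_ip, dst_ip, segment, key)
            return hmac.compare_digest(segment[i + 2:i + 18], expected)
        i += length
    return False
```

Because the pseudo-header is covered, a segment signed for one destination address fails verification at any other, which is what lets a listener stay silent to a scanner while accepting peers configured with the key.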
