My heartfelt thanks for all the assistance there. ffs, you speak like some sort of lord who cannot be bothered assisting the peasants. I get an inkling you emanate from such lofty heights. Now, I admit I am not on the main bsd list (even if I was, I don't have time to even skim the headers from all the postings it gets), but I have been on the pf list for about 6 months and thought this was a relevant topic for discussion.
Now, I don't think port knocking is the latest fad (how it would add to liability is beyond me). Rather, I think it a relevant security implementation for my situation. From the sounds, we will be getting a large number of external contractors, many of whom will be travelling, so this seemed a good fit. Surely you would agree that if a service appears closed, that provides increased security. Additionally, it seems pretty straightforward to implement (even to me, who hasn't programmed in about 2 years); so a time vs reward analysis stacks up. I don't see the problem; a simple addition to give additional security.

Simply changing the ssh port isn't good enough. Source IP filtering won't cut the mustard as I don't know which IPs people will get when they are using global roaming dial-up services. So, where does that leave me? Either just leave it as is, add a VPN (that I would still like to appear closed) or implement some system to hide the port. Now, leaving it as is will probably be absolutely fine provided the service is kept up to date. Installing a VPN is planned. Adding this extra layer of port security seems prudent and cost effective.

So, yeah, whatever, it seems I will go it alone.

Cheers
Andrew

--- jared r r spiegel <[EMAIL PROTECTED]> wrote:

> On Fri, Dec 17, 2004 at 06:05:39PM -0500, Roy Morris wrote:
>
> > If you want to knock off most of the port pounding twits, stop allowing
> > ssh from 'any', filter instead by source. If you can't do that, because you
> > MUST have access from your remote laptop, then maybe try using a ssh
> > rule that says use OS type =my remote OS.
>
> that would probably work for most intents and purposes, but i
> know the pf.conf(5) specifically cautions against using OS fingerprints
> for security enforcement. it suggests they're for policy
> implementation at best.
>
> rather than allowing for your laptop like that, i'd probably
> go the route of starting a second sshd listening on whatever
> port ( where reserved is likely better than not ) for the
> purposes of authpf(8) to allow a hole into tcp:22.
>
> jared
>
> --
>
> [ openbsd 3.6 GENERIC ( nov 4 ) // i386 ]
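The authpf(8) arrangement jared describes, written out as an added illustration (not configuration from anyone in this thread): a second sshd on a reserved port whose users get authpf as their login shell, and a pf anchor that opens tcp/22 only for a logged-in user's source address. The interface name em0, port 222 and the file paths under /etc/authpf are assumptions for the example.

```pf
# /etc/pf.conf fragment (added example; em0 and port 222 are assumed)
ext_if = "em0"

# By default the real sshd on tcp/22 is unreachable, so the port looks closed
# to anyone scanning from outside.
block in on $ext_if proto tcp to ($ext_if) port 22

# The authpf sshd listens on a reserved port, started separately with e.g.
#   /usr/sbin/sshd -p 222 -f /etc/ssh/sshd_config.authpf
# Accounts that log in there have /usr/sbin/authpf as their shell, and
# /etc/authpf/authpf.conf must exist (it may be empty) for authpf to run.
pass in on $ext_if proto tcp from any to ($ext_if) port 222 keep state

# authpf(8) loads the per-user rules from /etc/authpf/authpf.rules into
# this anchor when the session starts and removes them when it ends.
anchor "authpf/*"

# /etc/authpf/authpf.rules (separate file; macros from pf.conf are not
# inherited, so ext_if is defined again). authpf sets $user_ip to the
# address the user's ssh session came from, so only that host gets tcp/22.
ext_if = "em0"
pass in quick on $ext_if proto tcp from $user_ip to ($ext_if) port 22 keep state
```

The hole closes as soon as the authpf ssh session ends, which is what makes this fit a roaming user whose source address cannot be known in advance.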
