On 02/28/2011 09:17:25 AM, Johan Söderberg wrote:
> A ridiculously simple idea.
> Protect your port, say ssh, by adding a code to access it.
> Ok, that's nothing new, but maybe how it's done.
>
> For a client to connect to a service, it needs to unlock the port with a code.
> The code is made of predefined blocked ports, that makes pf trigger.
> If the first code port is triggered, the IP address enters a state with a timestamp.
> If the next port that the address triggers matches the next code port within a timeframe, let it enter a new state, else lose state.
> When all code ports have been triggered in the right order, allow the address to pass.
>
> Sure it's not safe from MITM, but it protects from scans, and allows you to connect from dynamic IP addresses.
> There are 65536 ports, that gives you 65536^n possible combinations where n is the number of ports in your code.
> So you probably won't need more than 2-3 ports in your code.
>
> Say what you think! And if you like my brain fart, would you want to implement it?
Your idea is called port knocking, and it's pointless security by obscurity -- and can be sniffed. If you want it to be secure you make the knock code a one-time-pad. In which case you may as well use skey for your one-time-pad and be done with it. If you want to "protect the port", redirect repeat offenders off into a honeypot.

Karl <k...@meme.com>
Free Software: "You don't pay back, you pay forward." -- Robert A. Heinlein
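The per-address state machine that Johan's quoted message describes (first knock port starts a timestamped state, each following knock must be the next code port within the timeframe, any wrong port or missed window loses the state, the full sequence unlocks the address) is easy to model in a few lines. The code below is an added illustration written for this thread, not code from either poster or from pf; the knock ports, the window, the unlock lifetime and the addresses are all constructed values. It also includes a constructed check of the "protects from scans" claim by replaying an in-order sweep of every port from one address through the tracker.

```python
from dataclasses import dataclass, field
from typing import Dict, Tuple


@dataclass
class KnockTracker:
    """Per-address state machine for a port-knock sequence.

    Every hit on a blocked port is reported to hit(). An address advances one
    step when it hits the next port in `sequence` within `window` seconds of
    its previous step; a wrong port or a missed window drops its state.
    """
    sequence: Tuple[int, ...]
    window: float            # seconds allowed between consecutive knocks
    allow_ttl: float = 60.0  # seconds the unlocked state stays valid
    # ip -> (index of the next expected port, time of the last correct knock)
    _pending: Dict[str, Tuple[int, float]] = field(default_factory=dict)
    # ip -> time at which the full sequence was completed
    _allowed: Dict[str, float] = field(default_factory=dict)

    def hit(self, ip: str, port: int, now: float) -> bool:
        """Record one blocked-port hit; return True when it completes the sequence."""
        idx, last = self._pending.get(ip, (0, now))
        if idx > 0 and now - last > self.window:
            idx = 0  # timeframe missed: lose state
        if port != self.sequence[idx]:
            # wrong port: lose state, but the hit may itself be a fresh first knock
            idx = 0
            if port != self.sequence[0]:
                self._pending.pop(ip, None)
                return False
        idx += 1
        if idx == len(self.sequence):
            self._pending.pop(ip, None)
            self._allowed[ip] = now
            return True
        self._pending[ip] = (idx, now)
        return False

    def is_allowed(self, ip: str, now: float) -> bool:
        """True while the address's unlock is still within allow_ttl."""
        opened = self._allowed.get(ip)
        if opened is None:
            return False
        if now - opened > self.allow_ttl:
            del self._allowed[ip]
            return False
        return True


def sequential_scan_unlocks(sequence: Tuple[int, ...], window: float,
                            ip: str = "192.0.2.10", step: float = 0.001) -> bool:
    """Replay an in-order sweep of ports 1..65535 from one constructed address
    and report whether it ever completes the sequence. Each non-sequence port
    hit between two knock ports resets the address's state."""
    tracker = KnockTracker(sequence, window)
    return any(tracker.hit(ip, port, port * step) for port in range(1, 65536))


if __name__ == "__main__":
    knocks = (1234, 5678, 9012)  # constructed knock sequence
    t = KnockTracker(knocks, window=10.0)
    for port, at in ((1234, 0.0), (5678, 3.0), (9012, 6.0)):
        print(port, "->", "unlocked" if t.hit("10.0.0.1", port, at) else "pending")
    print("in-order sweep unlocks:", sequential_scan_unlocks(knocks, 10.0))
```

The sweep check passes (returns False) for the constructed sequence because the ports in between reset the state, but it returns True for a sequence of consecutive ascending ports, which is the kind of caveat worth checking before relying on the "protects from scans" property; none of this changes Karl's point that a fixed sequence observed on the wire can simply be replayed.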