On Thu, 2004-10-14 at 15:15, Lew Bloch wrote:
> From: Alexander Dalloz
> > If the IPs are dynamically assigned, such an attempt is
> > pointless. What you can do is to use portknocking. This has been
> > suggested and discussed controversial recently here on the list.
>
> Controversial is correct. From what I've read, portknocking is useless,
> worse than useless, really, since it induces an entirely unjustified
> sense of security. I will never use it.

"unjustified sense of security"? I don't really follow that argument. Portknocking is simply another method which in combination with other things can make it more difficult for someone to scan your system and probe it for vulnerabilities. I think the main idea here is to make it just difficult enough so the people scanning for open or unsecure systems will move on and leave your system alone. If they get no response to port 22 then they generally move to the next system that does give them a response.

Nothing short of disconnecting from the Internet entirely is going to be 100% secure. Once you realize that it is a case of managing the risk to your system then you can configure things to provide your systems with what you determine to be sufficient security.

While I have not used portknocking I view it as a useful tool for providing remote access to a system without having to leave the access ports open all the time. That is really all it does. It gives you a way to open a port up on your server from the outside which would be non-trivial to do accidentally. While you are not using it the port is closed to anyone running scans and as such they don't have the opportunity to try dictionary attacks looking for weak passwords on your system. I can't see how this could do anything but improve your security.

Of course you still need to have strong passwords, that should go without saying (but I keep having to tell users that just the same!). A multi-layered defense is always better. If you simply rely on perimeter security then once they get inside they own everything. Crunchy on the outside, soft and chewy on the inside!

--
Scot L. Harris
webid@xxxxxxxxxx

The life of a repo man is always intense.
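
The mechanism discussed in the message above, sketched as an added example that is not part of the original post and not taken from any port-knocking tool: a tracker that decides which source addresses have completed a knock, replayed over constructed traffic that includes a sequential port scan. The knock sequence, time window, addresses and all names are assumptions, and the code models only the decision logic, not the firewall rule that would open port 22.

```python
# Added illustration: decision logic of a port-knocking listener (no firewall calls).
KNOCK_SEQUENCE = (7000, 9000, 8000)  # constructed sequence, an assumption
WINDOW_SECONDS = 10.0                # assumed limit for completing the sequence

class KnockTracker:
    def __init__(self, sequence=KNOCK_SEQUENCE, window=WINDOW_SECONDS):
        self.sequence = tuple(sequence)
        self.window = window
        self.progress = {}    # src -> (index of next expected knock, time of first knock)
        self.allowed = set()  # sources that would get a temporary rule for port 22

    def observe(self, ts, src, port):
        """Feed one connection attempt to a closed port; True if src just completed the knock."""
        idx, started = self.progress.get(src, (0, ts))
        if idx and ts - started > self.window:
            idx, started = 0, ts              # too slow: start over
        if port == self.sequence[idx]:
            idx += 1
            if idx == len(self.sequence):
                self.progress.pop(src, None)
                self.allowed.add(src)
                return True
            self.progress[src] = (idx, started)
        elif port == self.sequence[0]:
            self.progress[src] = (1, ts)      # treat as a fresh first knock
        else:
            self.progress.pop(src, None)      # any other port resets progress
        return False

def replay(events):
    """Run (timestamp, source, port) events in time order; return the allowed sources."""
    tracker = KnockTracker()
    for ts, src, port in sorted(events):
        tracker.observe(ts, src, port)
    return tracker.allowed

# Constructed sample traffic (documentation address ranges).
SAMPLE = (
    [(0.0, "192.0.2.10", 7000), (1.0, "192.0.2.10", 9000), (2.0, "192.0.2.10", 8000)]
    # A sequential scan of ports 1-9999 touches every knock port but never in order.
    + [(100 + p * 0.001, "198.51.100.7", p) for p in range(1, 10000)]
    # Correct order, but the last knock arrives after the window has expired.
    + [(200.0, "203.0.113.5", 7000), (205.0, "203.0.113.5", 9000), (220.0, "203.0.113.5", 8000)]
)

if __name__ == "__main__":
    print(sorted(replay(SAMPLE)))
```

Only the source that sends the exact sequence inside the window ends up in the allowed set; the scanner and the slow knocker leave port 22 closed to them, and password strength on the service behind it still matters once the port is open.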