More SSH 'trolling'

Scot L. Harris webid at cfl.rr.com
Thu Oct 14 19:53:56 UTC 2004


On Thu, 2004-10-14 at 15:15, Lew Bloch wrote:
> From: Alexander Dalloz
> > If the IPs are dynamically assigned, such an attempt is
> > pointless. What you can do is to use portknocking. This has been
> > suggested and discussed controversially recently here on the list.
> 
> Controversial is correct.  From what I've read, portknocking is useless, 
> worse than useless, really, since it induces an entirely unjustified 
> sense of security.  I will never use it.

"unjustified sense of security"?  I don't really follow that argument. 
Portknocking is simply another method which in combination with other
things can make it more difficult for someone to scan your system and
probe it for vulnerabilities.  

I think the main idea here is to make it just difficult enough so the
people scanning for open or insecure systems will move on and leave your
system alone.  If they get no response to port 22 then they generally move
to the next system that does give them a response.

Nothing short of disconnecting from the Internet entirely is going to be
100% secure.  Once you realize that it is a case of managing the risk to
your system then you can configure things to provide your systems with
what you determine to be sufficient security.  

While I have not used portknocking I view it as a useful tool for
providing remote access to a system without having to leave the access
ports open all the time.  That is really all it does.  It gives you a way
to open a port up on your server from the outside which would be
non-trivial to do accidentally.  While you are not using it the port is
closed to anyone running scans and as such they don't have the
opportunity to try dictionary attacks looking for weak passwords on your
system.  I can't see how this could do anything but improve your
security.  Of course you still need to have strong passwords; that should
go without saying (but I keep having to tell users that just the same!).

A multi-layered defense is always better.  If you simply rely on
perimeter security then once they get inside they own everything. 
Crunchy on the outside, soft and chewy on the inside! 


-- 
Scot L. Harris
webid at cfl.rr.com

The life of a repo man is always intense. 
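The mechanism the post describes (port 22 stays closed to scanners, and a sequence of connection attempts to other closed ports opens it for the knocking source only) can be made concrete with a small knock-tracking state machine. This is an added example written for this page, not code from the post or from any real knock daemon; the knock sequence, the 10-second inter-knock window, the 30-second open window, the example addresses and the packet trace are all constructed assumptions. Firewall changes are recorded as iptables command strings rather than executed, so it runs offline. The sequence is deliberately non-monotonic (7000, 9000, 8000): an ascending sequential port sweep would otherwise hit an ascending sequence in order and open the port for the scanner, which the constructed trace shows does not happen here.

```python
"""Port-knock state machine (added example; assumptions noted inline)."""
from dataclasses import dataclass

KNOCK_SEQUENCE = (7000, 9000, 8000)  # assumed secret sequence; non-monotonic on purpose
KNOCK_WINDOW = 10.0                  # assumed: max seconds between consecutive knocks
OPEN_FOR = 30.0                      # assumed: seconds the protected port stays open
PROTECTED_PORT = 22


@dataclass
class KnockState:
    progress: int = 0       # how many knocks of the sequence this source has completed
    last_knock: float = 0.0  # time of the last accepted knock


class PortKnocker:
    def __init__(self, sequence=KNOCK_SEQUENCE, window=KNOCK_WINDOW,
                 open_for=OPEN_FOR, protected_port=PROTECTED_PORT):
        self.sequence = tuple(sequence)
        self.window = window
        self.open_for = open_for
        self.protected_port = protected_port
        self.states = {}        # src_ip -> KnockState (partial sequences)
        self.opened = {}        # src_ip -> expiry time of the open window
        self.firewall_log = []  # iptables commands we would run (recorded, never executed)

    def observe(self, src_ip, dst_port, now):
        """Feed one observed SYN to a closed port. Returns True if it completed the sequence."""
        st = self.states.get(src_ip) or KnockState()
        # A stale partial sequence (too slow between knocks) starts over.
        if st.progress and now - st.last_knock > self.window:
            st.progress = 0
        if dst_port == self.sequence[st.progress]:
            st.progress += 1
        else:
            # Wrong port resets progress; a hit on the first port restarts the sequence.
            st.progress = 1 if dst_port == self.sequence[0] else 0
        st.last_knock = now
        if st.progress == len(self.sequence):
            self.states.pop(src_ip, None)
            self._open(src_ip, now)
            return True
        self.states[src_ip] = st
        return False

    def _open(self, src_ip, now):
        self.opened[src_ip] = now + self.open_for
        self.firewall_log.append(
            f"iptables -I INPUT -s {src_ip} -p tcp --dport {self.protected_port} -j ACCEPT")

    def expire(self, now):
        """Close open windows whose time has elapsed; returns the sources closed."""
        closed = [ip for ip, exp in self.opened.items() if exp <= now]
        for ip in closed:
            del self.opened[ip]
            self.firewall_log.append(
                f"iptables -D INPUT -s {ip} -p tcp --dport {self.protected_port} -j ACCEPT")
        return closed

    def is_open(self, src_ip, now):
        exp = self.opened.get(src_ip)
        return exp is not None and now < exp


# Constructed trace of (time, src_ip, dst_port) SYNs: a sequential port sweep from a
# scanner, a correct knock from a legitimate client, and a knock that is too slow.
SAMPLE_TRACE = (
    [(i * 0.001, "203.0.113.5", i) for i in range(1, 9101)]       # scanner sweeps 1..9100
    + [(100.0, "198.51.100.7", 7000), (101.0, "198.51.100.7", 9000),
       (102.0, "198.51.100.7", 8000)]                               # correct knock
    + [(200.0, "198.51.100.8", 7000), (215.0, "198.51.100.8", 9000),
       (216.0, "198.51.100.8", 8000)]                               # second knock 15 s late
)


def simulate(events, knocker=None):
    """Replay a trace in time order; returns (knocker, set of sources that opened the port)."""
    knocker = knocker or PortKnocker()
    completed = set()
    for now, src, port in sorted(events):
        knocker.expire(now)
        if knocker.observe(src, port, now):
            completed.add(src)
    return knocker, completed


if __name__ == "__main__":
    k, done = simulate(SAMPLE_TRACE)
    print("sources that completed the knock:", sorted(done))
    for cmd in k.firewall_log:
        print(cmd)
```

Two things worth noting when reading this against the thread. The knock packets travel in the clear, so anyone who can sniff the path between client and server can replay the sequence; the scheme hides the port from bulk scanners, it does not authenticate the client, which is why the post's point about still needing strong credentials on the SSH service behind it stands. And the per-source state must time out both partial sequences and open windows, as above, or a long-running scan can accumulate progress and a forgotten rule leaves the port open.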




More information about the fedora-list mailing list