agree

Posted Mar 6, 2007 8:41 UTC (Tue) by niner (subscriber, #26151)
In reply to: agree by ArbitraryConstant
Parent article: Single Packet Authorization (Linux Journal)

Port knocking has just one advantage over plain ssh: it keeps your logs free of thousands of failed login attempts due to brute force ssh guessing by automated scripts.
It's not security, just a little more convenience.

It's the same as with simple text-based CAPTCHAs like addition of two numbers. They are very easily broken and scripted even by the youngest script kiddie. But this assumes, that there is a human individual interested in your site. And in most cases there just isn't.



agree

Posted Mar 6, 2007 14:30 UTC (Tue) by drag (subscriber, #31333) [Link]

If you want to avoid script kiddies then have your ssh session run on port 23 instead of port 22 (or whatever port you want). At least that way you avoid the massive amount of traffic that automated scanners generate.

That's pretty much all you have to do to have fairly clean and relevant logs.

agree

Posted Mar 6, 2007 15:27 UTC (Tue) by bronson (subscriber, #4806) [Link]

nmap will find sshd on port 23 without even breaking a sweat. It will also eventually discover it on port 31337, even if you aggressively block portscanning. But it will never find your knock sequence.

I agree that moving sshd's listening port currently deters many script kiddies. But it's like greylisting: it's utterly trivial to get around. Once a lot of people put sshd on different ports, the kiddies will just learn how to use nmap.

agree

Posted Mar 6, 2007 18:17 UTC (Tue) by ofeeley (guest, #36105) [Link]

And capturing a list of hostile machines' IP addresses and adding them to /etc/hosts.deny is nice. As long as you're using ssh keys the script kiddie attacks are just providing a handy list of IPs to treat as hostile with very little actual risk.

Not sure I agree

Posted Mar 6, 2007 23:09 UTC (Tue) by bronson (subscriber, #4806) [Link]

There's a fine line between banning hostile IPs and DOSing yourself. :)

A lot (most?) of the traffic will be arriving on dynamic or shared IP addresses. Just because one packet was hostile, that doesn't mean that all traffic from that address will be hostile. Imagine visiting your parents and not being able to log in to your production server just because some script kiddie managed to get most of AOL's proxy IPs on your block list.

Also, I'm not sure that keeping a list of IPs actually buys you much. Most of the script kiddies responsible for this noise won't bother trying any other attack against you. And a determined attacker would never try something as noisy as a dictionary attack. Presumably he would already know that you're using pubkey authentication and a dictionary attack would be futile anyway.

So... Keeping a list of mostly harmless script kiddie IPs doesn't strike me as a very worthwhile endeavor...?

agree

Posted Mar 6, 2007 19:31 UTC (Tue) by ArbitraryConstant (guest, #42725) [Link]

meh

Just rate-limit SSH connections. You can even simply block IPs that have more than a certain number of failed login attempts in a given period of time.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds