Single Packet Authorization (Linux Journal)
Posted Mar 6, 2007 13:18 UTC (Tue) by RobSeace
Parent article: Single Packet Authorization (Linux Journal)
The one advantage simple port-knocking has over more complex/secure stuff such as this is that you don't need a specialized knocker client... If I knew I'd never need to access my system from any arbitrary system, I'd simply lock it down to prevent access from anywhere except the known places I expect to be connecting from... But, the whole point of something like port-knocking is that you potentially can be connecting from anywhere, so you have to prove up front that it's really you before you'll even be given a chance to try to connect... Now, with simple port-knocking, you can just do the knocks with anything, including plain old telnet... Which means you can do them literally from any machine you might find yourself on, with no need for carrying around special software with you (compiled for every OS/architecture on the planet that you might run into?)... That's a huge advantage, IMHO... Sure, this scheme sounds a lot more secure and cool and all, but a lot less convenient... As someone else said, the real security should come from your sshd (or whatever server you're protecting behind the knock server); just think of the port-knocking as another layer of obfuscation on top of it, with the main goal of hiding it from casual observers, not stopping any and all possible determined attacks... That is plenty for some (dare I say most?) people's needs...
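To make the mechanism the comment is weighing concrete, here is a minimal server-side port-knock state machine. This is an added example, not code from the LWN article, the commenter, or any knock daemon. It assumes knocks arrive as (timestamp, source, destination port) events parsed from constructed firewall-style log lines; the knock sequence, the 10-second window and the `DPT=`/`SRC=` line format are all assumptions made for the example. It shows why any client that can open a TCP connection (telnet included) suffices: the server only cares which ports were hit, in which order, and how quickly.

```python
"""Port-knock state machine (added example; assumptions noted inline)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

KNOCK_SEQUENCE = (7000, 8000, 9000)   # constructed sample sequence
KNOCK_WINDOW = 10.0                   # seconds allowed to finish the sequence
PROTECTED_PORT = 22                   # port opened after a correct sequence

# Constructed log-line shape, loosely iptables-like: "<epoch> SRC=<ip> DPT=<port>"
_LOG_RE = re.compile(r"^(?P<ts>\d+(?:\.\d+)?) .*SRC=(?P<src>\S+) .*DPT=(?P<port>\d+)")


@dataclass
class KnockState:
    progress: int = 0      # number of knocks matched so far for this source
    started: float = 0.0   # timestamp of the first matching knock


class KnockServer:
    def __init__(self, sequence=KNOCK_SEQUENCE, window=KNOCK_WINDOW):
        self.sequence = sequence
        self.window = window
        self.states: Dict[str, KnockState] = {}
        self.allowed: Dict[str, float] = {}   # source -> time access was granted

    def observe(self, ts: float, src: str, port: int) -> bool:
        """Feed one connection attempt. Returns True only on the knock that
        completes the sequence for `src` (i.e. when PROTECTED_PORT is opened)."""
        st = self.states.setdefault(src, KnockState())
        # A half-finished sequence that took longer than the window is discarded.
        if st.progress and ts - st.started > self.window:
            st.progress = 0
        expected = self.sequence[st.progress]
        if port != expected:
            # Wrong port resets the source; a hit on the first port restarts it.
            st.progress = 1 if port == self.sequence[0] else 0
            st.started = ts if st.progress else 0.0
            return False
        if st.progress == 0:
            st.started = ts
        st.progress += 1
        if st.progress == len(self.sequence):
            self.allowed[src] = ts
            st.progress = 0
            return True
        return False

    def is_allowed(self, src: str) -> bool:
        return src in self.allowed


def parse_log_line(line: str) -> Tuple[float, str, int]:
    """Parse one constructed log line into (timestamp, source, dst_port)."""
    m = _LOG_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    return float(m["ts"]), m["src"], int(m["port"])


def replay_log(lines: List[str]) -> KnockServer:
    """Run a batch of log lines through a fresh server and return it."""
    server = KnockServer()
    for line in lines:
        server.observe(*parse_log_line(line))
    return server


# Constructed sample log: one correct knock, one out-of-order, one too slow.
SAMPLE_LOG = [
    "1000 IN=eth0 SRC=10.0.0.5 DPT=7000",
    "1001 IN=eth0 SRC=10.0.0.5 DPT=8000",
    "1002 IN=eth0 SRC=10.0.0.5 DPT=9000",
    "1000 IN=eth0 SRC=10.0.0.6 DPT=7000",
    "1001 IN=eth0 SRC=10.0.0.6 DPT=9000",
    "1002 IN=eth0 SRC=10.0.0.6 DPT=8000",
    "1000 IN=eth0 SRC=10.0.0.7 DPT=7000",
    "1001 IN=eth0 SRC=10.0.0.7 DPT=8000",
    "1020 IN=eth0 SRC=10.0.0.7 DPT=9000",
]

if __name__ == "__main__":
    srv = replay_log(SAMPLE_LOG)
    for host in ("10.0.0.5", "10.0.0.6", "10.0.0.7"):
        print(host, "allowed" if srv.is_allowed(host) else "denied")
```

Running it grants 10.0.0.5 access and denies the out-of-order and timed-out sources. Note that the server state depends on nothing but the static port sequence, which is exactly the property the comment describes: it is convenient because any connection-capable tool can produce the knocks, and it is an obfuscation layer rather than real authentication, so the service behind it (sshd here) still has to carry the actual security.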