Single Packet Authorization (Linux Journal)
Posted Mar 7, 2007 16:31 UTC (Wed) by bronson
In reply to: Single Packet Authorization (Linux Journal)
Parent article: Single Packet Authorization (Linux Journal)
A few thoughts...
If you're saying that hiding a machine deep in IPv6 space is poor security, just like port knocking is poor security, then we are in agreement. :)
I use the same knock sequence on every server. Port knocking is bad security, why pretend otherwise? But, here's the thing: even a simple, static 3-port sequence significantly raises the bar to touching the good security. With port knocking, when I see multiple failed login attempts in my logs, I know that something is wrong and I'll bring the heavy immediately.
Port knocking is not about adding more security. It's about eliminating the noise that would otherwise hide a determined attacker.
As I said before, I do have pubkey login on every ssh machine I maintain. We pubkey users seem to be a tiny minority, unfortunately. I was just explaining why I think that many admins either don't do it or, if they try, do it badly. It takes forethought to securely scale up to many admins on many machines. It isn't plug-and-chug.
Because port knocking can be done entirely with iptables rules, it doesn't need to add appreciably to your threat surface. It just adds the 'recent' module, which seems to be a well written module. SPA, with its dedicated listening daemon, adds significantly to your threat surface. A quick google search finds this article, which appears to be good but isn't the one I followed: http://www.soloport.com/iptables.html .
Here's a much more thorough treatment that I just found: http://web.mac.com/s.j/iWeb/Security/Port%20Knocking%20an... I haven't read the whole thing yet but, reading the conclusion, I think Sebastien Jeanquier is spot on.
Does that make my position a little more clear?
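As an added illustration of the iptables-only approach the comment describes (not the commenter's own rules, nor those from the linked articles): a static 3-port knock built entirely from the 'recent' module, with a wrong port resetting the sequence and the SSH port opening briefly only after the third knock. The knock ports, time windows and chain names are constructed sample values.

```shell
#!/bin/sh
# Static 3-port knock for SSH using only the iptables 'recent' module.
# knock_rules prints the commands; review them, then "knock_rules | sh" as root to load.
# Knock ports, windows and chain names are constructed sample values.
KNOCK1=${KNOCK1:-7000}
KNOCK2=${KNOCK2:-8000}
KNOCK3=${KNOCK3:-9000}
SSH_PORT=${SSH_PORT:-22}
STEP_WINDOW=10     # seconds allowed between consecutive knocks
OPEN_WINDOW=30     # seconds the SSH port stays open after the last knock

knock_rules() {
    cat <<EOF
iptables -N KNOCKING
iptables -N GATE1
iptables -N GATE2
iptables -N GATE3
iptables -N PASSED
# Keep loopback and already-established flows (the SSH session itself) working.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Accept any intentionally public services here; everything else goes to the knock chain.
iptables -A INPUT -j KNOCKING
# Dispatch on how far this source address has progressed through the sequence.
iptables -A KNOCKING -m recent --rcheck --seconds $OPEN_WINDOW --name AUTH3 -j PASSED
iptables -A KNOCKING -m recent --rcheck --seconds $STEP_WINDOW --name AUTH2 -j GATE3
iptables -A KNOCKING -m recent --rcheck --seconds $STEP_WINDOW --name AUTH1 -j GATE2
iptables -A KNOCKING -j GATE1
# GATE1: the first knock records the source in AUTH1; anything else is dropped silently.
iptables -A GATE1 -p tcp --dport $KNOCK1 -m recent --name AUTH1 --set -j DROP
iptables -A GATE1 -j DROP
# GATE2/GATE3: a wrong port clears the progress marker and falls back to GATE1.
iptables -A GATE2 -m recent --name AUTH1 --remove
iptables -A GATE2 -p tcp --dport $KNOCK2 -m recent --name AUTH2 --set -j DROP
iptables -A GATE2 -j GATE1
iptables -A GATE3 -m recent --name AUTH2 --remove
iptables -A GATE3 -p tcp --dport $KNOCK3 -m recent --name AUTH3 --set -j DROP
iptables -A GATE3 -j GATE1
# PASSED: the next packet from the source consumes the token; only an SSH SYN is accepted.
iptables -A PASSED -m recent --name AUTH3 --remove
iptables -A PASSED -p tcp --dport $SSH_PORT -j ACCEPT
iptables -A PASSED -j GATE1
EOF
}

knock_rules
```

Because GATE1 ends in DROP, every inbound packet that is not a knock (or a post-knock SSH connection) is discarded, so any failed SSH login that does show up in the logs came from a source that knew the sequence.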