
portknocking

Posted Mar 8, 2007 23:45 UTC (Thu) by ldo (subscriber, #40946)
In reply to: sshguard: Protection for OpenSSH (Linux.com) by yarikoptic
Parent article: sshguard: Protection for OpenSSH (Linux.com)

I found simple knocking (even 1-port knocking, which gets closed by "knocking" on nearby ports) very useful and easy to set up natively with iptables...

If SSH is like an iron door, then port knocking is like putting an extra layer of cardboard on top of it to try to make it stronger. As a security measure, port knocking is laughable. It's a pushover for something as elementary as a replay attack.

As for those SSH password guessers, they're never going to get in if you have good passwords. You can enforce this on your users through appropriate system configuration. And of course you can run your own password-cracking tools, like John the Ripper, just to make sure.



portknocking

Posted Mar 9, 2007 1:12 UTC (Fri) by yarikoptic (subscriber, #36795)

Well, taking the cardboard analogy further, it is a cardboard which hides where the lock is.

Thus it might help prevent
* DoS attacks
* log spamming
* etc

So it is good for what it is worth: now my daily logwatch is clean, and any entry which would report a malicious attempt to log in would trigger my interest in that event (as opposed to going through lengthy lists of failed attempts from dictionary attacks).
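To make both sides of this exchange concrete, here is an added example (not code from either commenter, from LWN or from sshguard) that models the single-port knock yarikoptic describes, as it would be built from iptables' `recent` module: `-m recent --set` on the knock port, `--remove` on the neighbouring ports, and `--rcheck --seconds N` in front of the rule that accepts SSH. The model shows three things: a sequential scanner that walks adjacent ports closes the door it just opened; an unknocked dictionary attacker never reaches sshd, so nothing is logged (yarikoptic's clean logwatch); and anyone who has watched one legitimate knock can repeat it from their own address, because the knock carries no secret beyond the port number (ldo's replay objection). Port numbers, addresses, the 30-second timeout and the log line are all assumptions.

```python
"""Toy model of iptables-style single-port knocking (added example).

Modelled rule set (hypothetical port numbers):
  - SYN to KNOCK_PORT           -> source added to the "knocked" list, packet dropped
  - SYN within CLOSE_RADIUS     -> source removed from the list (door closes), dropped
  - SYN to SSH_PORT             -> accepted only if the source knocked within TTL seconds
  - anything else               -> dropped before sshd sees it, so nothing is logged
"""
from dataclasses import dataclass, field

KNOCK_PORT = 7890      # assumption: arbitrary knock port
CLOSE_RADIUS = 2       # assumption: 7888, 7889, 7891, 7892 close the door again
SSH_PORT = 22
TTL = 30.0             # assumption: like `--rcheck --seconds 30`


@dataclass
class KnockFilter:
    knocked: dict = field(default_factory=dict)   # src address -> time of last knock
    sshd_log: list = field(default_factory=list)  # what sshd would get to log

    def packet(self, src, dport, now):
        """Verdict ('ACCEPT' or 'DROP') for a TCP SYN from src to dport at time now."""
        if dport == KNOCK_PORT:
            self.knocked[src] = now          # --set: remember the source
            return "DROP"                    # the knock itself is never answered
        if abs(dport - KNOCK_PORT) <= CLOSE_RADIUS:
            self.knocked.pop(src, None)      # --remove: neighbouring port closes the door
            return "DROP"
        if dport == SSH_PORT:
            t = self.knocked.get(src)
            if t is not None and now - t <= TTL:   # --rcheck --seconds TTL
                self.sshd_log.append(f"connection from {src}")  # assumed log line
                return "ACCEPT"
            return "DROP"
        return "DROP"


def sequential_scan_then_ssh(src="203.0.113.9"):
    """A port scanner that walks 7888..7892 opens the door at 7890 and closes it at 7891."""
    f = KnockFilter()
    for p in range(KNOCK_PORT - CLOSE_RADIUS, KNOCK_PORT + CLOSE_RADIUS + 1):
        f.packet(src, p, now=1.0)
    return f.packet(src, SSH_PORT, now=2.0)


def dictionary_attack_without_knock(src="203.0.113.44", attempts=50):
    """A password guesser that never knocks: every SYN is dropped, sshd logs nothing."""
    f = KnockFilter()
    verdicts = {f.packet(src, SSH_PORT, now=float(i)) for i in range(attempts)}
    return verdicts, len(f.sshd_log)


def knock_expires(src="198.51.100.5"):
    """A knock older than TTL no longer opens the door."""
    f = KnockFilter()
    f.packet(src, KNOCK_PORT, now=0.0)
    return f.packet(src, SSH_PORT, now=TTL + 1.0)


def legit_then_replay():
    """The replay problem: the knock has no secret, so an observer can repeat it."""
    f = KnockFilter()
    f.packet("198.51.100.5", KNOCK_PORT, now=10.0)             # legitimate user knocks
    legit = f.packet("198.51.100.5", SSH_PORT, now=11.0)      # and gets in
    # A passive observer on the path saw "SYN to 7890, then SSH" and simply repeats it
    # from their own address; the filter cannot tell the two apart.
    f.packet("192.0.2.77", KNOCK_PORT, now=12.0)
    replay = f.packet("192.0.2.77", SSH_PORT, now=13.0)
    return legit, replay


if __name__ == "__main__":
    print("scanner:", sequential_scan_then_ssh())
    print("dictionary attack:", dictionary_attack_without_knock())
    print("stale knock:", knock_expires())
    print("legit, replay:", legit_then_replay())
```

The last function is the whole of ldo's point: the knock keeps scanners and unknocked guessers away from sshd, which is all yarikoptic claims for it, but it adds nothing against an attacker positioned to observe the knock, so password quality (or key-only authentication) still has to carry the real weight.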

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds