[plug] ssh access

Daniel Pittman daniel at rimspace.net
Wed Oct 15 10:34:09 WST 2008

"Tomasz Grzegurzko" <tomasz89 at gmail.com> writes:
> On Wed, Oct 15, 2008 at 8:37 AM, Jon L. Miller
> <jlmiller at mmtnetworks.com.au> wrote:
>> I totally agree and currently in the process of looking at this.
>> Wanted to see what Cisco offers before moving to the gateway server.
> I use fail2ban too and find it excellent. The second idea I can
> suggest if your server is facing the outside world (public IP) is
> knockd.

You would be much better off just using a VPN, or sticking a regular CGI
script in place via HTTPS that you could enter a username and password
to, and which would then modify your firewall rules.

I would recommend the OpenBSD authpf framework, but that uses ssh to
trigger authenticate the rest of the firewall rule changes. :)

Port knocking doesn't add any real value to the equation: in the simple
version you may as well have your CGI script work without
authentication, as there is no particular security that a port scan
couldn't defeat.

In the more complex versions where a series of ports, or the content of
the packet are used, you are sending a password to the server through an
obscure mechanism -- that it is comprised of a series of IP packets
makes no substantial difference.

Port knocking also adds complexity -- significant complexity, in some
cases -- to the security process.  Decades of experience show that
complexity is the deadly enemy of security, and can only be justified by
a significant increase in effective results.  Port knocking, sadly, does
not deliver that additional value.

It does look complicated, though, and that is easy to mistake for being
better, or more secure -- and the occasional argument that "no open
ports" improves security is potentially attractive.  (As in, an
attractive nuisance ;)

Finally, the trivial version (one port, just a packet) is easy to
defeat, and if the idea ever becomes popular it *will* be immediately

Keep in mind that your attackers here, who don't care a whit about your
system in particular, have at their disposal nearly limitless network
and CPU resources at no additional cost to them, so it doesn't have to
be a /big/ profit for breaking past port knocking to be a win for them.

The more complex versions, where multiple packets are sent in a given
order, is prone to network troubles disrupting the "clean transmission
line" model, and only getting more prone to it.

Working around that would require more complexity until, finally, you
have reinvented TCP, except worse, because it doesn't have 40 years of
design improvements behind it.

Anyway, my take-home message: don't bother with port knocking.  Just use
something more standard, tested and trustworthy to achieve exactly the
same security results.


Apologies to anyone who is also subscribed to the other LUG where we
just had this conversation, for the duplication of information. :)

More information about the plug mailing list