| 1 |
boger said the following: |
| 2 |
> Hello Kirk, |
| 3 |
> |
| 4 |
> I'll appreciate it ;) |
| 5 |
> |
| 6 |
> Goggling gives a lot of links to libpcap based port knockers, but I dislike idea always running in promiscuous mode. Also "magic packet" is a sort of overkill for me, because I need access from random locations with different OS'es preferably without any additional tools. |
| 7 |
> If computer is untrusted, after logon I can change knock sequence without leaving any keys behind. Even if password gets compromised is not so dangerous in this scenario. |
| 8 |
> |
| 9 |
> By iptables based I mean using ulog or ipq to forward packets to knock daemon, thus its undetectable from outside and can be very fast. |
| 10 |
> |
| 11 |
> About a year ago I tested 5 or 6 port knockers but I didn't find any |
| 12 |
> suitable for me. Some had terrible cpu usage on my machine, |
| 13 |
> some not enough flexible configuration. |
| 14 |
> |
| 15 |
> |
| 16 |
> KH> Yes, there are. I use one for my work servers that is iptables based. |
| 17 |
> KH> I don't have any links for you unfortunately but I have seen them. If |
| 18 |
> KH> you are really interested I can probably track down one I saw that used |
| 19 |
> KH> iptables and was a combination style. I also know of an open source |
| 20 |
> KH> "magic packet" style that I could probably find a link for if you were |
| 21 |
> KH> interested. |
| 22 |
> |
| 23 |
|
| 24 |
It would appear that I was mistaken in thinking that the two I have used |
| 25 |
were iptables based. Both are dependent upon libpcap. I was briefly |
| 26 |
confused based on the way they have been integrated into the iptables |
| 27 |
firewall. For what it is worth, my experiences with libpcap port |
| 28 |
knockers has been very favorable. Sorry if that was a bit of a goose chase. |
| 29 |
-- |
| 30 |
gentoo-security@g.o mailing list |
Archives