Yes, there are. I use one for my work servers that is iptables based.
I don't have any links for you unfortunately, but I have seen them. If
you are really interested I can probably track down one I saw that used
iptables and was a combination style. I also know of an open source
"magic packet" style that I could probably find a link for if you were
interested.

boger said the following:
> Hello Kirk,
> Is there an iptables-based port knocker?
> I dislike the idea of opening ports for this purpose because they can be distinguished in some way.
> Promiscuous mode port knockers consume a lot of processor and
> I don't think it's good for a production server.
>
> KH> A port knocker of some sort is a much more secure solution that will
> KH> allow you to block all unwanted IPs but still allow for dynamic
> KH> addresses. There are port knockers that listen on various ports and
> KH> work like a combination lock to open the port, and there are others that
> KH> use a more secure one time pad "magic packet" kind of authentication to
> KH> open the port for your IP. It is more work to set up, but it is more
> KH> secure than just changing the port. Remember a few years ago when ssh
> KH> had a remote exploit? You probably shouldn't leave that port open.
>
--
gentoo-security@g.o mailing list
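The "combination style" iptables knocker mentioned in the reply, written out as an added example (this is not code from the thread or from any project it names). It uses the iptables `recent` match to walk a source address through three stages; the port numbers, chain names, list names and time windows are constructed values to be replaced for a real server. By default the script only prints the rules; `APPLY=1` runs them.

```shell
#!/bin/sh
# Added example, not code from the thread: a three-port "combination lock"
# port knock built on the iptables "recent" module. A source address that hits
# KNOCK1, KNOCK2, KNOCK3 in order (each within WINDOW seconds of the last) gets
# SERVICE opened for itself alone; a wrong port at any stage resets it.
# All port numbers, chain names and list names below are constructed values.
#
#   ./knock.sh          prints the iptables commands (dry run)
#   APPLY=1 ./knock.sh  executes them (needs root and iptables)

KNOCK1=7000    # first knock port (constructed)
KNOCK2=8000    # second knock port (constructed)
KNOCK3=9000    # third knock port (constructed)
SERVICE=22     # port opened for a source that completed the sequence
WINDOW=10      # seconds allowed between knocks
OPEN_FOR=30    # seconds after the last knock in which SERVICE may be connected to

# ipt: echo the rule, or run it when APPLY=1.
ipt() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

knock_rules() {
    ipt -N KNOCKING
    ipt -N GATE1
    ipt -N GATE2
    ipt -N GATE3
    ipt -N PASSED

    # Loopback and already-established flows bypass the lock; otherwise the
    # knock would cut off the SSH session it just allowed.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -j KNOCKING

    # GATE1: only the first knock is recorded (the knock packet itself is
    # dropped, so the knock port never needs to be open); everything else drops.
    ipt -A GATE1 -p tcp --dport "$KNOCK1" -m recent --name AUTH1 --set -j DROP
    ipt -A GATE1 -j DROP

    # GATE2: forget stage 1; a correct second knock records stage 2, anything
    # else falls back to GATE1, which restarts the sequence or drops.
    ipt -A GATE2 -m recent --name AUTH1 --remove
    ipt -A GATE2 -p tcp --dport "$KNOCK2" -m recent --name AUTH2 --set -j DROP
    ipt -A GATE2 -j GATE1

    # GATE3: same pattern for the third knock.
    ipt -A GATE3 -m recent --name AUTH2 --remove
    ipt -A GATE3 -p tcp --dport "$KNOCK3" -m recent --name AUTH3 --set -j DROP
    ipt -A GATE3 -j GATE1

    # PASSED: sequence complete. The source is cleared, and the same packet is
    # accepted if it is a new connection to SERVICE; anything else restarts.
    ipt -A PASSED -m recent --name AUTH3 --remove
    ipt -A PASSED -p tcp --dport "$SERVICE" -j ACCEPT
    ipt -A PASSED -j GATE1

    # KNOCKING: dispatch on the most advanced stage the source reached within
    # its time window (checked most-advanced first); unknown sources start at GATE1.
    ipt -A KNOCKING -m recent --rcheck --seconds "$OPEN_FOR" --name AUTH3 -j PASSED
    ipt -A KNOCKING -m recent --rcheck --seconds "$WINDOW" --name AUTH2 -j GATE3
    ipt -A KNOCKING -m recent --rcheck --seconds "$WINDOW" --name AUTH1 -j GATE2
    ipt -A KNOCKING -j GATE1
}

knock_rules
```

Because the final `INPUT -j KNOCKING` jump ends in DROP for anything that has not knocked, load this with console access available and after the loopback and conntrack accepts shown. The `recent` match tracks by source address, so everyone behind one NAT shares a stage, and the knock packets travel in the clear, which is exactly the replay weakness that the "one time pad" magic-packet scheme in the quoted message is meant to remove.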