Hello Kirk,
Is there IPtables based port knocker? 
I dislike idea opening ports for this purpose because they can be distinguished by some way.
Promiscuous mode port knockers consume a lot of processor and
 I don't think it's good for production server.

KH> A port knocker of some sort is a much more secure solution that will
KH> allow you to block all unwanted IP's but still allow for dynamic 
KH> addresses.  There are port knockers that listen on various ports and
KH> work like a combination lock to open the port, and there are others that
KH> use a more secure one time pad "magic packet" kind of authentication to
KH> open the port for your IP.  It is more work to setup, but it is more
KH> secure than just changing the port.  Remember a few years ago when ssh
KH> had a remote exploit?  You probably shouldn't leave that port open.

-- 
Best regards,
 boger                            mailto:boger@...

-- 
gentoo-security@g.o mailing list