Michael Orlitzky <michael@××××××××.com> wrote:

> Port knocking is cute, but imparts no extra security.

It does, for instance if you use it to protect sshd and
sshd turns out to be vulnerable; remember e.g. the
security disaster with Debian.

> A better, secure way to achieve the same goal is with OpenVPN.

Using yet another service with possible holes to protect an sshd?
In this case, I would like port knocking at least for this OpenVPN.

> In this case, the absolute worst that could happen is that an attacker
> gains access to every open port on your system. While this is bad, it's
> not a clever new vulnerability: it's all of the old ones that were
> already there.

These are exactly the kinds of attacks for which one usually uses iptables.
You are right, iptables is just one extra step of security, so the
worst thing which can happen is that this step is useless.
However, if you are willing to risk this only because of your own
laziness in scripting, then why do you set up iptables in the first place?

> If there are insecure daemons listening on public addresses

The problem is that nobody can be sure that some daemon is safe.
Even presumably safe services turn out to be victims of new kinds
of attacks, occasionally.