| 1 |
Michael Orlitzky <michael@××××××××.com> wrote: |
| 2 |
> Port knocking is cute, but imparts no extra security. |
| 3 |
|
| 4 |
It does, for instance if you use it to protect sshd and |
| 5 |
sshd turns out to be vulnerable; remember e.g. the |
| 6 |
security disaster with Debian. |
| 7 |
|
| 8 |
> A better, secure way to achieve the same goal is with OpenVPN. |
| 9 |
|
| 10 |
Using yet another service with possible holes to protect a sshd? |
| 11 |
In this case, I would like port knocking at least for this OpenVPN. |
| 12 |
|
| 13 |
> In this case, the absolute worst that could happen is that an attacker |
| 14 |
> gains access to every open port on your system. While this is bad, it's |
| 15 |
> not a clever new vulnerability: it's all of the old ones that were |
| 16 |
> already there. |
| 17 |
|
| 18 |
It is exactly the kind of attacks for which one usually uses iptables. |
| 19 |
You are right, iptables is just one extra step of security, so the |
| 20 |
worst thing which can happen is that this step is useless. |
| 21 |
However, if you are willing to risk this only because of your own |
| 22 |
lazyness in scripting then why do you setup iptables in the first place? |
| 23 |
|
| 24 |
> If there are insecure daemons listening on public addresses |
| 25 |
|
| 26 |
The problem is that nobody can be sure that some daemon is safe. |
| 27 |
Even presumably safe services turn out to be victims of new kind |
| 28 |
of attacks, occassionally. |
Archives