[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: pf port knocking



My heartfelt thanks for all the assistance there. ffs, you speak like
some sort of lord who cannot be bothered assisting the peasants. I get
an inkling you eminate for from such lofty heights. Now, I admit I am
not on the main bsd list (even if I was, I don't have time to even skim
the headers from all the postings it gets) but I have been on the pf
list for about 6 months and thought this was a relevant topic for
discussion. 
Now, I don't think port knocking the latest fad (how it would add to
liability is beyond me). Rather, I think it a relevant security
implementation for my situation. From the sounds, we will be getting a
large number of external contractors, many of whom will be travelling,
so this seemed a good fit. Surely you would agree that if a service
appears closed, that provides increased security. Additionally, it
seems pretty straight forward to implement (even to me who hasn't
programmed in about 2 years); so a time vs reward analysis stacks up. I
don't see the problem; a simple addition to give additional security.
Simply changing the ssh port isn't good enough. Source IP filtering
won't cut the mustard as I don't know which IPs people will get when
they are using global roaming dial-up services. So, where does that
leave me? Either just leave it as is, add a VPN (that I would still
like to appear closed) or implement some system to hide the port. Now,
leaving it as is will probably be absolutely fine provided the service
is kept up to date. Installing a VPN is planned. Adding this extra
layer of port security seems prudent and cost effective.
So, yeah, whatever, it seems I will go it alone.
Cheers
Andrew
 --- jared r r spiegel <[email protected]> wrote: 
> On Fri, Dec 17, 2004 at 06:05:39PM -0500, Roy Morris wrote:
> 
> > If you want to knock off most of the port pounding twits, stop
> allowing
> > ssh from 'any', filter instead by source. If you can't do that,
> because you 
> > MUST have access from your remote laptop, then maybe try using a
> ssh 
> > rule that says use OS type =my remote OS. 
> 
>   that would probably work for most intents and purposes, but i
>   know the pf.conf(5) specifically cautions against using OS
> fingerprints
>   for security enforcement.  it suggests they're for policy 
>   implementation at best.
> 
>   rather than allowing for your laptop like that, i'd probably 
>   go the route of starting a second sshd listening on whatever
>   port ( where reserved is likely better than not ) for the 
>   purposes of authpf(8) to allow a hole into tcp:22.
> 
>   jared
> 
> -- 
> 
> [ openbsd 3.6 GENERIC ( nov 4 ) // i386 ]
>  
Find local movie times and trailers on Yahoo! Movies.
http://au.movies.yahoo.com