
Re: Port Knocking on openBSD?



Greg Thomas wrote:
> 
> Scenario:  I need to be able to SSH into a box from anywhere in the world, but not very often; a new exploit of SSH comes out.  What's the better solution than port knocking to protect yourself from the exploit?

Same as the answer to "What's the protection if your port knocking
system has an exploit?"

> Just curious as it's interesting to think this stuff through and I'm not very knowledgeable here.

One idea: have one box you keep "safe" and up to date and able to fix
quickly.  New SSH exploit comes out, you fix that box first.  Your
other systems are filtered to only accept ssh traffic from that one
box (actually, for redundancy purposes, have TWO boxes in totally
different locations/service providers).

Out at a random location?  ssh into your "hub" machine, then from
there to the remote system you need to maintain.

Nick.
--
http://www.holland-consulting.net
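The "hub" setup Nick describes, written out as an added example (not code from the thread or from any OpenBSD project source): a pf.conf fragment for a managed server that only lets the two hub boxes reach sshd, and a client-side ssh_config that hops through a hub with ProxyJump (OpenSSH 7.3 or later). The hub addresses (203.0.113.10, 198.51.100.20, both from documentation ranges) and the host aliases hub-a, hub-b and remote-* are constructed placeholders, not real systems.

```shell
#!/bin/sh
# Added example, not from the original thread. Generates the two config
# fragments for the "hub box" pattern: restrict sshd on every managed server
# to the hubs, and make the client hop through a hub automatically.

# Constructed placeholder hub addresses (TEST-NET-3 and TEST-NET-2 ranges),
# one hub per provider/location for redundancy.
HUB_A="203.0.113.10"
HUB_B="198.51.100.20"

# pf.conf fragment for a managed server. Both rules use "quick" so the first
# match wins: hubs pass, every other inbound SSH connection is dropped and
# logged. The "const" table cannot be changed at runtime with pfctl -t.
gen_pf_rules() {
    cat <<EOF
table <sshhubs> const { $HUB_A, $HUB_B }
pass in quick on egress proto tcp from <sshhubs> to (egress) port 22 keep state
block in log quick on egress proto tcp to (egress) port 22
EOF
}

# Client ~/.ssh/config fragment: "ssh remote-web" connects to hub-a first and
# is forwarded from there, so only the hubs ever talk to the managed servers.
# Switch ProxyJump to hub-b if hub-a's provider is down.
gen_ssh_config() {
    cat <<EOF
Host hub-a
    HostName $HUB_A
Host hub-b
    HostName $HUB_B
Host remote-*
    ProxyJump hub-a
EOF
}

# Show both fragments when run directly; redirect to files as needed, e.g.
#   sh hub.sh pf  > /etc/pf.conf.ssh  && pfctl -nf /etc/pf.conf.ssh
#   sh hub.sh ssh > ~/.ssh/config.hub
case "${1:-}" in
    pf)  gen_pf_rules ;;
    ssh) gen_ssh_config ;;
esac
```

Check the pf fragment with `pfctl -nf` before loading it, and make sure the rule that lets you reach the hubs themselves (from anywhere, since that is the whole point) lives only in the hubs' own pf.conf, not in this fragment.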