
Re: Port Knocking on openBSD?



On Feb 7, 2004, at 2:01 PM, Nick Holland wrote:

> Greg Thomas wrote:
>>
>> Scenario:  I need to be able to SSH into a box from anywhere in the 
>> world but not very often, a new exploit of SSH comes out.  What's the 
>> better solution than port knocking to protect yourself from the 
>> exploit?
>
> Same as the answer to "What's the protection if your port knocking
> system has an exploit?"

Aren't layers good?

>
>> Just curious as it's interesting to think this stuff through and I'm 
>> not very knowledgeable here.
>
> One idea: have one box you keep "safe" and up to date and able to fix
> quickly.  New SSH exploit comes out, you fix that box first.  Your
> other systems are filtered to only accept ssh traffic from that one
> box (actually, for redundancy purposes, have TWO boxes on totally
> different locations/service providers)
>
> Out at a random location?  ssh into your "hub" machine, then from
> there to the remote system you need to maintain.

Yes, that's a great idea.  But if you're a small shop you may have 
trouble updating that one "safe" box.

Greg
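The filtering Nick describes, written out as a pf.conf fragment for one of the managed boxes. This is an added example, not from the thread or the OpenBSD project; it assumes current OpenBSD pf syntax, an external interface named em0, and two placeholder hub addresses.

```pf
# Added example: pf rules for a managed host that only accepts ssh
# from two "hub" boxes at different providers (Nick's redundancy point).
# em0 and the two addresses are placeholders; substitute your own.
ext_if = "em0"
table <ssh_hubs> const { 192.0.2.10, 198.51.100.20 }   # hub A, hub B

set skip on lo

# Default deny inbound (logged so a scan against port 22 shows up
# in pflog), allow outbound and its replies.
block in log on $ext_if
pass out on $ext_if

# sshd is reachable only from the hub table. Because the block above
# is not "quick", this later pass rule wins for traffic from the hubs;
# every other source falls through to the logged block.
pass in on $ext_if proto tcp from <ssh_hubs> to ($ext_if) port ssh

# Note: the hubs themselves are the only boxes that keep "pass in ...
# port ssh from any", and they are the ones patched first when a new
# sshd advisory lands.
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, and confirm the table contents on the running system with `pfctl -t ssh_hubs -T show`.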