
Re: Port Knocking on openBSD?



Key point Henning realised, we didn't.

Layers are good, but the portknocking is an inner layer:
- is it priv-sep'd? No (I'm guessing), so an exploit *could* give root.

Which makes it more likely for bugs to be worth exploiting.
At least with SSH you've a limited amount of code which can be wrong
and give root.

Dom
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Dom De Vitto                                       Tel. 07855 805 271
http://www.devitto.com                         mailto:dom@devitto.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Where do you want to go today?  Same as every day.... Windows Update.
-----Original Message-----
From: owner-misc@openbsd.org [mailto:owner-misc@openbsd.org] On Behalf Of
Greg Thomas
Sent: Sunday, February 08, 2004 12:45 AM
To: misc@openbsd.org
Subject: Re: Port Knocking on openBSD?

On Feb 7, 2004, at 2:01 PM, Nick Holland wrote:

> Greg Thomas wrote:
>>
>> Scenario:  I need to be able to SSH into a box from anywhere in the 
>> world but not very often, a new exploit of SSH comes out.  What's the 
>> better solution than port knocking to protect yourself from the 
>> exploit?
>
> Same as the answer to "What's the protection if your port knocking 
> system has an exploit?"

Aren't layers good?

>
>> Just curious as it's interesting to think this stuff through and I'm 
>> not very knowledgeable here.
>
> One idea: have one box you keep "safe" and up to date and able to fix 
> quickly.  New SSH exploit comes out, you fix that box first.  Your 
> other systems are filtered to only accept ssh traffic from that one 
> box (actually, for redundancy purposes, have TWO boxes on totally 
> different locations/service providers)
>
> Out at a random location?  ssh into your "hub" machine, then from 
> there to the remote system you need to maintain.

Yes, that's a great idea.  But if you're a small shop you may have trouble
updating that one "safe" box.

Greg
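The "hub box" filtering Nick describes, written out as a pf.conf fragment. This is an added example, not something posted in the thread; the interface name and the two hub addresses are placeholders, and the rules use pf's macro and table syntax rather than any particular release's defaults.

```pf
# Added example (not from the thread): only two "hub" hosts, kept patched and
# placed at different providers, may reach sshd on this box. Everything else
# hitting port 22 is dropped and logged, so a new SSH exploit can only be
# aimed at the hubs, which are the boxes you patch first.
ext_if = "em0"                                  # placeholder: external interface
table <ssh_hubs> { 192.0.2.10, 198.51.100.10 }  # placeholder hub addresses (documentation ranges)

# Weak setting: sshd reachable from anywhere on the internet.
#   pass in on $ext_if proto tcp to port ssh

# Corrected: default-deny for ssh, then allow only the hubs.
block in log on $ext_if proto tcp to port ssh
pass in on $ext_if proto tcp from <ssh_hubs> to ($ext_if) port ssh
```

Blocked attempts land in pflog, so `tcpdump -n -e -ttt -r /var/log/pflog port 22` shows who is probing sshd while the rule set is in place; the hubs themselves still need the same care Nick describes, since they are now the only systems that can reach port 22.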