On Tue, 2014-11-18 at 21:25 -0600, Bruno Wolff III wrote: > On Wed, Nov 19, 2014 at 01:36:46 +0000, > Bill Oliver <vendor@xxxxxxxxxxxxx> wrote: > > > >I've been reading a bit about port knocking as a security tool. It makes pretty good sense for a private box, at least for stuff like ssh and ftp. Does anybody know of a good tutorial/example/script for fedora for this? > > If your threat is password guessing, you can use two factor. > It is easy to require both a password and a public key to connect, with > the public key authentication required before any guessing of the password > can be done. > > If your threat is preauthentication attacks versus the service itself, using > a firewall is probably simpler. But you need to be able to restrict the > allowed IPs to some small fraction of the internet. And there may be blind > spoofing attacks that can get through the firewall. Port knocking can > provide some additional coverage, but this adds risk of the port knocking > service having bugs, extra work setting things up, and it isn't going to > stop some potential attackers. If the main concern is ssh hacking, you might consider denyhosts (yum install denyhosts). It's easy to set up and seems to be effective. The logs make fascinating (and scary) reading. And of course for ftp you *are* using sftp aren't you? In that case you're covered as well. poc -- users mailing list users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
