Re: Port knocking script/server for fedora?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Wed, 19 Nov 2014, Patrick O'Callaghan wrote:



On Tue, 2014-11-18 at 21:25 -0600, Bruno Wolff III wrote:

On Wed, Nov 19, 2014 at 01:36:46 +0000,
  Bill Oliver <vendor@xxxxxxxxxxxxx> wrote:


I've been reading a bit about port knocking as a security tool.  It makes pretty good sense for a private box, at least for stuff like ssh and ftp.   Does anybody know of a good tutorial/example/script for fedora for this?


If your threat is password guessing, you can use two factor.
It is easy to require both a password and a public key to connect, with
the public key authentication required before any guessing of the password
can be done.

If your threat is preauthentication attacks versus the service itself, using
a firewall is probably simpler. But you need to be able to restrict the
allowed IPs to some small fraction of the internet. And there may be blind
spoofing attacks that can get through the firewall. Port knocking can
provide some additional coverage, but this adds risk of the port knocking
service having bugs, extra work setting things up, and it isn't going to
stop some potential attackers.


If the main concern is ssh hacking, you might consider denyhosts (yum
install denyhosts). It's easy to set up and seems to be effective. The
logs make fascinating (and scary) reading.

And of course for ftp you *are* using sftp aren't you? In that case
you're covered as well.

poc



Well, to be honest, I don't know of any big specific threats other than
the usual random people from China, Russia, and Korea that seem to attack
everybody.  And there's some guy in France that knocks on my door every
now and then.  I use denyhosts, and it works well, and yeah, I use sftp.

I was just reading about port knocking and thought I'd play with it a bit
to see how much of a hassle it was to use.

billo
--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [EPEL Devel]     [Fedora Magazine]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Desktop]     [Fedora Fonts]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Fedora Sparc]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux