On Feb 01, 2007, Wakko Warner wrote:
> franck joncourt wrote:
> > In order to prevent such attacks, you can write iptables rules to set
> > up port knocking. This is the way I do it.
>
> I thought about doing this, but I ultimately decided against it. The
> problems of doing the knocking outweighed the benefits. I prefer to let
> them try a few times before my current rules ban them.

If someone finds a remote exploit in sshd, then just allowing connections at
all can potentially expose you to compromise.

As far as port knocking is concerned, I agree, there are a ton of problems.
There is a better alternative called Single Packet Authorization:

http://www.cipherdyne.org/fwknop/docs/SPA.html

Fwknop is an implementation that is based around iptables:

http://www.cipherdyne.org/fwknop/

--
Michael Rash
http://www.cipherdyne.org/
Key fingerprint = 53EA 13EA 472E 3771 894F AC69 95D8 5D6B A742 839F
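A runnable sketch of the single-packet authorization idea, added here as an illustration and not fwknop's code or its wire format: the client sends one HMAC-authenticated datagram; the server checks the tag, a timestamp window, the claimed source address and a replay cache before it would insert an iptables ACCEPT rule for that source. The shared key, the JSON payload layout, the addresses and the rule shape are assumptions made for the example, and the iptables command is returned as a string rather than executed, so it runs anywhere.

```python
"""Toy single-packet authorization (SPA). Added example, not fwknop's code."""
import base64
import hashlib
import hmac
import json
import os
import time

MAC_LEN = 32  # HMAC-SHA256 tag appended to the message body


def build_spa_packet(key, src_ip, port, proto="tcp", now=None, nonce=None):
    """Client side: one authenticated datagram asking for access to port.

    Payload layout (JSON + HMAC-SHA256 tag) is constructed for this example.
    `now` and `nonce` are parameters only to make the demo deterministic.
    """
    ts = int(time.time()) if now is None else int(now)
    nonce = os.urandom(16) if nonce is None else nonce
    body = json.dumps(
        {"ip": src_ip, "port": int(port), "proto": proto, "ts": ts,
         "nonce": base64.b64encode(nonce).decode("ascii")},
        sort_keys=True, separators=(",", ":"),
    ).encode("utf-8")
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


class SpaVerifier:
    """Server side: decide whether a received datagram should open the firewall.

    A sniffer who captured a valid packet cannot forge a new one (no key) and
    cannot replay the captured one (tag cache). The firewall is never touched;
    verify() returns the rule an accepting daemon would install, as a string.
    """

    def __init__(self, key, window=60, now_fn=time.time):
        self.key = key
        self.window = window          # seconds of clock skew tolerated
        self.now_fn = now_fn
        self.seen = {}                # tag -> packet timestamp, kept inside the window

    def _expire(self, now):
        stale = [t for t, ts in self.seen.items() if abs(now - ts) > self.window]
        for t in stale:
            del self.seen[t]

    def verify(self, packet, src_ip):
        """Return (accepted, detail): detail is a reject reason or the rule."""
        if len(packet) <= MAC_LEN:
            return False, "truncated packet"
        body, tag = packet[:-MAC_LEN], packet[-MAC_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):       # constant-time compare
            return False, "bad authentication tag"
        try:
            msg = json.loads(body.decode("utf-8"))
            ts, ip = int(msg["ts"]), msg["ip"]
            port, proto = int(msg["port"]), msg["proto"]
        except (ValueError, KeyError, TypeError):
            return False, "malformed body"
        now = int(self.now_fn())
        if abs(now - ts) > self.window:
            return False, "timestamp outside window"
        if ip != src_ip:                 # packet must come from the address it names
            return False, "source address does not match packet"
        if proto not in ("tcp", "udp"):
            return False, "unsupported protocol"
        self._expire(now)
        if tag in self.seen:             # same datagram seen again inside the window
            return False, "replay"
        self.seen[tag] = ts
        rule = f"iptables -I INPUT -p {proto} -s {ip} --dport {port} -j ACCEPT"
        return True, rule


def demo():
    """Walk one client packet through accept, replay, spoof, tamper and stale."""
    key = b"example-shared-key-change-me"  # constructed; use a random key for real
    clock = [1_700_000_000]                # fake clock so the run is deterministic
    verifier = SpaVerifier(key, window=60, now_fn=lambda: clock[0])
    pkt = build_spa_packet(key, "192.0.2.10", 22, now=clock[0], nonce=b"\x01" * 16)
    results = {}
    results["first"] = verifier.verify(pkt, "192.0.2.10")
    results["replay"] = verifier.verify(pkt, "192.0.2.10")
    results["spoofed"] = verifier.verify(pkt, "198.51.100.7")
    tampered = pkt[:-MAC_LEN].replace(b'"port":22', b'"port":23') + pkt[-MAC_LEN:]
    results["tampered"] = verifier.verify(tampered, "192.0.2.10")
    clock[0] += 3600                       # an hour later the same packet is stale
    results["stale"] = verifier.verify(pkt, "192.0.2.10")
    return results


if __name__ == "__main__":
    for name, (ok, detail) in demo().items():
        print(f"{name:9s} {'ACCEPT' if ok else 'REJECT'}  {detail}")
```

The checks are ordered so that a bad tag is rejected before the body is parsed and a stale or spoofed packet is rejected before the replay cache is consulted; the cache only has to remember tags for the length of the timestamp window, which keeps it bounded on a busy host.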