Michael Rash wrote:

> > franck joncourt wrote:
> > > In order to prevent such attacks, you can write iptables rules to set up port knocking. This is the way I do it.
> >
> > I thought about doing this, but I ultimately decided against it. The
> > problems of doing the knocking outweighed the benefits. I prefer to let
> > them try a few times before my current rules ban them.
>
> If someone finds a remote exploit in sshd, then just allowing
> connections at all can potentially expose you to compromise. As far as

True.

> port knocking is concerned, I agree, there are a ton of problems. There
> is a better alternative called Single Packet Authorization:
>
> http://www.cipherdyne.org/fwknop/docs/SPA.html
>
> Fwknop is an implementation that is based around iptables:
>
> http://www.cipherdyne.org/fwknop/

This still means that all authorized users have to do this, which is not what I want to do. What if I'm at someone's house and decide I want in to my system, and they don't have any way of performing the port knocking or the fwknop?

-- 
Lab tests show that use of micro$oft causes cancer in lab animals
Got Gas???
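The "let them try a few times before my rules ban them" approach mentioned in the thread, written out as an added example (this is not code from the thread or from the fwknop project): new SSH connections are tracked per source address with the iptables `recent` match, and a source that opens too many new connections inside the window is dropped. The port number, the hit count, the window length and the `IPT` dry-run variable are assumptions chosen for the example; established traffic is assumed to be accepted by a rule elsewhere in the ruleset.

```shell
#!/bin/sh
# Added example: rate-limit new SSH connections with the iptables "recent" module.
# Not from the mailing-list thread; values below are constructed for illustration.
# IPT defaults to iptables; set IPT=echo to print the rules instead of applying them.
IPT="${IPT:-iptables}"
SSH_PORT="${SSH_PORT:-22}"   # assumption: sshd listens on port 22
HITS="${HITS:-4}"            # new connections allowed per window (constructed)
WINDOW="${WINDOW:-60}"       # window length in seconds (constructed)

ssh_ratelimit_rules() {
    # Record every new SSH connection attempt under the list name SSH.
    "$IPT" -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW \
        -m recent --name SSH --set
    # Drop the attempt if this source already has HITS entries within WINDOW
    # seconds. --update (rather than --rcheck) refreshes the timestamp, so a
    # source that keeps hammering stays blocked until it goes quiet.
    "$IPT" -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW \
        -m recent --name SSH --update --seconds "$WINDOW" --hitcount "$HITS" -j DROP
    # Otherwise let the new connection through to sshd.
    "$IPT" -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -j ACCEPT
}

# Render the rules as text without touching the firewall (dry run in a subshell).
render_rules() {
    (IPT=echo; ssh_ratelimit_rules)
}

# Number of rules the function would append; used as a self-check.
count_rules() {
    render_rules | wc -l | tr -d ' '
}

# Apply only when explicitly asked, e.g. "sh ssh-ratelimit.sh apply" as root.
if [ "${1:-}" = "apply" ]; then
    ssh_ratelimit_rules
fi
```

Run it with `IPT=echo sh ssh-ratelimit.sh apply` first to see the exact rules it would add; the `recent` list can be inspected on a live system in `/proc/net/xt_recent/SSH`, which is also where you check whether your own address has been caught by the limit.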