captain_clue_bit
reply to nwrickert

Re: Is Portknocking "Real" Security?

WOW, you guys have the craziest views of reality.

said by nwrickert:

Option 1: I publish the sequence of magic port knocks. There goes any added security down the drain.
Right, because service scanners always read published info about a target. It's the nmap option of --check-for-published-portknocker-data

said by nwrickert:

Option 2: I build a client that knows the sequence of magic port knocks. That's tantamount to publishing, so see option 1.
Absolutely, because most scanners download specific client software for every host they scan. It's the --download-special-ssh-client-and-extract-portknocking-sequence flag to nmap.

said by nwrickert:

Option 3: I have to manually weave my way through this maze every time I need to use SSH. There goes my security. I have made it too inconvenient to push security updates to each of the servers. So I don't update them. The security risk of this is greater than the imagined risk of a possible zero-day ssh exploit showing up. Also, I probably stop monitoring my servers from home, because I have made it too inconvenient to login to them. The loss of monitoring is another increased security risk.
You think that's bad, have you seen the whole PKI authentication model?? They actually expect you to always have a file present on a system in order to log into others. Man, what a hassle. Those systems must not've been patched in years.

said by nwrickert:

And that of course is part of the "KEY" Daniel cannot understand... unattended access... additional third party apps installed inside to make it all happen... and you trust the code to work as advertised... Then you force the rest of your security to allow it to happen.
SSH on *any* system is third party. Since you haven't audited or written your operating system, you trust that *all* of your software works as advertised.

Face it gents, it's a real security layer. Every security layer can be defeated, it's just a matter of how hard it is or how long it takes.
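As an added illustration of the layer being argued over (example code, not from this thread or from any real knock daemon), here is the core of a knock-sequence validator in Python: a source must hit a constructed secret sequence of ports, in order, within a time window before the daemon would open SSH to it. The constructed events also show why a scanner sweeping ports in ascending order never completes the sequence, which is the point about nmap made above.

```python
from collections import defaultdict
from dataclasses import dataclass

KNOCK_SEQUENCE = (7000, 8000, 9000)  # constructed secret sequence, not from the thread
WINDOW_SECONDS = 10.0                # the whole sequence must arrive within this window


@dataclass
class KnockState:
    progress: int = 0      # how many ports of the sequence have matched so far
    first_ts: float = 0.0  # timestamp of the first correct knock


class KnockDaemon:
    """Tracks per-source knock progress and records sources that complete it."""

    def __init__(self, sequence=KNOCK_SEQUENCE, window=WINDOW_SECONDS):
        self.sequence, self.window = sequence, window
        self.state = defaultdict(KnockState)
        self.allowed = set()

    def observe(self, ts, src_ip, dst_port):
        """Feed one inbound connection attempt; True when src_ip completes the sequence."""
        st = self.state[src_ip]
        if st.progress and ts - st.first_ts > self.window:
            st.progress = 0                     # too slow: start over
        if dst_port != self.sequence[st.progress]:
            st.progress = 0                     # out-of-order port: any wrong hit resets
        if dst_port == self.sequence[st.progress]:
            if st.progress == 0:
                st.first_ts = ts
            st.progress += 1
        if st.progress == len(self.sequence):
            self.allowed.add(src_ip)            # here a real daemon would open tcp/22 for src_ip
            del self.state[src_ip]
            return True
        return False


def run_demo():
    """Constructed events: (timestamp, source, destination port)."""
    legit = [(0.0, "10.0.0.5", 7000), (1.0, "10.0.0.5", 8000), (2.5, "10.0.0.5", 9000)]
    # a scanner walking ports upward touches 7000, but the very next port (7001) resets it
    scan = [(float(i), "198.51.100.9", p) for i, p in enumerate(range(6998, 8002))]
    # a client that knows the sequence but takes too long between knocks also fails
    slow = [(0.0, "10.0.0.6", 7000), (5.0, "10.0.0.6", 8000), (20.0, "10.0.0.6", 9000)]
    daemon = KnockDaemon()
    for ts, src, port in sorted(legit + scan + slow):
        daemon.observe(ts, src, port)
    return daemon.allowed
```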

Monday, 28-May 11:03:30
© 1999-2012 dslreports.com.