[clug] mc-root anyone?

Michael Cohen scudette at gmail.com
Fri Jun 19 10:57:22 GMT 2009


On Fri, Jun 19, 2009 at 6:19 PM, Kim Holburn<kim at holburn.net> wrote:
> I've used ipt_recent and there are probably userland targets or you can use
> scripts.

ipt_recent simply limits frequently connecting hosts. If there is a
vuln in SSH, you only need a single connection to be done over.

> But all that action happens in the clear and is interruptible and duplicable
> by a listener, i.e. an MITM attack.

Indeed - but for an attacker to see the knock sequence they need to be
in the path of communication to intercept it - not entirely impossible
but certainly beyond the reach of most Russian hackers.  This is why
it's a medium level of security for a front-line defence mechanism.

> And it's been thought through and tested for security by experts.

Indeed - but it is still a complex protocol. You do recall the whole
OpenSSL key fiasco a couple of months ago. Because my servers were
behind port knocks they were immune from opportunistic zero-day
attacks until I could patch them. Security is a process - nothing is
foolproof. Port knocks are an additional, easy to implement, security
layer and they can only add to the overall security by raising the bar
for an attacker to even launch an attack. The overall trade-off is
very favourable - it's only slightly inconvenient for users.

> It might make you feel more secure.
>
> Take out passwords and use RSA keys, it's built-in to ssh.  It can't be
> attacked like passwords and it's "very" secure, to quite large values of
> "very".

Yep - no problem with that. Except when keys aren't quite random, or
buffers are too small, or some other unforeseen problems occur.

> It's also easy to break a well constructed security system by adding stuff
> the original authors never thought you would and it's happened with ssh
> several times.  The startup protocols are critical to setting up ssh
> securely.  Be careful.

Yep - knocking has nothing to do with ssh - it simply adds iptables
rules to allow a single connection.  The subsequent ssh connection is
not interfered with in any way. Although, you are kind of making the
assumption that the IP address the knocks come from is the same as the
address the ssh connection comes from (might be wrong if you are behind
a NAT that uses a pool of addresses), so it's not perfect.

I believe that knocking is best practice and always set my servers up
like that. I have not come across many other admins that do - maybe I'm
more paranoid about it.

Michael.
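The knock mechanism discussed in this thread, as an added example written for this page (it is not Michael's setup and not code from any knock daemon): a minimal knock state machine that tracks each source address's progress through a fixed port sequence, resets on a wrong port or a stalled sequence, and on completion records the iptables command that would open port 22 for that one source. The opening is consumed by the first new SSH connection, matching the "allow a single connection" behaviour described above, and it is keyed on source address, so a client whose SSH connection leaves a NAT pool from a different address than its knocks is refused. The port sequence, timeouts, addresses and the exact iptables rule text are assumptions chosen for illustration; the script records the commands rather than executing them.

```python
"""Toy port-knock daemon: sequence tracking, one-shot opening, NAT and replay caveats.

Added example for illustration only; ports, addresses and timeouts are assumed.
"""
from dataclasses import dataclass

# Assumed knock sequence and timing (not from the original post).
KNOCK_SEQUENCE = (7000, 8000, 9000)
KNOCK_TIMEOUT = 10.0   # seconds allowed between consecutive knocks
OPEN_WINDOW = 30.0     # seconds the SSH opening stays valid if unused


@dataclass
class KnockState:
    progress: int = 0      # how many knocks of the sequence have matched
    last_seen: float = 0.0  # timestamp of the last matching knock


class KnockDaemon:
    def __init__(self, sequence=KNOCK_SEQUENCE, timeout=KNOCK_TIMEOUT, window=OPEN_WINDOW):
        self.sequence = tuple(sequence)
        self.timeout = timeout
        self.window = window
        self.states = {}      # src_ip -> KnockState
        self.open_until = {}  # src_ip -> expiry timestamp of the pending opening
        self.commands = []    # iptables commands that a real daemon would execute

    def _rule(self, src_ip, action):
        # Illustrative rule: accept NEW TCP connections to 22 from one source.
        # Established connections are carried by conntrack once the rule is gone.
        return (f"iptables {action} INPUT -p tcp -s {src_ip} --dport 22 "
                f"-m conntrack --ctstate NEW -j ACCEPT")

    def observe(self, ts, src_ip, dst_port):
        """Feed one observed SYN (timestamp, source address, destination port)."""
        st = self.states.get(src_ip, KnockState())
        # A stalled partial sequence expires; the client must start over.
        if st.progress and ts - st.last_seen > self.timeout:
            st = KnockState()
        if dst_port == self.sequence[st.progress]:
            st.progress += 1
            st.last_seen = ts
        elif dst_port == self.sequence[0]:
            # Wrong port, but it is the first knock: treat as a fresh start.
            st = KnockState(progress=1, last_seen=ts)
        else:
            # Any other port (a scan, a typo) discards the partial sequence.
            st = KnockState()
        if st.progress == len(self.sequence):
            self.open_until[src_ip] = ts + self.window
            self.commands.append(self._rule(src_ip, "-I"))
            st = KnockState()
        self.states[src_ip] = st
        return st.progress

    def ssh_allowed(self, ts, src_ip):
        """Would a NEW connection to port 22 from src_ip pass right now?

        The opening is one-shot: the first attempt, successful or expired,
        removes the rule, so a second connection needs a fresh knock.
        """
        expiry = self.open_until.pop(src_ip, None)
        if expiry is None:
            return False
        self.commands.append(self._rule(src_ip, "-D"))
        return ts <= expiry


def demo():
    """Legitimate knock, then the NAT caveat and the passive-replay caveat."""
    d = KnockDaemon()
    # Constructed traffic: a client knocks 7000, 8000, 9000 one second apart.
    for i, port in enumerate(KNOCK_SEQUENCE):
        d.observe(float(i), "203.0.113.5", port)
    first = d.ssh_allowed(3.0, "203.0.113.5")    # True: opened by the knock
    second = d.ssh_allowed(4.0, "203.0.113.5")   # False: opening already consumed
    # NAT pool: knocks leave as .1 but the SSH SYN leaves as .2.
    for i, port in enumerate(KNOCK_SEQUENCE):
        d.observe(10.0 + i, "198.51.100.1", port)
    natted = d.ssh_allowed(13.0, "198.51.100.2")  # False: different source address
    # A listener on the path replays the same static sequence from its own host.
    for i, port in enumerate(KNOCK_SEQUENCE):
        d.observe(20.0 + i, "192.0.2.9", port)
    replay = d.ssh_allowed(23.0, "192.0.2.9")     # True: static knocks are replayable
    return first, second, natted, replay


if __name__ == "__main__":
    print(demo())
```

The replay result is the point Kim raises about a listener duplicating the sequence: a static knock is a shared secret sent in the clear, so its value is against opportunistic scanners rather than an attacker positioned on the path. The NAT case is the caveat Michael mentions about the knock source and the SSH source possibly differing.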

