Ooops, forgot to paste in the link:
http://slashdot.org/article.pl?sid=04/02/05/1834228&mode=thread&tid=126&tid=172
Some good discussions, including these gems:
"Knock knock...
Who's there?
Usher.
Usher who?
Usher wish I could SSH to your server!
Sorry... ;)"
and this less silly one:
"It should be noted that this is NOT (necessarily) an example of security through obscurity. One could treat the port-knocking sequence as a "key". Long enough keys could make port-scanning impossible for anyone who doesn't know the key. Real mathematical cryptography is based on a similar principle.
Also, this is only a defense against port-scanning. Even if someone did manage to break the knocking sequence, they would still have to use some kind of exploit against the machine on the port they discovered."
Anthony
From: tickticker <tickticker@cox.net>
Date: 2004/03/16 Tue PM 03:35:22 EST
To: plug-discuss@lists.plug.phoenix.az.us
Subject: Re: Port Knocking - An interesting idea
yes, it was on slashdot a couple months ago
anthony
From: Fred Wright <fawright@earthlink.net>
Date: 2004/03/16 Tue PM 03:09:31 EST
To: plug-discuss@lists.plug.phoenix.az.us
Subject: Port Knocking - An interesting idea
I first read about this in Bruce Schneier's CRYPTO-GRAM, March 15,
2004. Has anyone else heard/thought about this?
/quote
Port Knocking
Port knocking is a clever new computer security trick. It's a way to
configure a system so that only systems who know the "secret knock" can
access a certain port. For example, you could build a port-knocking
defensive system that would not accept any SSH connections (port 22) unless
it detected connection attempts to closed ports 1026, 1027, 1029, 1034,
1026, 1044, and 1035 in that sequence within five seconds, then listened on
port 22 for a connection within ten seconds. Otherwise, the system would
completely ignore port 22.
It's a clever idea, and one that could easily be built into VPN systems and
the like. Network administrators could create unique knocks for their
networks -- family keys, really -- and only give them to authorized
users. It's no substitute for good access control, but it's a nice
addition. And it's an addition that's invisible to those who don't know
about it.
<http://www.linuxjournal.com/article.php?sid=6811>
<http://www.portknocking.org/>
/endquote
--
Fred Wright
fawright-at-earthlink-dot-net
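The knock-then-open logic described in the quoted CRYPTO-GRAM passage, written out as an added example that is not part of the original posts or of any port-knocking project: the port sequence and the five- and ten-second windows come from the quote; the class name, the per-source bookkeeping, and the constructed source addresses and timestamps are assumptions. It also shows the two failure modes a defender should expect, a sequence delivered too slowly and a stray connection attempt in the middle, both of which reset the knock.

```python
from dataclasses import dataclass
from typing import Dict, List

# Sequence and windows as given in the quoted CRYPTO-GRAM text
KNOCK_SEQUENCE: List[int] = [1026, 1027, 1029, 1034, 1026, 1044, 1035]
KNOCK_WINDOW = 5.0     # whole sequence must arrive within five seconds
OPEN_WINDOW = 10.0     # port 22 then accepts a connection for ten seconds
PROTECTED_PORT = 22


@dataclass
class KnockState:
    index: int = 0       # how many ports of the sequence have matched so far
    started: float = 0.0 # time the current attempt began


class PortKnockDaemon:
    """Hypothetical daemon watching SYNs to closed ports (one state per source)."""

    def __init__(self, sequence=KNOCK_SEQUENCE, knock_window=KNOCK_WINDOW,
                 open_window=OPEN_WINDOW, protected_port=PROTECTED_PORT):
        self.sequence = list(sequence)
        self.knock_window = knock_window
        self.open_window = open_window
        self.protected_port = protected_port
        self.progress: Dict[str, KnockState] = {}
        self.opened_until: Dict[str, float] = {}

    def knock(self, src: str, port: int, now: float) -> bool:
        """Record one attempt to a closed port; True when the sequence completes."""
        st = self.progress.get(src)
        if st is None or now - st.started > self.knock_window:
            st = KnockState(index=0, started=now)   # too slow: start over
        if port == self.sequence[st.index]:
            st.index += 1
        else:
            # Any other port resets; it may itself be the first knock of a new attempt
            st = KnockState(index=1 if port == self.sequence[0] else 0, started=now)
        if st.index == len(self.sequence):
            self.opened_until[src] = now + self.open_window
            self.progress.pop(src, None)
            return True
        self.progress[src] = st
        return False

    def allow(self, src: str, port: int, now: float) -> bool:
        """Would a connection from src to port be accepted at time now?"""
        if port != self.protected_port:
            return False
        deadline = self.opened_until.get(src)
        return deadline is not None and now <= deadline
```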
---------------------------------------------------
PLUG-discuss mailing list -
PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss