MAC addresses

Darren Kirby bulliver at badcomputer.no-ip.com
Mon Sep 13 01:09:02 CEST 2004


quoth the Chris Brenton:
>
> A VPN is probably overkill as SSH is already a VPN (strong built-in
> authentication and encryption). Heck, I'll take Blowfish over 3DES or AES
> for privacy any day of the week :). Two other options come to mind:
>
> 1) Bind SSH to a non-standard port
> Yes someone doing a full port scan can still find it, blah, blah, blah.
> I've been running this for years and have yet to receive a single
> non-authorized connect to the port that has actually performed an SSH
> handshake.
>
> 2) Set up port knocking
> http://www.linuxjournal.com/article.php?sid=6811
> I know a few people that have set this up with great success. Sure it's
> vulnerable to replay, but since we're talking SSH that's not really a
> problem. Great way to expose ports to only certain users.
>
> So with either option you still want to use public/private keys or
> strong passwords with SSH. They are designed to simply mask the service
> from all the SSH scanning that's running around the Internet.
>
> HTH,
> Chris

Port knocking is some serious black magic. This is very interesting, and seems 
to be ideal for me, because I only need this access for short periods (1-2 
weeks) a couple times a year.

Thanks very much for the tip,
-d

-- 
Part of the problem since 1976
http://badcomputer.no-ip.com
Get my public key from 
http://keyserver.linux.it/pks/lookup?op=index&search=bulliver
"...the number of UNIX installations has grown to 10, with more expected..."
- Dennis Ritchie and Ken Thompson, June 1972 
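Port knocking as Chris describes it is a small per-source state machine: a client hits a fixed sequence of closed ports, and only after the full sequence arrives in order and within a time limit does the firewall let that source reach port 22 for a while. The following is an added example (not code from this thread or from the Linux Journal article) that implements that state machine in Python over constructed netfilter LOG-target lines. The knock ports, timeouts, addresses and the "KNOCK:" log prefix are all assumptions made for the example. The knock sequence is a static shared secret, which is why it only masks the service and why key or strong-password authentication on SSH itself still matters.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed example values (assumptions, not from the thread or the article).
KNOCK_SEQUENCE = (7000, 8000, 9000)   # closed ports that must be hit in this order
KNOCK_TIMEOUT = 10.0                  # max seconds between consecutive knocks
OPEN_WINDOW = 30.0                    # seconds port 22 stays reachable afterwards

# Fields a netfilter LOG target writes for a TCP packet that hit a closed port.
LOG_RE = re.compile(r"SRC=(?P<src>[\d.]+).*?DPT=(?P<dpt>\d+)")


def parse_knock(ts: float, line: str) -> Optional[Tuple[float, str, int]]:
    """Extract (timestamp, source address, destination port) from one LOG line.

    The timestamp is supplied by the caller (constructed seconds here); a real
    syslog prefix would need date parsing that is beside the point."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    return ts, m.group("src"), int(m.group("dpt"))


class KnockDaemon:
    """Per-source state machine: open port 22 only after the full sequence."""

    def __init__(self, sequence=KNOCK_SEQUENCE, timeout=KNOCK_TIMEOUT,
                 open_window=OPEN_WINDOW):
        self.sequence = tuple(sequence)
        self.timeout = timeout
        self.open_window = open_window
        self._progress: Dict[str, Tuple[int, float]] = {}  # src -> (next idx, last ts)
        self._open_until: Dict[str, float] = {}             # src -> expiry ts

    def observe(self, ts: float, src: str, dport: int) -> bool:
        """Feed one knock. Returns True when this knock completes the sequence."""
        idx, last = self._progress.get(src, (0, ts))
        if ts - last > self.timeout:      # too slow: start over
            idx = 0
        if dport == self.sequence[idx]:
            idx += 1
        elif dport == self.sequence[0]:   # wrong port, but it is the first knock
            idx = 1
        else:                             # any other port resets the sequence
            idx = 0
        if idx == len(self.sequence):
            self._open_until[src] = ts + self.open_window
            self._progress.pop(src, None)
            return True
        self._progress[src] = (idx, ts)
        return False

    def allows_ssh(self, ts: float, src: str) -> bool:
        """Would a SYN to port 22 from src be accepted at time ts?"""
        expiry = self._open_until.get(src)
        return expiry is not None and ts <= expiry


def run_events(events, daemon: Optional[KnockDaemon] = None) -> Dict[str, bool]:
    """Replay (ts, log line) pairs and report which sources have port 22 open
    at the time of the last event."""
    daemon = daemon or KnockDaemon()
    sources = set()
    last_ts = 0.0
    for ts, line in events:
        knock = parse_knock(ts, line)
        if knock is None:
            continue
        daemon.observe(*knock)
        sources.add(knock[1])
        last_ts = ts
    return {src: daemon.allows_ssh(last_ts, src) for src in sorted(sources)}


# Constructed log lines (RFC 5737 documentation addresses): a correct knock,
# a sequential scanner that happens to touch two of the knock ports, and a
# client whose second knock arrives after the timeout.
SAMPLE_EVENTS = [
    (0.0, "KNOCK: IN=eth0 SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP SPT=40001 DPT=7000"),
    (1.0, "KNOCK: IN=eth0 SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP SPT=40002 DPT=8000"),
    (2.0, "KNOCK: IN=eth0 SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP SPT=40003 DPT=9000"),
    (3.0, "KNOCK: IN=eth0 SRC=203.0.113.9 DST=192.0.2.1 PROTO=TCP SPT=5555 DPT=7000"),
    (3.1, "KNOCK: IN=eth0 SRC=203.0.113.9 DST=192.0.2.1 PROTO=TCP SPT=5555 DPT=7001"),
    (3.2, "KNOCK: IN=eth0 SRC=203.0.113.9 DST=192.0.2.1 PROTO=TCP SPT=5555 DPT=8000"),
    (4.0, "KNOCK: IN=eth0 SRC=203.0.113.50 DST=192.0.2.1 PROTO=TCP SPT=6001 DPT=7000"),
    (25.0, "KNOCK: IN=eth0 SRC=203.0.113.50 DST=192.0.2.1 PROTO=TCP SPT=6002 DPT=8000"),
    (26.0, "KNOCK: IN=eth0 SRC=203.0.113.50 DST=192.0.2.1 PROTO=TCP SPT=6003 DPT=9000"),
]

if __name__ == "__main__":
    for src, opened in run_events(SAMPLE_EVENTS).items():
        print(f"{src:15s} ssh {'OPEN' if opened else 'closed'}")
```

Only 198.51.100.7 ends up with port 22 reachable: the scanner's 7001 between 7000 and 8000 resets it, and the slow client's 21-second gap exceeds the knock timeout. A real deployment would tail the kernel log (or use the netfilter `recent` match) and insert a time-limited ACCEPT rule for the source instead of returning a boolean, but the ordering, timeout and reset logic is the part that decides who gets to see the service.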