Rich Kulawiec on 1 Aug 2017 05:50:40 -0700


Re: [PLUG] SSH Hardening : Request for Best Practices

On Thu, Jul 27, 2017 at 09:39:55PM -0400, Robert wrote:
> On 07/26/2017 06:33 PM, Rich Kulawiec wrote:
> > On Wed, Jul 26, 2017 at 12:05:16PM -0400, K.S. Bhaskar wrote:
> > I'd rather go back with the approach I outlined elsewhere in this
> > thread, which prevents most of the Internet from attacking your
> > ssh instance successfully *even if they compromise both factors of your
> > 2FA* because they can't connect.
> Have you looked at port knocking then?  If they cannot find it they
> cannot break into it.

Yes, I'm well aware of port knocking.  However, it's not even close to
as thorough a solution as the one I described, because it still allows
attackers to attempt to connect.  So rather than allow random hosts
which will *never* initiate a valid connection to try their luck, it's
much better to just drop their packets on the floor.  Note that this
means that even if they figure out the port-knocking sequence, it won't
do them any good until they also figure out what hosts they can use it
from AND gain access to one or more of those hosts.
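
The layering argued for above, as an added example that is not part of the original message: a toy Python model of an inbound filter, showing that a host which knows the knock sequence is still dropped when a source allowlist sits in front of it. The addresses, knock ports and the `Filter` class are constructed for illustration.

```python
import ipaddress

# Constructed sample values (documentation address ranges), not from the thread.
ALLOWED_SOURCES = [ipaddress.ip_network("198.51.100.0/24")]
KNOCK_SEQUENCE = (7000, 8000, 9000)   # hypothetical knock ports
SSH_PORT = 22


class Filter:
    """Toy model of an inbound packet filter in front of sshd."""

    def __init__(self, use_allowlist, use_knocking):
        self.use_allowlist = use_allowlist
        self.use_knocking = use_knocking
        self.progress = {}   # source IP -> number of correct knocks so far

    def handle(self, src, dport):
        """Return 'ACCEPT' or 'DROP' for one inbound TCP SYN."""
        addr = ipaddress.ip_address(src)
        # Allowlist is checked first: other sources never reach later rules.
        if self.use_allowlist and not any(addr in n for n in ALLOWED_SOURCES):
            return "DROP"
        if not self.use_knocking:
            return "ACCEPT" if dport == SSH_PORT else "DROP"
        done = self.progress.get(src, 0)
        if dport == SSH_PORT:
            return "ACCEPT" if done == len(KNOCK_SEQUENCE) else "DROP"
        # Knock packets are always dropped; they only advance or reset state.
        if done < len(KNOCK_SEQUENCE) and dport == KNOCK_SEQUENCE[done]:
            self.progress[src] = done + 1
        else:
            self.progress[src] = 1 if dport == KNOCK_SEQUENCE[0] else 0
        return "DROP"


def knock_then_ssh(fw, src):
    """Replay the full knock sequence from src, then try the SSH port."""
    for port in KNOCK_SEQUENCE:
        fw.handle(src, port)
    return fw.handle(src, SSH_PORT)


if __name__ == "__main__":
    outsider, trusted = "203.0.113.77", "198.51.100.20"
    print(knock_then_ssh(Filter(False, True), outsider))  # knocking only
    print(knock_then_ssh(Filter(True, True), outsider))   # allowlist in front
    print(knock_then_ssh(Filter(True, True), trusted))
```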

Philadelphia Linux Users Group