Rich Kulawiec on 1 Aug 2017 05:50:40 -0700
Re: [PLUG] SSH Hardening : Request for Best Practices
On Thu, Jul 27, 2017 at 09:39:55PM -0400, Robert wrote:
> On 07/26/2017 06:33 PM, Rich Kulawiec wrote:
> > On Wed, Jul 26, 2017 at 12:05:16PM -0400, K.S. Bhaskar wrote:
> > I'd rather go back with the approach I outlined elsewhere in this
> > thread, which prevents most of the Internet from attacking your
> > ssh instance successfully *even if they compromise both factors of your
> > 2FA* because they can't connect.
>
> Have you looked at port knocking then? If they cannot find it they
> cannot break into it.

Yes, I'm well aware of port knocking. However, it's not even close
to as thorough a solution as the one I described, because it still
allows attackers to attempt to connect. So rather than allow random
hosts which will *never* initiate a valid connection to try their luck,
it's much better to just drop their packets on the floor.

Note that this means that even if they figure out the port-knocking
sequence, it won't do them any good until they also figure out what hosts
they can use it from AND gain access to one or more of those hosts.

---rsk
___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
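
The following is an added example, not part of the message above or of the poster's own configuration: a small Python model of an input filter in front of sshd, comparing port knocking alone with a source allowlist checked before any knock state. The approach referred to as outlined elsewhere in the thread is not on this page, so the allowlist, its documentation-range addresses and the knock ports are assumptions.

```python
import ipaddress

# Assumed values for illustration: documentation address ranges, made-up knock ports.
ALLOWED_NETS = [ipaddress.ip_network("192.0.2.0/24"),
                ipaddress.ip_network("198.51.100.17/32")]
KNOCK_SEQUENCE = (7000, 8000, 9000)
SSH_PORT = 22


class PortFilter:
    """Stateful model of the packet filter sitting in front of sshd."""

    def __init__(self, use_allowlist, use_knocking):
        self.use_allowlist = use_allowlist
        self.use_knocking = use_knocking
        self.progress = {}    # source -> number of correct knocks so far
        self.opened = set()   # sources that completed the knock sequence

    def handle(self, src, dport):
        """Return 'ACCEPT' if the packet would reach sshd, otherwise 'DROP'."""
        addr = ipaddress.ip_address(src)
        if self.use_allowlist and not any(addr in net for net in ALLOWED_NETS):
            return "DROP"     # dropped before any knock state is touched
        if dport == SSH_PORT:
            if not self.use_knocking or src in self.opened:
                return "ACCEPT"
            return "DROP"
        if self.use_knocking:
            step = self.progress.get(src, 0)
            if dport == KNOCK_SEQUENCE[step]:
                step += 1
                if step == len(KNOCK_SEQUENCE):
                    self.opened.add(src)
                    step = 0
            else:
                # Wrong port: restart, counting it if it is the first knock.
                step = 1 if dport == KNOCK_SEQUENCE[0] else 0
            self.progress[src] = step
        return "DROP"         # knock packets themselves are never answered


def replay_known_knock(port_filter, src):
    """Model a source that already knows the knock sequence, then tries SSH."""
    for port in KNOCK_SEQUENCE:
        port_filter.handle(src, port)
    return port_filter.handle(src, SSH_PORT)
```

With knocking alone, a source outside the allowlist that knows the sequence reaches sshd; with the allowlist in front, the same packets are dropped and leave no knock state behind.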