gilles at gravier.org
Sun Jan 18 10:12:13 UTC 2009
Steve Lamb wrote:
> Knapp wrote:
>> Not sure what you are trying to say. We are talking about ssh because we
>> need it. Sure, don't run what you don't need.
> So am I. Knockd allows you to close off 22 to everyone, only open it up
> to select IPs, and here's the catch, the entire world for a limited amount of
> time *if needed*.
> It is a port knocking daemon. To get 22 to even respond you have to hit a
> sequence of inactive ports within a limited time frame. When knockd sees that
> sequence it injects an iptables rule which allows everyone into 22 for... 10
> seconds. Then it closes it back down.
> So you need ssh, great! Do you need it to be accessible from the entire
> planet 100% of the time? If so, then this doesn't apply. But most of us here
> don't run machines on which we run a business that grants shell access. That
> means we can close down SSH to everyone, open it up to select few IPs (mine is
> open to 2) and then have knockd as the backup to grant access to the world for
> 10 seconds so we can get in for the rare few times we need to when not at the
> known IPs.
> All of that is before you even get to the password level and trivial to
> set up.
Why not just use digital certificates? Easy to manage, revoke, and no
password to read over the shoulder...
No reason not to leave SSH port 22 open if the security behind it is good.
By using knockd, you are adding an additional layer which isn't strictly
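For readers who have not seen port knocking in action, here is a small simulation of the mechanism Steve describes: a sequence of otherwise-closed ports must be hit in order within a short window, and on success port 22 is opened to everyone for ten seconds and then shut again. This is an added illustration written for this archive, not code from the thread and not knockd's own source; the knock ports 7000/8000/9000, the 5-second sequence timeout, and the IP addresses are made-up values, and the "firewall" is just a list of strings standing in for the iptables rules knockd would really insert and delete.

```python
"""Toy port-knocking gate modelled on the behaviour described in the thread.
Assumed values: knock sequence 7000,8000,9000 (hypothetical), a 5 s sequence
timeout and a 10 s open window. The firewall is simulated as a rule log."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class KnockGate:
    sequence: tuple[int, ...]                   # knock ports, in order
    allow_ips: frozenset[str] = frozenset()     # sources always allowed on 22, no knock needed
    seq_timeout: float = 5.0                    # seconds allowed for the whole sequence
    open_for: float = 10.0                      # seconds the ACCEPT rule stays in place
    firewall: list[str] = field(default_factory=list)                      # simulated iptables log
    _progress: dict[str, tuple[int, float]] = field(default_factory=dict)  # src -> (next idx, t0)
    _open_until: float = -1.0                   # end of the current open window, -1 if closed

    def knock(self, src: str, port: int, now: float) -> bool:
        """Record one SYN from `src` to `port` at time `now`.
        Returns True if this knock completed the sequence (and opened port 22)."""
        self._expire(now)
        pos, started = self._progress.get(src, (0, now))
        if pos > 0 and now - started > self.seq_timeout:
            pos, started = 0, now               # too slow: the attempt starts over
        if port == self.sequence[pos]:
            pos += 1
            if pos == len(self.sequence):
                self._progress.pop(src, None)
                self._open(now)
                return True
            self._progress[src] = (pos, started)
        else:
            # any wrong port resets; hitting the first port again begins a fresh attempt
            self._progress.pop(src, None)
            if port == self.sequence[0]:
                self._progress[src] = (1, now)
        return False

    def is_open(self, now: float) -> bool:
        self._expire(now)
        return self._open_until > now

    def ssh_permitted(self, src: str, now: float) -> bool:
        """Would a SYN to port 22 from `src` get through at time `now`?"""
        return src in self.allow_ips or self.is_open(now)

    def _open(self, now: float) -> None:
        self._open_until = now + self.open_for
        self.firewall.append(f"t={now:.1f} iptables -I INPUT -p tcp --dport 22 -j ACCEPT")

    def _expire(self, now: float) -> None:
        if 0 <= self._open_until <= now:
            self.firewall.append(f"t={now:.1f} iptables -D INPUT -p tcp --dport 22 -j ACCEPT")
            self._open_until = -1.0


def demo() -> dict:
    """Walk through the cases from the thread with constructed traffic."""
    gate = KnockGate(sequence=(7000, 8000, 9000), allow_ips=frozenset({"203.0.113.5"}))
    r = {}
    r["known_ip"] = gate.ssh_permitted("203.0.113.5", 0.0)          # allow-listed: no knock needed
    r["stranger_closed"] = gate.ssh_permitted("198.51.100.9", 0.0)  # everyone else: 22 is closed
    done = False
    for t, port in ((1.0, 7000), (1.5, 8000), (2.0, 9000)):        # right order, within 5 s
        done = gate.knock("198.51.100.9", port, t)
    r["knock_completed"] = done
    r["stranger_open"] = gate.ssh_permitted("198.51.100.9", 3.0)
    # the window is global, so a third party probing 22 in those 10 s also gets through
    r["anyone_during_window"] = gate.ssh_permitted("192.0.2.77", 5.0)
    r["closed_after_timeout"] = gate.ssh_permitted("198.51.100.9", 12.5)
    for t, port in ((20.0, 8000), (20.2, 7000), (20.4, 9000)):     # right ports, wrong order
        gate.knock("192.0.2.77", port, t)
    r["wrong_order"] = gate.is_open(21.0)
    for t, port in ((30.0, 7000), (33.0, 8000), (36.0, 9000)):     # right order, too slow
        gate.knock("192.0.2.77", port, t)
    r["too_slow"] = gate.is_open(37.0)
    r["rule_log"] = list(gate.firewall)
    return r


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `anyone_during_window` case is worth noticing: because the rule Steve describes admits the whole world rather than just the knocker's address, anything scanning 22 during those ten seconds reaches sshd, so the authentication behind the port (keys or passwords) still has to hold on its own. The real knockd expresses the same idea with the `sequence`, `seq_timeout`, `start_command`, `cmd_timeout` and `stop_command` keys in knockd.conf.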