[Melbourne-pm] Knockd for Web

Sam Watkins sam at nipl.net
Tue Jun 2 06:24:16 PDT 2009


On Mon, Jun 01, 2009 at 10:03:38PM -0500, scottp at dd.com.au wrote:
>     http://special.host/1137
>     http://special.host/1199
>     http://special.hsot/4922

I don't really like the idea of port knocking because anyone who can
snoop your network can easily discover what ports or urls you are using.
That includes ISPs at both ends and some in between, intelligence
agencies, colleagues at work, anyone on the same LAN segment, etc.

Scott, maybe you could do your idea over https? But an https server is
heavy machinery.

I would much rather "knock" by connecting with ssh or https first and
then typing my extra codes there if necessary.  I have a patch for sshd
on my website which implements "exponential backoff" to prevent
brute-force attacks.  You could also protect it using fail2ban +
iptables.

People at your ISPs could still pretend to be you after you have knocked
by spoofing IP addresses, so it's important of course to use crypto
after that too.

I guess the advantage of knockd is that you can easily "knock" with a
web browser or telnet or whatever; you don't need a special client which
does crypto. (But ssh/putty is very portable, and you'll most likely be
needing it anyway.)

Sam
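The snooping objection above is easy to make concrete. The following is an added example, not code from the thread or from knockd: it assumes a hypothetical web-knock server that opens a port once a client requests a fixed sequence of paths on `special.host` within a short window, and it runs a passive observer (anyone on the path, as Sam says) over a constructed plaintext HTTP capture. The four-digit knock paths, the `5.0` second window and all IP addresses are assumptions made for the demonstration; the only thing taken from the thread is the shape of the quoted URLs.

```python
"""Passive recovery of a web 'knock' sequence from captured plaintext HTTP.

Added example, not from the original thread or from knockd. Assumes a
hypothetical knock server that opens a port after a client requests a fixed
sequence of four-digit paths within a few seconds; the capture below is
constructed, not recorded.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed capture: (timestamp, src_ip, request line, Host header).
# For plain HTTP this is exactly what an ISP or LAN neighbour can see.
CAPTURE = [
    (1.0, "203.0.113.7",  "GET /1137 HTTP/1.1",        "special.host"),
    (1.3, "203.0.113.7",  "GET /1199 HTTP/1.1",        "special.host"),
    (1.6, "203.0.113.7",  "GET /4922 HTTP/1.1",        "special.host"),
    (2.0, "198.51.100.9", "GET /index.html HTTP/1.1",  "special.host"),
    (2.5, "203.0.113.7",  "GET /favicon.ico HTTP/1.1", "special.host"),
    (9.0, "198.51.100.9", "GET /1137 HTTP/1.1",        "special.host"),
]

# Assumption: knock URLs look like the quoted ones, a bare four-digit path.
KNOCK_PATH = re.compile(r"^/\d{4}$")


def extract_knock_candidates(capture, host: str = "special.host",
                             window: float = 5.0) -> Dict[str, List[str]]:
    """Per source IP, the knock-looking paths requested to `host` within
    `window` seconds of that client's first knock-looking request."""
    per_ip: Dict[str, List[Tuple[float, str]]] = defaultdict(list)
    for ts, src, request_line, h in capture:
        if h != host:
            continue
        method, path, _version = request_line.split(" ", 2)
        if method == "GET" and KNOCK_PATH.match(path):
            per_ip[src].append((ts, path))
    sequences: Dict[str, List[str]] = {}
    for src, hits in per_ip.items():
        start = hits[0][0]
        sequences[src] = [p for ts, p in hits if ts - start <= window]
    return sequences


def recovered_knock(capture, min_len: int = 3) -> Optional[List[str]]:
    """The first client that sends at least `min_len` knock paths in one
    window has just handed the observer the whole sequence."""
    for _src, seq in extract_knock_candidates(capture).items():
        if len(seq) >= min_len:
            return seq
    return None


def replay_urls(sequence: List[str], host: str = "special.host") -> List[str]:
    """What the observer would type into any browser or curl to repeat it."""
    return [f"http://{host}{p}" for p in sequence]


def visible_over_tls(capture) -> List[Tuple[str, str]]:
    """Over https the same observer still sees who talked to which host
    (the host name leaks via SNI), but no paths, so no knock sequence."""
    return sorted({(src, h) for _ts, src, _req, h in capture})


if __name__ == "__main__":
    seq = recovered_knock(CAPTURE)
    print("knock sequence recovered from plaintext capture:", seq)
    for url in replay_urls(seq or []):
        print("  replay:", url)
    print("what the same observer sees over https:", visible_over_tls(CAPTURE))
```

The observer needs no key material and no active position on the path; a copy of the packets is enough, which is the whole of the objection to plaintext knocking. Moving the knock under https removes the path from view, though the host name and the fact of the connection remain, and as the message notes you still need real crypto on the connection you open afterwards.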

