Re: Somebody is keep trying to ssh into my systems, how can I stop that?



responder wrote:

You are mistaken if you think your "secure", portknocking protected ssh
connection is immune to intrusion and hijacking. And it would be
irresponsible to be more highly specific here in details. So I won't say
any more than to just simply answer your question.

The challenge/response nature of public key authentication would
mitigate any attempt at a MITM attack on SSH itself. Although, it
_could_ allow an attacker to circumvent port knocking and give them an
open port. I only say 'could', because it is dependent on the
implementation of the particular port knocking scheme itself, which in
my own opinion leads to the 'obscurity' of port knocking, which is in
effect, only a password based authentication mechanism, as Ertugrul
touched on earlier. Who also mentioned in the case of buffer overflow
exploits; that these can be mitigated by using grsecurity, PaX, and/or
SELinux.

left_coast wrote:

How many netfilter exploits that can successfully attack CLOSED PORTS have
been reported vs. buffer overflow attacks of an open ssh port???? Go count
them up bub, and let me know the results, I'm sure you'll start to discover
why I believe the way I do.

The object of security is not only to protect against remote privilege
escalation, but also to protect system stability and usability. Hence
my next point, would be the possibility of DoS attacks against the port
knocking daemon itself, since it has to listen for the port 'knocks';
regardless of the packets having been dropped, it still needs to
process them.

Taking into consideration the above factors, it still comes down to
user preference, and the trade-off between usability and security. For
example; large corporate environments would find port-knocking rather
cumbersome, and would prefer to use an 'out-of-band' administrative
interface.

Cheers, Joel.
