top | item 24446333


ThA0x2 | 5 years ago

>But SSH is a terrible example, because the cost to the defender of simply not having SSH vulnerabilities is the same, or even less, than the cost of obfuscating it with nonstandard ports, "port knocking", or fail2ban, which are all silly ideas.

This just shows how ignorant you (and most) are on the topic of port knocking.

SPA port knocking is cryptographically secure and does not suffer from replay attacks.

Similarly, it defends you against 0-day hacks, and greatly increases your signal-to-noise ratio. With port knocking, ANY failed attempt is super suspicious. Before you'd get hundreds of attempts a day.


cthalupa | 5 years ago

>This just shows how ignorant you (and most) are on the topic of port knocking.

You, uh, do know who you're replying to, right? https://sockpuppet.org/me/ if not. I don't mention this to go "lol he must be right because of who he is", but calling a well-respected security researcher with plenty of real-world street cred ignorant is a bit much.

>SPA port knocking is cryptographically secure and does not suffer from replay attacks.

SPA port knocking doesn't suffer from passive replay attacks, but it does suffer from block and replay attacks. An active MITM can still get you.

His suggestion hasn't been "if you care about security just don't do port knocking"; his suggestion has been "if you care about security just throw up a VPN, it'll be more secure and just as much work".
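An added example, not from either commenter: a minimal SPA-style knock (timestamp, random nonce, client id, HMAC-SHA256 tag) with the server-side checks that stop forgery and passive replay, and a second run showing why those checks cannot stop block-and-replay: if the attacker drops the client's packet and delivers the captured copy later within the time window, the nonce has never been consumed and the packet verifies. Key, client id and clock values are constructed for the demo.

```python
import hashlib
import hmac
import os
import struct

KEY = b"constructed-demo-shared-secret"  # constructed; not a real deployment key
TAG_LEN = 32  # HMAC-SHA256 output size

def make_knock(key: bytes, client_id: bytes, now: int) -> bytes:
    """Client side: timestamp || nonce || client_id || HMAC(key, all of that)."""
    payload = struct.pack(">Q", now) + os.urandom(8) + client_id
    return payload + hmac.new(key, payload, hashlib.sha256).digest()

class SpaServer:
    """Server side: verify MAC, reject stale packets, remember seen nonces."""
    def __init__(self, key: bytes, window: int = 30):
        self.key, self.window, self.seen = key, window, set()

    def verify(self, packet: bytes, now: int) -> str:
        payload, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return "bad_mac"        # forged or tampered packet
        (ts,) = struct.unpack(">Q", payload[:8])
        if abs(now - ts) > self.window:
            return "stale"          # outside the freshness window
        nonce = payload[8:16]
        if nonce in self.seen:
            return "replay"         # same packet already accepted once
        self.seen.add(nonce)
        return "ok"

def demo() -> tuple:
    # Scenario 1: legitimate knock, then a passive eavesdropper replays it.
    server = SpaServer(KEY)
    pkt = make_knock(KEY, b"alice", now=1_000_000)
    first = server.verify(pkt, now=1_000_000)            # "ok"
    passive_replay = server.verify(pkt, now=1_000_010)   # "replay": nonce consumed
    tampered = pkt[:-1] + bytes([pkt[-1] ^ 1])
    forged = server.verify(tampered, now=1_000_010)      # "bad_mac"
    # Scenario 2: active MITM blocks the client's packet so the server never
    # sees it, then forwards the captured copy within the window.
    server2 = SpaServer(KEY)
    blocked_pkt = make_knock(KEY, b"alice", now=1_000_000)  # never delivered
    block_and_replay = server2.verify(blocked_pkt, now=1_000_020)  # "ok"
    return first, passive_replay, forged, block_and_replay
```

The last result is the point of the comment above: nonce caching and time windows authenticate the packet, not the party delivering it, so only a channel that binds the knock to a live session (a VPN or mutually authenticated tunnel) closes the gap.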

ThA0x2 | 5 years ago

[deleted]