Re: idea for improving security
On Tue May 06, 2003 at 01:0724PM -0500, Mark Edgington wrote:
> Hi,
> I'm not sure whether this idea has been considered or implemented
> anywhere, but I have been thinking about it, and believe it would provide a
> fairly high-level of security for systems which only run a few public
> services. The gist of it is this:
> incorporate functionality into inetd/xinetd/rinetd which listens for a
> predefined sequence of connection attempts on certain ports. Upon noticing
> the correct sequence (as specified somewhere in the config file), it opens
> up certain ports (i.e. SSH) for a specified amount of time or for the next
> connection attempt only.
I remember discussing this topic a while ago in a German usenet group. I
didn't reread the posts now, but all I remember is that it all resulted
in "rubbish", for a few reasons:
- You're using port connects as a means of password, and this password is
usually unencrypted, thus can be watched by anyone on the net
- it's security by obscurity, and that usually doesn't work
- you're getting a new component in the user authentication, that just
adds complexity without a real gain in security
I think the main goal should be to have only secure services on a
server, and not to disguise insecure ones in an obscure way. If you
think SSH (or any other component) is not trustworthy, just look for
alternatives (or create them yourself).
--
Michael Bergbauer <michael@noname.franken.de>
use your idle CPU cycles - See http://www.distributed.net for details.
Visit our mud Geas at geas.franken.de Port 3333
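The mechanism Mark proposes, written out as an added example for this thread (it is not code from inetd, xinetd, rinetd or from either poster). It assumes a constructed firewall-style log of refused connection attempts, and the knock sequence, time window and open duration are made-up values. It implements both variants quoted above: open the protected port for a fixed time, or for the next connection attempt only. The constructed log also makes Michael's first objection concrete: the "password" is just the port numbers, visible in cleartext to anyone who can read the same log or the same wire.

```python
"""Port-knock gate modelled on the scheme quoted in the thread.

Added example, not code from inetd/xinetd/rinetd or either poster. It
assumes a stream of (timestamp, source address, destination port) events
such as a host firewall logs for refused SYNs. All values are constructed.
"""
from dataclasses import dataclass


@dataclass
class Knocker:
    """Per-source progress through the knock sequence."""
    progress: int = 0        # how many knocks of the sequence have matched so far
    started_at: float = 0.0  # timestamp of the first matching knock


class KnockGate:
    def __init__(self, sequence, window, open_for, one_shot=False):
        self.sequence = tuple(sequence)  # assumed secret port sequence
        self.window = window             # seconds allowed for the whole sequence
        self.open_for = open_for         # seconds the protected port stays open
        self.one_shot = one_shot         # close again after the first admitted connection
        self.pending = {}                # src -> Knocker
        self.opened = {}                 # src -> expiry timestamp

    def knock(self, ts, src, port):
        """Feed one refused connection attempt; True when it completes the sequence."""
        state = self.pending.get(src, Knocker())
        if state.progress and ts - state.started_at > self.window:
            state = Knocker()                            # too slow: start over
        if port == self.sequence[state.progress]:
            if state.progress == 0:
                state.started_at = ts
            state.progress += 1
        elif port == self.sequence[0]:
            state = Knocker(progress=1, started_at=ts)   # wrong knock, but a fresh start
        else:
            state = Knocker()                            # wrong knock: reset
        if state.progress == len(self.sequence):
            self.opened[src] = ts + self.open_for
            self.pending.pop(src, None)
            return True
        if state.progress:
            self.pending[src] = state
        else:
            self.pending.pop(src, None)
        return False

    def admit(self, ts, src):
        """Decide whether a connection to the protected port from src is allowed now."""
        expiry = self.opened.get(src)
        if expiry is None or ts > expiry:
            self.opened.pop(src, None)
            return False
        if self.one_shot:
            del self.opened[src]   # "for the next connection attempt only"
        return True


# Constructed firewall-style log of refused SYNs (not real data). Note that the
# knock sequence 7000, 8000, 9000 is readable here in the clear.
LOG = """\
1000.0 DROP SRC=192.0.2.10 DPT=7000
1001.0 DROP SRC=192.0.2.10 DPT=8000
1002.0 DROP SRC=192.0.2.10 DPT=9000
1003.0 DROP SRC=198.51.100.7 DPT=7000
1020.0 DROP SRC=198.51.100.7 DPT=8000
1021.0 DROP SRC=198.51.100.7 DPT=9000
"""


def parse(line):
    ts, _, src, dpt = line.split()
    return float(ts), src.split("=")[1], int(dpt.split("=")[1])


def run_demo():
    """Replay the constructed log through a one-shot gate and report what it decides."""
    gate = KnockGate((7000, 8000, 9000), window=10.0, open_for=30.0, one_shot=True)
    completed = [src for ts, src, port in map(parse, LOG.splitlines())
                 if gate.knock(ts, src, port)]
    return {
        "completed": completed,                          # sources that knocked correctly
        "first_ssh": gate.admit(1005.0, "192.0.2.10"),   # admitted once
        "second_ssh": gate.admit(1006.0, "192.0.2.10"),  # one-shot: already consumed
        "slow_knocker": gate.admit(1022.0, "198.51.100.7"),  # missed the 10 s window
    }


if __name__ == "__main__":
    print(run_demo())
```

The state machine is per source address, so two hosts knocking at once do not interfere; the second host in the log fails only because its second knock arrives outside the window.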