To: gentoo-user@lists.gentoo.org
From: Martin Vaeth
Subject: [gentoo-user] Re: scripted iptables-restore
Date: Mon, 14 Oct 2013 11:49:48 +0000 (UTC)

Michael Orlitzky wrote:

> Port knocking is cute, but imparts no extra security.

It does, for instance if you use it to protect sshd and sshd turns out to be vulnerable; remember e.g. the security disaster with Debian.

> A better, secure way to achieve the same goal is with OpenVPN.

Using yet another service with possible holes to protect an sshd? In this case, I would like port knocking at least for this OpenVPN.

> In this case, the absolute worst that could happen is that an attacker
> gains access to every open port on your system. While this is bad, it's
> not a clever new vulnerability: it's all of the old ones that were
> already there.

It is exactly the kind of attack for which one usually uses iptables. You are right, iptables is just one extra step of security, so the worst thing which can happen is that this step is useless. However, if you are willing to risk this only because of your own laziness in scripting, then why do you set up iptables in the first place?

> If there are insecure daemons listening on public addresses

The problem is that nobody can be sure that some daemon is safe. Even presumably safe services turn out to be victims of new kinds of attacks, occasionally.
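The "extra step" argued for above, written as a scripted iptables-restore ruleset rather than a chain of iptables calls; this is an added example, not from the thread, and the knock ports (7000, 8000, 9000), the 10 s and 30 s windows and the list names are constructed values. It uses the xt_recent match so that port 22 only answers to a source that has just completed the sequence; to everyone else, sshd looks closed even if it has a bug.

```text
# Load with: iptables-restore < rules.v4   (example ruleset, not the thread's)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# One user-defined chain per knock stage (constructed names)
:KNOCK1 - [0:0]
:KNOCK2 - [0:0]
:KNOCK3 - [0:0]

-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Final gate: a new SSH connection is accepted only from a source that
# finished the sequence within the last 30 s (--reap drops stale entries).
-A INPUT -p tcp --syn --dport 22 -m recent --rcheck --seconds 30 --reap --name KNOCK3 -j ACCEPT

# Knock sequence 7000 -> 8000 -> 9000; each stage is only reachable from
# the previous one and only within 10 s.  Order matters: later stages first.
-A INPUT -p tcp --syn --dport 9000 -m recent --rcheck --seconds 10 --name KNOCK2 -j KNOCK3
-A INPUT -p tcp --syn --dport 8000 -m recent --rcheck --seconds 10 --name KNOCK1 -j KNOCK2
-A INPUT -p tcp --syn --dport 7000 -j KNOCK1

# Stage chains: record the source in the list for this stage, forget the
# previous stage, and drop the knock packet itself (it never gets a reply).
-A KNOCK1 -m recent --name KNOCK1 --set -j DROP
-A KNOCK2 -m recent --name KNOCK1 --remove
-A KNOCK2 -m recent --name KNOCK2 --set -j DROP
-A KNOCK3 -m recent --name KNOCK2 --remove
-A KNOCK3 -m recent --name KNOCK3 --set -j DROP

# Everything else falls through to the INPUT policy (DROP).
COMMIT
```

The current state of each list can be inspected under /proc/net/xt_recent/ (one file per --name), which is also where a stuck or unexpected entry would show up.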