
I wouldn't focus on "security" when it comes to port-knocking.

There are benefits beyond security: for example, fewer strange login attempts mean less clutter in your logs. If you're actually trying to investigate login attempts (don't!), it means less time wasted.

The "security by obscurity" screaming people are usually thinking too narrowly, in my opinion.




In discussions of port knocking and SPA among my security friends, it always comes down to this argument: cleaning up the logs. Why not just alter the way SSH logs? Perhaps it can just log once every couple of minutes, "yes, people are still probing this server".

Here's a simple example:

Running sshd on port 22, seeing repeated authentication failures in the logs. Conclusion: business as usual for sitting on the internet. Signal-to-noise ratio: almost 0.

Running sshd on port $RANDOM, seeing ANY authentication failures in the logs. Conclusion: someone is specifically targeting me or my network; I might want to pay some attention to this. Signal-to-noise ratio: 1.
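The two ideas in this comment (collapse the constant failed-login noise into a periodic "people are still probing" summary, and treat any failure on a non-default port as a signal worth a look) can be done today on top of ordinary sshd logs. The script below is an added example, not something posted in the thread; the log lines, the two-minute window, the year it assumes for syslog timestamps and the threshold of three failures per source are all constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample sshd log (syslog format); not taken from the thread.
SAMPLE_LOG = """\
Mar 10 10:00:01 host sshd[1001]: Failed password for root from 203.0.113.5 port 51000 ssh2
Mar 10 10:00:05 host sshd[1002]: Failed password for invalid user admin from 203.0.113.5 port 51002 ssh2
Mar 10 10:00:40 host sshd[1003]: Failed password for root from 198.51.100.7 port 40000 ssh2
Mar 10 10:01:10 host sshd[1004]: Accepted publickey for alice from 192.0.2.10 port 50010 ssh2
Mar 10 10:03:30 host sshd[1005]: Failed password for root from 203.0.113.5 port 51010 ssh2
Mar 10 10:03:45 host sshd[1006]: Failed password for invalid user test from 203.0.113.9 port 33000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse(log_text, year=2024):
    """Turn sshd auth lines into (timestamp, result, user, source) tuples.
    Syslog lines carry no year, so one is supplied (assumption)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated sshd chatter
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["src"]))
    return events


def summarize(events, window=timedelta(minutes=2)):
    """Collapse failures into one record per window: the 'log once every couple of
    minutes that people are still probing' idea from the thread."""
    summaries = []
    current = None
    for ts, result, _user, src in sorted(events):
        if result != "Failed":
            continue
        if current is None or ts >= current["start"] + window:
            current = {"start": ts, "failures": 0, "sources": set()}
            summaries.append(current)
        current["failures"] += 1
        current["sources"].add(src)
    for s in summaries:
        s["sources"] = len(s["sources"])
    return summaries


def attention_needed(events, listen_port, noise_threshold=3):
    """Sources worth a look. On port 22 background brute forcing is expected, so only
    sources at or above the threshold are returned; on a non-default port any failure
    is unusual, so every failing source is returned (the signal-to-noise point above)."""
    counts = {}
    for _ts, result, _user, src in events:
        if result == "Failed":
            counts[src] = counts.get(src, 0) + 1
    if listen_port == 22:
        return sorted(s for s, n in counts.items() if n >= noise_threshold)
    return sorted(counts)


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for s in summarize(evs):
        print(f"{s['start']:%H:%M}: {s['failures']} failed logins from {s['sources']} sources")
    print("port 22:", attention_needed(evs, 22))
    print("port 2222:", attention_needed(evs, 2222))
```

Run it against `journalctl -u ssh` or `/var/log/auth.log` output instead of the embedded sample and the summary lines are what you would ship to a dashboard, while the per-source list is what you would actually alert on.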


Running on a random port isn't the same as using port knocking; if you're on a random port you'll get hit anyway (I think it falls under 'business as usual for sitting on the Internet'). Port knocking & single-packet authorisation, though, do provide some protection: if you get a failed login attempt via PK/SPA-protected SSH, then you know you're targeted (and also, your PK/SPA key is bad).

> if you're on a random port you'll get hit anyway

No, you really won't.


You might. Some attackers scan all ports.

Not for the whole internet, no.

They actually do, just somewhat later than targeted ones. No need to scan the whole of the internet either, just subnets you haven't violated already. Or use DNS for major targets.

I've allegedly been involved in operating some of the largest *nix botnets ever, and certainly haven't seen anyone do that.

Scanning every single port on /0 simply takes way too much time even with millions of nodes; you're much better off improving your coverage over the common ports and catching new (and old) equipment coming online.

Of course, this wouldn't necessarily be true with the "preauth opensshd 0day" brought up in TFA. Such an exploit would certainly give you more than enough BW to do whatever you want, and break the internet while doing it.


> if you're on a random port you'll get hit anyway

Nope. At least, not frequently enough to make a lucky guess more likely than a concerted attempt. Not one auth attempt since I switched the SSH port, and this is for a public-facing website, too.


You know, there are way less hacky solutions to this problem than SSH logs. Set up iptables to log scan attempts specifically targeting your server.
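Once iptables is logging unsolicited SYNs, the kernel log becomes the place to tell a port sweep apart from someone knocking on one specific closed port (for instance the old port 22 after SSH has been moved). The following is an added example, not part of this comment or the thread: the iptables rule in the comment block and the kernel log excerpt are constructed, and the threshold of five distinct ports for calling something a scan is an assumption.

```python
import re
from collections import defaultdict

# Assumed iptables rule (not from the thread) that produces lines like the sample
# below. Placed after the ACCEPT rules for the services you actually run, it only
# sees SYNs to ports nothing listens on, and the limit match keeps the log itself
# from being flooded:
#   iptables -A INPUT -p tcp --syn -m limit --limit 10/min --limit-burst 20 \
#            -j LOG --log-prefix "PORTSCAN: "

# Constructed kernel log excerpt in the netfilter LOG target's format.
SAMPLE_KLOG = """\
Mar 10 10:00:01 host kernel: PORTSCAN: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=54321 DPT=21 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 10 10:00:01 host kernel: PORTSCAN: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=54322 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 10 10:00:01 host kernel: PORTSCAN: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=54323 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 10 10:00:02 host kernel: PORTSCAN: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=54324 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 10 10:00:02 host kernel: PORTSCAN: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=54325 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 10 10:00:02 host kernel: PORTSCAN: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=54326 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 10 10:00:03 host kernel: PORTSCAN: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=54327 DPT=3389 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 10 10:00:03 host kernel: PORTSCAN: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=54328 DPT=8080 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 10 10:05:10 host kernel: PORTSCAN: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 10 10:05:40 host kernel: PORTSCAN: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 10 10:09:00 host kernel: PORTSCAN: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.77 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=TCP SPT=51000 DPT=3306 WINDOW=64240 RES=0x00 SYN URGP=0
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_kernel_log(text, prefix="PORTSCAN: "):
    """Extract source address and destination port from LOG-target lines
    carrying our prefix; anything else in the kernel log is ignored."""
    records = []
    for line in text.splitlines():
        marker = line.find(prefix)
        if marker < 0:
            continue
        fields = dict(FIELD_RE.findall(line[marker + len(prefix):]))
        if fields.get("PROTO") != "TCP" or " SYN " not in line:
            continue  # only new connection attempts are interesting here
        records.append({"src": fields["SRC"], "dport": int(fields["DPT"])})
    return records


def classify_sources(records, scan_threshold=5):
    """Group hits by source: many distinct closed ports from one address is a
    sweep ('scan'); one or two ports is someone aiming at a specific service ('probe')."""
    ports = defaultdict(set)
    for r in records:
        ports[r["src"]].add(r["dport"])
    return {
        src: {"ports": sorted(p), "kind": "scan" if len(p) >= scan_threshold else "probe"}
        for src, p in ports.items()
    }


def probes_of(classified, port):
    """Sources that hit exactly this closed port without sweeping around it,
    e.g. who still knocks on 22 after sshd has been moved elsewhere."""
    return sorted(s for s, c in classified.items()
                  if c["kind"] == "probe" and port in c["ports"])


if __name__ == "__main__":
    classes = classify_sources(parse_kernel_log(SAMPLE_KLOG))
    for src, c in classes.items():
        print(f"{src}: {c['kind']} on ports {c['ports']}")
    print("single-port probes of 22:", probes_of(classes, 22))
```

Feed it `journalctl -k` or `/var/log/kern.log` instead of the sample. The scan-versus-probe split is the useful part: sweeps are the background noise the thread talks about, while a lone probe of a port you deliberately closed is the rare line worth reading.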
