Netgate Discussion Forum
    Single Packet Auth, Port Knocking…

    General pfSense Questions
    6 Posts 3 Posters 3.8k Views
    • Sensimilla

      Hi.

      I'm wishing to use Single Packet Encrypted port knocking to open a port for 30 seconds for
      connections (ssh).

      I know I can do this with a dedicated Debian machine; can I accomplish this with pfSense somehow?

      I am not familiar enough with BSD, only Linux.

      Thank you.
      Sens.

      • GruensFroeschli

        This is not possible.
        Obscuration is no security.

        Search the forum since it has been discussed before why this is a bad idea.

        Edit: It's not possible through the GUI.
        As cry havok wrote: you can install whatever you could install on a normal FreeBSD.

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

        • Sensimilla

          Thank you, I have searched the forums but I couldn't
          find a suitable explanation why an encrypted single packet in
          addition to a suitable password for an SSH daemon would
          'not' be a good idea.

          Would you please reference?

          Also, is it 'not' possible because one cannot add programs to the pfSense
          default install?

          Thank you.

          • Cry Havok

            As you'd know if you looked at the basic description of pfSense, you can add programs to pfSense. You can install any existing FreeBSD package for the underlying version of FreeBSD that the version of pfSense you have uses. The only one I can see in the ports tree that looks viable (i.e. not vulnerable to replay attacks) is fwknop.

            Also, you should use only keys for publicly accessible SSH daemons (whether or not you're trying to hide them by port knocking).  That way you remove the ability for anybody to brute force a password if/when your port knocking daemon fails ;)

            I'd also disagree slightly with GruensFroeschli - by itself obscurity is not security.  However when used in conjunction with "real" security it can (but does not always) improve security.  In this case while port knocking reduces the risk of the SSH daemon being exploited in some way, it adds another daemon that may have vulnerabilities.  That risk may be worthwhile, it may not be.

            • GruensFroeschli
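            The replay point above is the one that separates plain port knocking from single packet authorization. The following is an added illustration, not code from this thread, from pfSense or from fwknop: a stateless knock-sequence check that accepts any repeat of the sequence, next to a minimal SPA verifier that binds each packet to a timestamp and a one-time nonce under an HMAC, so a captured packet is rejected when it is presented again or after the window closes. The shared key, the 30-second window, the packet layout and the sample values are all constructed for the example.

```python
import hashlib
import hmac
import json
import os

# Constructed demo values; a real deployment would provision the key out of band.
KEY = b"constructed-shared-secret-for-the-example"
WINDOW_SECONDS = 30
KNOCK_SEQUENCE = [7000, 8000, 9000]  # constructed "secret" port sequence


def naive_knock_ok(observed_ports):
    """Classic port knocking: accept when the observed sequence matches.

    Nothing here changes between attempts, so the same sequence is accepted
    every time it is presented; an observer who records it once can repeat it.
    """
    return list(observed_ports) == KNOCK_SEQUENCE


def build_packet(key, source_ip, port, now, nonce=None):
    """Build an authenticated SPA packet: JSON body + '.' + hex HMAC-SHA256."""
    nonce = nonce or os.urandom(16).hex()
    body = {"ts": int(now), "nonce": nonce, "src": source_ip, "port": int(port)}
    payload = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    return payload + b"." + tag


class SpaVerifier:
    """Verifies SPA packets and refuses replays inside the acceptance window."""

    def __init__(self, key, window=WINDOW_SECONDS):
        self.key = key
        self.window = window
        self.seen = {}  # nonce -> timestamp at which it was accepted

    def verify(self, packet, now):
        # The tag is hex, so the last '.' is always the separator even though
        # the JSON body contains dotted IP addresses.
        try:
            payload, tag = packet.rsplit(b".", 1)
        except ValueError:
            return False, "malformed"
        expected = hmac.new(self.key, payload, hashlib.sha256).hexdigest().encode()
        # Check the MAC before parsing anything attacker-controlled.
        if not hmac.compare_digest(expected, tag):
            return False, "bad-mac"
        body = json.loads(payload)
        if abs(now - body["ts"]) > self.window:
            return False, "stale"
        # Nonces older than the window can never validate again (they are
        # stale), so they can be dropped to keep the replay cache bounded.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        if body["nonce"] in self.seen:
            return False, "replay"
        self.seen[body["nonce"]] = body["ts"]
        return True, "open port %d for %s" % (body["port"], body["src"])


if __name__ == "__main__":
    v = SpaVerifier(KEY)
    pkt = build_packet(KEY, "203.0.113.5", 22, now=1000)
    print(v.verify(pkt, 1000))   # accepted
    print(v.verify(pkt, 1001))   # same packet again: replay
    print(v.verify(pkt, 1100))   # outside the window: stale
    print(naive_knock_ok(KNOCK_SEQUENCE), naive_knock_ok(KNOCK_SEQUENCE))  # True True
```

The verifier keeps only the nonces that are still inside the window, which is enough because anything older fails the timestamp check first; that bounded cache is what lets a single packet authorize exactly once. The naive check, by contrast, has no state to consult, which is the property the thread is warning about.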

              I was referring to the threads you find with the search function with the keyword "port knocking".
              Like this one: http://forum.pfsense.org/index.php/topic,4168.30.html

              I agree with everything you said Cry Havok.
              Of course you always have to look at the whole picture.
              I was more generally speaking that port knocking alone is not secure.

              We do what we must, because we can.

              Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

              • Sensimilla

                Thank you both for your comments and direction,

                I am facing a lot to consider in evaluating the benefits of using BSD vs. a pre-configured Linux firewall/router system or a dedicated Debian box.

                Although I've already downloaded, read the FAQs and installed previous versions of pfSense,
                I'm still having a difficult time assessing the merits of pfSense (other than a higher history of security),
                in comparing it to a devoted Debian box or another pre-configured Linux firewall/router solution.

                Sens

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.