Single Packet Auth, Port Knocking…



  • Hi.

    I'm wishing to use Single Packet Encrypted port knocking to open a port for 30 seconds for
    connections (SSH).

    I know I can do this with a dedicated Debian machine, can I accomplish this with pfSense somehow?

    I am not familiar enough with BSD, only Linux.

    Thank you.
    Sens.



  • This is not possible.
    Obscuration is no security.

    Search the forum since it has been discussed before why this is a bad idea.

    Edit: It's not possible through the GUI.
    As cry havok wrote: you can install whatever you could install on a normal FreeBSD.



    Thank you, I have searched the forums but I couldn't
    find a suitable explanation why an encrypted single packet in
    addition to a suitable password for an SSH daemon would
    'not' be a good idea.

    Would you please reference?

    Also, is it 'not' possible because one cannot add programs to the pfSense
    default install?

    Thank you.



    As you'd know if you looked at the basic description of pfSense, you can add programs to pfSense.  You can install any existing FreeBSD package for the underlying version of FreeBSD that the version of pfSense you have uses.  The only one I can see in the ports tree that looks viable (i.e. not vulnerable to replay attacks) is fwknop.

    Also, you should use only keys for publicly accessible SSH daemons (whether or not you're trying to hide them by port knocking).  That way you remove the ability for anybody to brute force a password if/when your port knocking daemon fails ;)

    I'd also disagree slightly with GruensFroeschli - by itself obscurity is not security.  However when used in conjunction with "real" security it can (but does not always) improve security.  In this case while port knocking reduces the risk of the SSH daemon being exploited in some way, it adds another daemon that may have vulnerabilities.  That risk may be worthwhile, it may not be.
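The replay resistance Cry Havok points to is what separates Single Packet Authorization from a plain knock sequence. The Python below is an added illustration, not part of the thread and not fwknop's code: it models the authentication and anti-replay checks an SPA daemon performs, using HMAC-SHA256 from the standard library (fwknop additionally encrypts the payload and drives the firewall; both are left out here), next to a classic knock sequence, and shows an eavesdropper's capture being rejected by the first and accepted by the second. The key, addresses, ports and the 120-second clock-skew tolerance are constructed for the example.

```python
import hashlib
import hmac
import json
import os
import time

TAG_LEN = 32         # HMAC-SHA256 tag appended to every SPA body
ACCESS_WINDOW = 30   # seconds the port stays open, as asked in the thread
MAX_SKEW = 120       # tolerated client/server clock drift in seconds (assumed)


def build_spa_packet(key, src_ip, port, proto="tcp", now=None):
    """Client side: one authenticated SPA datagram carrying a fresh nonce."""
    ts = int(time.time()) if now is None else now
    body = json.dumps({"ts": ts, "nonce": os.urandom(16).hex(), "src": src_ip,
                       "port": port, "proto": proto}, sort_keys=True).encode()
    return body + hmac.new(key, body, hashlib.sha256).digest()


class SpaServer:
    """Server side: authenticate SPA packets and keep timed allow rules."""
    def __init__(self, key, window=ACCESS_WINDOW, skew=MAX_SKEW):
        self.key, self.window, self.skew = key, window, skew
        self.seen = {}        # sha256(packet) -> time after which it is stale anyway
        self.open_rules = []  # (src, proto, port, expires_at)

    def _expire(self, now):
        self.seen = {d: t for d, t in self.seen.items() if t >= now}
        self.open_rules = [r for r in self.open_rules if r[3] > now]

    def handle(self, packet, observed_src, now):
        """Return (accepted, reason); an accepted packet adds a timed rule."""
        self._expire(now)
        if len(packet) <= TAG_LEN:
            return False, "too short"
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant time, before any parsing
            return False, "bad hmac"
        try:
            f = json.loads(body)
            ts, src, port, proto = int(f["ts"]), f["src"], int(f["port"]), f["proto"]
        except (ValueError, KeyError, TypeError):
            return False, "malformed"
        if abs(now - ts) > self.skew:
            return False, "stale timestamp"
        if src != observed_src:             # packet is bound to the address it came from
            return False, "source address mismatch"
        digest = hashlib.sha256(packet).hexdigest()
        if digest in self.seen:             # identical bytes again: a replayed capture
            return False, "replay"
        self.seen[digest] = ts + self.skew  # keep until the timestamp check rejects it anyway
        self.open_rules.append((src, proto, port, now + self.window))
        return True, f"open {proto}/{port} for {src} for {self.window}s"

    def is_open(self, src, port, now, proto="tcp"):
        return any(r[:3] == (src, proto, port) and r[3] > now for r in self.open_rules)


class KnockServer:
    """Classic port knocking: the secret is the port sequence, sent in the clear."""
    def __init__(self, sequence, window=ACCESS_WINDOW):
        self.sequence, self.window = list(sequence), window
        self.progress, self.open_until = {}, {}    # per-source knock index / expiry

    def knock(self, src, port, now):
        """Record one knock; return whether src is currently allowed in."""
        i = self.progress.get(src, 0)
        if port == self.sequence[i]:
            i += 1
        else:                                       # a wrong knock restarts the sequence
            i = 1 if port == self.sequence[0] else 0
        if i == len(self.sequence):
            self.open_until[src] = now + self.window
            i = 0
        self.progress[src] = i
        return self.open_until.get(src, 0) > now


def demo(now=1_700_000_000):
    """Constructed scenario: a legitimate client, then an eavesdropper replaying."""
    key = b"constructed-demo-key-do-not-reuse"      # shared secret, demo only
    client, sniffer = "198.51.100.7", "203.0.113.9"  # RFC 5737 documentation addresses
    spa = SpaServer(key)
    pkt = build_spa_packet(key, client, 22, now=now)
    tampered = pkt[:10] + bytes([pkt[10] ^ 1]) + pkt[11:]   # flip one bit in the body
    out = {
        "spa_first": spa.handle(pkt, client, now)[0],
        "spa_replay": spa.handle(pkt, client, now + 5)[1],
        "spa_other_host": spa.handle(pkt, sniffer, now + 5)[1],
        "spa_tampered": spa.handle(tampered, client, now)[1],
        "spa_stale": spa.handle(build_spa_packet(key, client, 22, now=now - 3600), client, now)[1],
        "spa_open_at_29s": spa.is_open(client, 22, now + 29),
        "spa_open_at_31s": spa.is_open(client, 22, now + 31),
    }
    knock = KnockServer([7000, 8000, 9000])
    out["knock_legit"] = [knock.knock(client, p, now) for p in knock.sequence][-1]
    out["knock_replayed"] = [knock.knock(sniffer, p, now + 60) for p in knock.sequence][-1]
    return out
```

`demo()` returns the outcome of each check: the first SPA packet opens tcp/22 for 30 seconds, the same bytes sent again are refused as a replay, a copy sent from another address fails the source binding, a flipped bit fails the HMAC before the body is even parsed, and a packet with an hour-old timestamp is refused as stale, while the knock sequence admits the eavesdropper as readily as the client. The replay cache only needs to hold a digest for as long as the timestamp check would still accept it, which is why an SPA daemon needs bounded clocks rather than unbounded state. Whichever daemon does the knocking, the SSH advice above stands on its own: with `PasswordAuthentication no` in sshd_config (check the effective value with `sshd -T`), a failed or bypassed knock daemon exposes nothing to brute force.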



  • I was referring to the threads you find with the search function with the keyword "port knocking".
    Like this one: http://forum.pfsense.org/index.php/topic,4168.30.html

    I agree with everything you said Cry Havok.
    Of course you always have to look at the whole picture.
    I was more generally speaking that port knocking alone is not secure.



  • Thank you both for your comments and direction,

    I am facing a lot to consider in evaluating the benefits of using BSD vs. a pre-configured Linux firewall/router system or a dedicated Debian box.

    Although I've already downloaded, read the FAQs and installed previous versions of pfSense,
    I'm still having a difficult time assessing the merits of pfSense (other than a higher history of security),
    in comparing it to a devoted Debian box or another pre-configured Linux firewall/router solution.

    Sens

