> It solves none of your problems

Wrong, it solves tons of them.

> adds complexity and cost

Almost zero complexity and cost. Maybe if you're bad at sysadmin work it adds cost and complexity.

> defense without corresponding increases to attacker costs.

It adds a _huge_, almost incalculable cost increase to attackers.

> If you believe there are unknown OpenSSH attacks, you can't coherently believe that port knocking is a real defense, since port knocking doesn't do anything to protect the SSH channel that attacks will be carried out in.

Looks like you don't understand the concept of 0-days. Several CVEs were listed elsewhere. I suggest researching 0-day exploits so you understand how port knocking mitigates them. Port knocking mitigates 0-days.

> Instead, if you're actually worried about OpenSSH vulnerabilities, you shouldn't be exposing SSH to the public Internet at all.

I don't disagree here, VPN is a great solution. Nonetheless, for some shops simple port-knocking on a bastion host solves a lot of these issues, and removes the complexity that VPNs add.

> I'm not super worried about OpenSSH server vulnerabilities, but I would never recommend that teams leave SSH exposed; they should just hide that stuff behind WireGuard.

No one is super worried about things like Shellshock, Heartbleed, etc. until they happen. Port knocking solved a lot of problems, protects you from zero-days, and makes SSH noise a non-issue (huge signal-to-noise gains). Used in production for years. It's fantastic.
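The mechanism the comment is arguing about, as an added example that is not code from the thread or from any knock daemon: a stateful tracker that watches inbound SYNs and only lets a source reach the SSH port after it has hit a secret ordered list of closed ports within a short window. The knock ports, timeouts, IP addresses and event stream below are constructed for the demo. The `strict` flag models the difference between a daemon that only sniffs the knock ports (so other ports are invisible to it) and a firewall chain that resets the sequence on any other port; the scan helper shows why that, together with a non-monotonic sequence, matters against an ordinary sequential port scan.

```python
"""Stateful port-knock tracker (added example, not the commenter's code).

A client must send SYNs to the secret `sequence` of closed ports, in order,
with at most `step_timeout` seconds between knocks; a completed sequence opens
the SSH port for that source for `open_window` seconds. All port numbers,
timeouts and addresses are assumptions chosen for the demonstration.
"""

from dataclasses import dataclass, field
from typing import Dict, Tuple


@dataclass
class KnockTracker:
    sequence: Tuple[int, ...]          # ordered knock ports (demo values)
    step_timeout: float = 5.0          # seconds allowed between two knocks
    open_window: float = 30.0          # seconds SSH stays open after a knock
    ssh_port: int = 22
    strict: bool = False               # True: any non-sequence port resets
    # src -> (index of the next expected knock, time of last accepted knock)
    _progress: Dict[str, Tuple[int, float]] = field(default_factory=dict)
    # src -> time at which its SSH window closes again
    _open_until: Dict[str, float] = field(default_factory=dict)

    def is_open(self, ts: float, src: str) -> bool:
        return self._open_until.get(src, -1.0) > ts

    def observe(self, ts: float, src: str, dst_port: int) -> bool:
        """Process one inbound SYN (time, source IP, destination port).
        Returns True only when the packet should be accepted."""
        if dst_port == self.ssh_port:
            return self.is_open(ts, src)          # closed unless knocked
        if dst_port not in self.sequence and not self.strict:
            return False                          # invisible to the daemon
        idx, last = self._progress.get(src, (0, ts))
        if idx and ts - last > self.step_timeout:
            idx = 0                               # window expired: start over
        if dst_port == self.sequence[idx]:
            idx += 1                              # correct next knock
        else:
            idx = 1 if dst_port == self.sequence[0] else 0   # wrong: reset
        if idx == len(self.sequence):
            self._open_until[src] = ts + self.open_window
            idx = 0
        self._progress[src] = (idx, ts)
        return False                              # knock ports stay closed


def demo() -> Dict[str, bool]:
    """Constructed event stream (not captured traffic) exercising the tracker."""
    t = KnockTracker(sequence=(9000, 7000, 8000))
    cold = t.observe(0.0, "203.0.113.5", 22)              # no knock: dropped
    for ts, port in ((1.0, 9000), (1.5, 7000), (2.0, 8000)):
        t.observe(ts, "203.0.113.5", port)
    knocked = t.observe(2.5, "203.0.113.5", 22)           # accepted
    other = t.observe(2.6, "198.51.100.9", 22)            # other source: dropped
    # Same sequence, but the second knock arrives after the step timeout.
    for ts, port in ((10.0, 9000), (16.0, 7000), (16.5, 8000)):
        t.observe(ts, "192.0.2.7", port)
    slow = t.observe(17.0, "192.0.2.7", 22)               # dropped
    expired = t.observe(33.0, "203.0.113.5", 22)          # window over: dropped
    return {"cold": cold, "knocked": knocked, "other": other,
            "slow": slow, "expired": expired}


def sequential_scan_opens(sequence: Tuple[int, ...], strict: bool = False,
                          gap: float = 0.001) -> bool:
    """Does a plain ascending full port scan (one SYN every `gap` seconds)
    end up opening SSH for the scanner? Used to show the monotonic-sequence
    weakness: an ascending sequence is completed by the scan itself unless
    non-sequence ports reset the state."""
    t = KnockTracker(sequence=sequence, strict=strict)
    src = "198.51.100.9"
    for port in range(1, 65536):
        ts = port * gap
        t.observe(ts, src, port)
        if t.is_open(ts, src):
            return True
    return False


if __name__ == "__main__":
    print(demo())
    print("ascending, non-strict:", sequential_scan_opens((7000, 8000, 9000)))
    print("ascending, strict:", sequential_scan_opens((7000, 8000, 9000), True))
    print("non-monotonic:", sequential_scan_opens((9000, 7000, 8000)))
```

The tracker only models the gate in front of the port; it does nothing for the SSH session once the gate is open, which is the limitation both sides of the thread are talking past. Two practical checks fall out of the scan helper: an ascending knock sequence watched by a daemon that ignores other ports is opened by an `nmap -p-` style scan, so pick a non-monotonic sequence and prefer resetting on any stray port.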