by xorcist 1856 days ago
> Port-knocking is supposed to be a way to reduce attack surface.

No, it's a bet that your port knocking tool has less (or better tested) attack surface than OpenSSH.

OpenSSH is pretty thoroughly tested by now, and the pre-auth parts run with very few privileges.

The specific port knocking tool linked to above seems to expose very little, but there's still some logging going on that wouldn't happen otherwise, and the potential for logic bugs in the Python stuff. It's not an obvious bet to take.


Tx for the insight.

Does the extra logging carry a risk over and above DoS (which is mitigated by the `-m limit` stuff in the iptables rules)?

Not much of an insight perhaps, just an observation. Risks are notoriously hard to quantify.

But where there's an attack surface there is a risk. There's logging and parsing of logs going on here.

Does that translate to practical risk, in the sense that your system will get owned in this way? Personally, I wouldn't consider it very likely. A Linux box won't get popped via a plain open OpenSSH, but likely not via this Python log parser either. It's still not a bet I would take.

There's so much going on in a network stack that I would look for bugs there before the same in pre-auth OpenSSH, but one does not know for certain until after the fact.