Hi,

On Wed Jul 09, 2003 at 23:16:51 +0200, François TOURDE wrote:
> > By allowing connections from only a few IP address blocks, you cut out
> > most of the crackers in the world, but don't have to mess with dynamic
> > DNS and lack of reverse lookup; A good tradeoff between security and
> > convenience.
>
> Even with fake/forged IP's ?

SSH is TCP-based. IP spoofing on the internet is very hard to do.

> You can also imagine a knocking (? toc toc toc) mechanism: One ping,
> followed by two telnet packets, then 4 ftp or whatever packets, and
> then your ip is allowed to try a ssh connection...

This is security by obscurity. Approaches like this have been discussed
on this list before. It is the somewhat convoluted equivalent of a
plaintext password authentication scheme layered on top of SSH.

Regards,
uLI
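The allow-list approach discussed in the thread, worked through as an added example that is not part of the original mail or of any list member's code: a default-deny check of SSH client source addresses against a few address blocks, run over constructed sshd-style "Connection from" log lines. The blocks (RFC 5737 / RFC 3849 documentation ranges), the log lines and the addresses in them are all assumptions made up for the example. It also covers two edge cases a practitioner hits in practice: IPv4-mapped IPv6 sources (which a dual-stack sshd logs as `::ffff:a.b.c.d`) and unparseable source strings, both of which must not silently pass.

```python
import ipaddress
import re
from typing import List, Sequence, Tuple

# Constructed allow list (assumption): documentation ranges standing in for the
# "few IP address blocks" an administrator would actually permit.
ALLOWED_BLOCKS = ["192.0.2.0/24", "198.51.100.0/25", "2001:db8::/32"]

# Constructed log lines (assumption) in the shape of sshd's "Connection from ..."
# message at LogLevel VERBOSE; every address and port here is made up.
SAMPLE_LOG = """\
sshd[4321]: Connection from 192.0.2.5 port 51234 on 192.0.2.10 port 22
sshd[4322]: Connection from 203.0.113.7 port 40001 on 192.0.2.10 port 22
sshd[4323]: Connection from ::ffff:192.0.2.9 port 40002 on ::ffff:192.0.2.10 port 22
sshd[4324]: Connection from 198.51.100.200 port 40003 on 192.0.2.10 port 22
sshd[4325]: Connection from 2001:db8:1::1 port 40004 on 2001:db8::10 port 22
sshd[4326]: Connection from not-an-address port 40005 on 192.0.2.10 port 22
"""

CONN_RE = re.compile(r"Connection from (\S+) port \d+")


def parse_blocks(blocks: Sequence[str]) -> List[ipaddress._BaseNetwork]:
    """Parse the allow list. strict=True rejects a block whose host bits are set
    (e.g. a typo like 192.0.2.5/24), so a mistaken entry fails loudly at load time
    instead of silently allowing a different range than intended."""
    return [ipaddress.ip_network(b, strict=True) for b in blocks]


def is_allowed(client_ip: str, networks: Sequence[ipaddress._BaseNetwork]) -> bool:
    """Default deny: only a parseable address inside one of the blocks is allowed."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # unparseable source string: never allow
    candidates = [addr]
    # An IPv4 client reaching a dual-stack listener shows up as ::ffff:a.b.c.d;
    # compare the embedded IPv4 address against the IPv4 blocks as well.
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        candidates.append(mapped)
    # Membership test across address families returns False rather than raising.
    return any(c in net for c in candidates for net in networks)


def evaluate_log(log_text: str, networks: Sequence[ipaddress._BaseNetwork]) -> List[Tuple[str, str]]:
    """Return (source, 'allow'|'deny') for every connection line in the log."""
    decisions = []
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue
        src = m.group(1)
        decisions.append((src, "allow" if is_allowed(src, networks) else "deny"))
    return decisions


def denied_sources(log_text: str, networks: Sequence[ipaddress._BaseNetwork]) -> List[str]:
    """Sources that fall outside the allow list; the ones worth alerting on."""
    return [src for src, decision in evaluate_log(log_text, networks) if decision == "deny"]


if __name__ == "__main__":
    nets = parse_blocks(ALLOWED_BLOCKS)
    for src, decision in evaluate_log(SAMPLE_LOG, nets):
        print(f"{decision:5s} {src}")
```

Note that 198.51.100.200 is denied even though a casual reading of the list might expect "198.51.100.x" to pass: the block is a /25 and covers only .0 to .127, which is exactly the kind of detail `strict=True` and an explicit membership test keep honest.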