The real problem is not about password cracking; the real problem is that SSHD is accessible from arbitrary locations around the globe. Why should some random IP have the privilege of scanning for SSHD, seeing that it is accessible, and then be free to try an exploit (perhaps a new 0-day) against it? If you know that you only need to access SSHD from a limited set of IP addresses, then it is easy to write a firewall policy around these addresses, but what if you are on travel? This is where SPA comes in by maintaining a default-drop firewall stance for all SSH communications. Then, by passively sniffing for specially constructed (that is, encrypted and non-replayed) packets on the wire, the default-drop firewall policy is modified to allow an SSH connection. Details can be found in my USENIX ;login: paper "Single Packet Authorization with Fwknop". There are also two chapters in the book about port knocking and SPA.
What's your take on projects such as IPCop and Sentry Firewall?
Providing an easy to use Linux firewall to the masses is important, and I think IPCop goes a long way to accomplishing this. It looks as though development on Sentry Firewall has stopped, but the goal of the project - a bootable Linux CD that turns your system into a ready-made firewall and IDS - is a great concept. It allows anyone to try out a Linux firewall essentially for free on commodity hardware.
The knowledge barrier to deploying security technologies should be made as low as possible, and this means that ease of use is paramount. Also, not everyone is familiar with Linux as a network security technology, so projects like IPCop and Sentry Firewall help to increase exposure of Linux in this scenario. Finally, I wish to add that IPCop also provides a good firewall solution, and it is compatible with psad (discussed extensively in the book).
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.