Re: Need urgent help regarding security

From: Roger Marquis (marquis_at_roble.com)
Date: 11/22/05

  • Next message: Marian Hettwer: "Re: Need urgent help regarding security"
    Date: Tue, 22 Nov 2005 10:26:58 -0800 (PST)
    To: freebsd-security@freebsd.org
    ray@redshift.com wrote:
    >The point isn't to get more secure. You are correct by saying that
    >moving the port # doesn't make anything more secure.

    Actually the point _is_ security and changing the port number _does_
    improve it significantly though only from one popular attack vector.

    Security by obscurity _does_ work and often very well just not in
    place of more substantive measures. In the case of sshd dictionary
    attacks those would be:

      1) setting "MaxAuthTries 2", "Banner /etc/issue" and
      "PermitRootLogin no" in /etc/ssh/sshd_config,

      2) running an sshd IDS that A) tests for '(for invalid user|Failed
      password for)', B) blackholes source hosts 'ipfw add deny ...', and
      C) alerts sysadmin or operations personnel,

      3) making sure SSL and SSH are up to date (preferably via ports),

      4) deleting the rc script, adding sshd to /etc/inetd.conf, and
      taking advantage of the rate controls, logging, and other excellent
      security features of FreeBSD's inetd.

    Hosts that don't have at least these 4 protections in place will
    reduce their exposure by moving sshd to a port other than 22. Hosts
    that do implement these protections will still benefit from changing
    the port but can lose some excellent logging. If possible keep the
    logs and either send them to the offending ISP or add to a local
    list of long-term blackholes.

    Obscurity is an important and wholly necessary part of the security
    toolkit. Take passwords for example. Defining a non-dictionary
    password is security by obscurity. It is, however, weak protection
    if you do not also log dictionary attacks and blackhole offenders
    before they can try many username/password pairs. ATM PINs are even
    weaker than passwords but are nevertheless adequate protection
    thanks to the fact that ~3 failed passwords will cause the account
    to be locked.

    Bruce Schneier looks at more areas on where security by obscurity
    works and where it doesn't in the May 2002 CRYPTO-GRAM
    <http://archives.neohapsis.com/archives/crypto/2002-q2/0005.html>.

    -- 
    Roger Marquis
    Roble Systems Consulting
    http://www.roble.com/
    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
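
Step 2 of the post above (match sshd failures, blackhole the source with ipfw, alert an operator) is the kind of thing that was usually a few lines of shell or Perl in 2005. The following is an added worked example written for this page; it is not code from the original post or from Roger Marquis. It assumes FreeBSD-style syslog lines from OpenSSH, ipfw as the packet filter, an illustrative rule number of 500, a threshold of three failures, and a whitelist of management addresses that must never be blackholed; the log lines in the block are constructed for the example. Only "Failed password for" lines are counted, because OpenSSH also logs a separate "Invalid user X from IP" line for the same attempt and counting both would double-count.

```python
"""Minimal sshd dictionary-attack watcher (added example, not the post's own code).

Assumptions (all illustrative): FreeBSD syslog format, ipfw packet filter,
rule number 500, threshold of 3 failures, a whitelist of addresses that are
never blackholed.  apply_blackholes() defaults to dry-run so nothing is
executed unless you ask for it.
"""
import re
import subprocess
from collections import Counter

# OpenSSH logs "Failed password for <user> from <ip>" and
# "Failed password for invalid user <user> from <ip>".  The separate
# "Invalid user <user> from <ip>" line is deliberately NOT counted so that
# one attempt against a non-existent account is not counted twice.
FAIL_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+"
    r" from (\d{1,3}(?:\.\d{1,3}){3})"
)

# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    "Nov 22 10:26:58 gw sshd[40211]: Invalid user admin from 192.0.2.10",
    "Nov 22 10:26:58 gw sshd[40211]: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2",
    "Nov 22 10:27:01 gw sshd[40213]: Failed password for invalid user test from 192.0.2.10 port 51240 ssh2",
    "Nov 22 10:27:04 gw sshd[40215]: Failed password for root from 192.0.2.10 port 51250 ssh2",
    "Nov 22 10:27:09 gw sshd[40217]: Failed password for root from 198.51.100.7 port 2222 ssh2",
    "Nov 22 10:27:15 gw sshd[40219]: Accepted publickey for alice from 203.0.113.5 port 5555 ssh2",
    "Nov 22 10:27:20 gw sshd[40221]: Failed password for alice from 203.0.113.5 port 5560 ssh2",
]


def failed_sources(log_lines):
    """Count sshd password failures per source IPv4 address."""
    counts = Counter()
    for line in log_lines:
        m = FAIL_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def blackhole_commands(counts, threshold=3, whitelist=(), rule_number=500):
    """Return the ipfw deny commands for every host at or over the threshold.

    Whitelisted addresses are skipped so an operator cannot lock themselves
    out of their own gateway by mistyping a password a few times.
    """
    cmds = []
    for ip, n in sorted(counts.items()):
        if n >= threshold and ip not in whitelist:
            cmds.append(f"ipfw add {rule_number} deny ip from {ip} to any")
    return cmds


def alert_text(counts, cmds, threshold):
    """Build the message an operator would receive (e.g. piped into mail(1))."""
    lines = [f"sshd failures per source (threshold {threshold}):"]
    for ip, n in sorted(counts.items()):
        lines.append(f"  {ip}: {n}")
    lines.append("blackholed:")
    lines.extend("  " + c for c in cmds) if cmds else lines.append("  (none)")
    return "\n".join(lines)


def apply_blackholes(cmds, dry_run=True):
    """Run the ipfw commands; in dry-run mode just print what would be run."""
    for cmd in cmds:
        if dry_run:
            print("would run:", cmd)
        else:
            subprocess.run(cmd.split(), check=True)


if __name__ == "__main__":
    counts = failed_sources(SAMPLE_LOG)
    cmds = blackhole_commands(counts, threshold=3, whitelist=("203.0.113.5",))
    print(alert_text(counts, cmds, 3))
    apply_blackholes(cmds)  # dry run; pass dry_run=False on a real gateway
```

In practice this runs from cron over the last few minutes of /var/log/auth.log (or behind tail -F), with the whitelist holding every address you administer from. With "MaxAuthTries 2" each connection can show at most two failures, so the count has to be kept across connections, as above, rather than per session. The pattern and the ipfw rule are unaffected by which port sshd listens on, which is the post's point: moving the port reduces the noise, the watcher handles what still arrives.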