Re: dodging SSH-bullets?

From: Luke Vogel (LukeVogel_at_not_a_real_address.net)
Date: 01/10/04


Date: Sat, 10 Jan 2004 11:47:11 GMT


"Skylar Thompson" <skylar@os2.dhs.org> wrote in message
news:slrnbvufoq.ju1.skylar@bagend.os2.dhs.org...

> None, unless you can convince your SSH server not to look like an SSH
> server. telnet to your SSH server port and you'll see what I mean. Even if
> you disable the banner, it still has to respond to SSH commands, which is
> going to be a dead giveaway to what it really is.

Yep, you're 100% correct here....

But bear in mind the practices of 99.9% of hackers (read skript kiddies).
1. The vast majority scan for a few ports (usually known to be
associated with vulnerable daemons) over a reasonably large range of ip
addresses. This means that the likelihood of them locating an open port
over 1024 on any host is reasonably small.
2. The popular port scanners that hackers use also create a log file
with ip/port/banner strings. This log is then easily processed by
hacking tools to automate the attacks on hosts that meet the required
signature (specific banner strings, version numbers etc). This means
that an unusual banner will in all likelihood be bypassed.

Given that 1 and 2 above make the likelihood of identifying and then
attacking a host extremely minimal, only an extreme concerted effort by
a specific attacker would then identify your ssh daemon (and could
easily be thwarted by DROP rules on your firewall given that you've
identified the perp by now). ... and even then, considering you always
keep your servers up-2-date, the probability of a compromise is
infinitesimal.

I've been reading up a little bit on "knock first" port opening and
there are a number of techniques that can be employed to make ports
invisible until specifically crafted packets are received and
authenticated.

All of this lovely science makes security a lot of fun!

-- 
Regards
Luke
------
Q:  What does FAQ stand for?
A:  We are Frequently Asked this Question, and we have no idea.
------
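
An added example, not part of the original post: a small Python parser for the SSH identification string (RFC 4253, section 4.2), run over constructed first-line responses. It shows both points in the thread: a signature keyed to one product/version string misses an unusual banner, while the mandatory `SSH-` prefix still identifies the service as SSH. The sample lines and the `NAIVE_SIGNATURE` pattern are constructed for illustration.

```python
import re

# RFC 4253 s4.2: the server must send
#   SSH-protoversion-softwareversion[ SP comments] CR LF
# The software field is matched loosely (\S+) to tolerate non-conforming servers.
IDENT_RE = re.compile(
    r"^SSH-(?P<proto>[^-\s]+)-(?P<software>\S+)(?: (?P<comments>.*))?$"
)

# Hypothetical signature of the kind point 2 describes: one product, some versions.
NAIVE_SIGNATURE = re.compile(r"OpenSSH_3\.[0-7]")


def parse_ident(first_line: bytes):
    """Return the identification fields, or None if the line is not SSH."""
    text = first_line.rstrip(b"\r\n").decode("ascii", errors="replace")
    if len(text) > 253:  # RFC limit is 255 characters including CR LF
        return None
    match = IDENT_RE.match(text)
    return match.groupdict() if match else None


def classify(first_line: bytes) -> str:
    """Say whether the line is SSH and whether the version signature hits."""
    ident = parse_ident(first_line)
    if ident is None:
        return "not-ssh"
    if NAIVE_SIGNATURE.search(ident["software"]):
        return "ssh, version signature matched"
    return "ssh, version signature missed"


# Constructed sample first lines, as a server on any port might send them.
SAMPLES = [
    b"SSH-2.0-OpenSSH_3.7.1p2\r\n",    # stock-looking version string
    b"SSH-2.0-Gateway_1.0\r\n",         # customized software field
    b"SSH-1.99-custom daemon\r\n",      # custom field plus comment
    b"220 mail.example.org ESMTP\r\n",  # a different service
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{line!r:40} -> {classify(line)}")
```
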

