Re: I'm getting attacked



On Fri, 16 Feb 2007, in the Usenet newsgroup comp.os.linux.security, in article
<slrnetcve1.753.john@xxxxxxxxxxxxxxxxxx>, John Thompson wrote:

> On 2007-02-16, Damian 'legion' Szuberski
> <legion@xxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
>
>> [Moving SSH server from port 22 to some other port]
>>
>> One more piece of advice on how to obtain security through obscurity?
>
> You can't. Those who advocate security through obscurity are deceiving
> themselves.

If some one were to move their SSH server to another port like

[compton ~]$ ls -l | head -300 | tail -1 | awk '{print $5}'
6722
Broken pipe
[compton ~]$

Yeah - that's a nice number - moving it to port 6722 and setting it up with an
empty password for a well-known user like 'root' would be "security by
obscurity". Moving the server while retaining the existing authentication
mechanism is a Darwinesque addition - putting an immense barrier in front
of zombies and skript kiddiez. Moving the server to an obscure port can
be defeated by port scanners (which is why you don't want to move the
server to some other well-known port, and should move it to a port outside
of the normal range scanned by common port scanners - say above port 1100).
But this is no more 'security by obscurity' than changing the user name
from "$USERNAME" to a ten character string you created by piping /dev/random
through /usr/bin/mimencode, or using a ten character "password" string based
on a time(t) function modified by the phase of the moon and the outside air
temperature measured at the weather station in Central Park in New York City
seven days ago.

Servers are normally found on "well known ports" so that they can be found
by programs without jumping through hoops and obtaining local knowledge of
the configuration. However every SSH client - indeed most clients for
most network services can be directed to use a non-standard port. If you
want everyone in the world to be able to find your server, leave it on a
well known port. If you have no reason to allow any but a select few
people to connect, then after you gauge their intelligence, consider
moving the server elsewhere, and show your users the secret technique of
including a server port number in their SSH call.

Security is enhanced by _layers_ of additional features. Kindly stop the
knee-jerk reaction to words, and actually think. It might actually help
your own security.

Old guy
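The layering argued for in the post above, as an added example that is not part of the original thread and not OpenSSH's own code: a small POSIX shell audit that reads an sshd_config and reports whether the server still sits on port 22, still permits direct root login, and still accepts passwords, plus the client-side ~/.ssh/config stanza that spares users the `-p` flag. Port 6722 is the number from the post; the config files are constructed in a temporary directory, and the user name `legion` and address 192.0.2.10 (a documentation address) are placeholders. One caveat the post leaves implicit: a default `nmap` scan covers the 1000 most common TCP ports, but `nmap -p-` walks all 65535, so the moved port is found by anyone who bothers to look and the audit insists on the other two layers as well.

```shell
#!/bin/sh
# Added example, not code from the original post. Audits an sshd_config for the
# three layers discussed in the thread: a non-default port, no direct root
# login, and no password authentication. Paths and values below are assumed.

# Print the effective value of an sshd_config keyword, or a default if absent.
# sshd honours the FIRST occurrence of a keyword and ignores later ones, so this
# does the same. Keywords are case-insensitive; comments and blanks are skipped.
# Caveat: Match blocks and Include files are not handled (use `sshd -T` for the
# real effective configuration).
sshd_opt() {
    # $1 = config file, $2 = keyword, $3 = default
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    val=$(awk -v key="$key" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == key        { print $2; exit }
    ' "$1")
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

# Audit one file. Prints a line per setting; returns 0 when all three layers
# are in place and 1 otherwise. Defaults match OpenSSH: Port 22,
# PermitRootLogin prohibit-password, PasswordAuthentication yes.
check_sshd_config() {
    f=$1
    bad=0
    port=$(sshd_opt "$f" Port 22)
    root=$(sshd_opt "$f" PermitRootLogin prohibit-password | tr 'A-Z' 'a-z')
    pass=$(sshd_opt "$f" PasswordAuthentication yes | tr 'A-Z' 'a-z')

    if [ "$port" = 22 ]; then
        echo "WEAK  Port 22: every scanner and zombie tries this first"
        bad=1
    else
        echo "OK    Port $port: clients must pass -p $port (or use a Host stanza)"
    fi
    if [ "$root" = yes ]; then
        echo "WEAK  PermitRootLogin yes: the best-known account is reachable directly"
        bad=1
    else
        echo "OK    PermitRootLogin $root"
    fi
    if [ "$pass" = yes ]; then
        echo "WEAK  PasswordAuthentication yes: the moved port only slows guessing"
        bad=1
    else
        echo "OK    PasswordAuthentication $pass"
    fi
    return $bad
}

# Client side: instead of teaching users "ssh -p 6722 host", hand them a
# ~/.ssh/config stanza so a plain "ssh alias" does the right thing.
ssh_host_stanza() {
    # $1 = alias, $2 = real host or address, $3 = port, $4 = login name
    printf 'Host %s\n    HostName %s\n    Port %s\n    User %s\n' "$1" "$2" "$3" "$4"
}

# Demo on two constructed configs (not real files from the post).
tmp=$(mktemp -d)
printf 'Port 22\nPermitRootLogin yes\nPasswordAuthentication yes\n' > "$tmp/weak.conf"
printf '# hardened\nPort 6722\nPermitRootLogin no\nPasswordAuthentication no\nAllowUsers legion\n' > "$tmp/hard.conf"
echo "== weak.conf";  check_sshd_config "$tmp/weak.conf" || echo "   -> FAIL"
echo "== hard.conf";  check_sshd_config "$tmp/hard.conf" && echo "   -> PASS"
echo "== ~/.ssh/config stanza for the hardened server (192.0.2.10 is a placeholder)"
ssh_host_stanza compton 192.0.2.10 6722 legion
rm -rf "$tmp"
```

The audit deliberately mirrors sshd's first-occurrence rule: a `Port 6722` line buried below an earlier `Port 22` changes nothing, which is a common way a port move silently fails to take effect. For the real effective configuration, including Match blocks, ask the daemon itself with `sshd -T`.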