Re: I'm getting attacked
- From: Sir Jackery <roehrig@xxxxxxxxxxxxxx>
- Date: Wed, 28 Feb 2007 09:04:11 -0800
On Sat, 17 Feb 2007, Moe Trin wrote:
> On Fri, 16 Feb 2007, in the Usenet newsgroup comp.os.linux.security, in article
> <slrnetcve1.753.john@xxxxxxxxxxxxxxxxxx>, John Thompson wrote:
>> On 2007-02-16, Damian 'legion' Szuberski
>> <legion@xxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
>> [Moving SSH server from port 22 to some other port]
>>> One more piece of advice on how to obtain security through obscurity?
>> You can't. Those who advocate security through obscurity are deceiving
>> themselves.
> If someone were to move their SSH server to another port like
> [compton ~]$ ls -l | head -300 | tail -1 | awk '{print $5}'
> 6722
> Broken pipe
> [compton ~]$
> Yeah - that's a nice number - moving it to port 6722 and setting it up with an
> empty password for a well-known user like 'root' would be "security by
> obscurity". Moving the server while retaining the existing authentication
> mechanism is a Darwinesque addition - putting an immense barrier in front
> of zombies and skript kiddiez. Moving the server to an obscure port can
> be defeated by port scanners (which is why you don't want to move the
> server to some other well-known port, and should move it to a port outside
> of the normal range scanned by common port scanners - say above port 1100).
> But this is no more 'security by obscurity' than changing the user name
> from "$USERNAME" to a ten character string you created by piping /dev/random
> through /usr/bin/mimencode, or using a ten character "password" string based
> on a time(t) function modified by the phase of the moon and the outside air
> temperature measured at the weather station in Central Park in New York City
> seven days ago.
> Servers are normally found on "well known ports" so that they can be found
> by programs without jumping through hoops and obtaining local knowledge of
> the configuration. However, every SSH client - indeed most clients for
> most network services - can be directed to use a non-standard port. If you
> want everyone in the world to be able to find your server, leave it on a
> well known port. If you have no reason to allow any but a select few
> people to connect, then after you gauge their intelligence, consider
> moving the server elsewhere, and show your users the secret technique of
> including a server port number in their SSH call.
> Security is enhanced by _layers_ of additional features. Kindly stop the
> knee-jerk reaction to words, and actually think. It might actually help
> your own security.
> Old guy
You guys are idiots. Security through obscurity is a great addition to other security methods. Why would you only use one method of securing your systems? That is truly stupid. All of my MOTDs and sigs point to an incorrect operating system, thus hopefully attackers will look for vulnerabilities for an incorrect platform.
--Sir Jackery
Older, wiser guy.
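The distinction Moe Trin draws in the quoted text (a moved port plus an empty root password is "security by obscurity"; a moved port plus the existing authentication mechanism is an extra layer) can be checked mechanically against an sshd_config. The following audit is an added example written for this archived thread, not code from any of the posters. It assumes OpenSSH's configuration rules (keywords are case-insensitive, the first occurrence of a keyword wins, and a `Match` line ends the global section), and the default values listed in `DEFAULTS` are an assumption about the server being audited; the two configuration texts are constructed samples.

```python
"""Audit an sshd_config for the "obscure port, weak authentication" pattern.

Added example for the comp.os.linux.security thread above; not any
poster's code. Assumes OpenSSH semantics: keywords are case-insensitive,
the first occurrence of a keyword wins, and the first `Match` line ends
the global section (later lines are conditional and ignored here).
"""
import re

# Assumed defaults for an OpenSSH server of the thread's era; adjust for
# the version actually deployed (modern builds default PermitRootLogin
# to prohibit-password, for example).
DEFAULTS = {
    "port": "22",
    "permitrootlogin": "yes",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "pubkeyauthentication": "yes",
}

DIRECTIVE = re.compile(r"([A-Za-z]+)\s*[=\s]\s*(.*)")


def parse_sshd_config(text):
    """Return {lowercased keyword: value} for the global section.

    Only the first occurrence of each keyword is kept, matching sshd.
    (A second `Port` line would add a listening port; this simplified
    parser records just the first one.)
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        m = DIRECTIVE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break  # conditional blocks start here; stop reading globals
        settings.setdefault(key, value)
    return settings


def effective_settings(text):
    """Overlay parsed directives on the assumed defaults."""
    merged = dict(DEFAULTS)
    merged.update(parse_sshd_config(text))
    return merged


def audit(text):
    """Return a list of findings; an empty list means the port move is
    backed by real authentication controls rather than obscurity alone."""
    cfg = effective_settings(text)
    findings = []
    port = int(cfg["port"])
    if port == 22:
        findings.append("port is the default 22; no obscurity at all")
    elif port < 1024:
        findings.append(f"port {port} is still in the well-known range")
    if cfg["permitemptypasswords"].lower() == "yes":
        findings.append("empty passwords permitted: moving the port alone "
                        "is security by obscurity")
    if (cfg["permitrootlogin"].lower() == "yes"
            and cfg["passwordauthentication"].lower() == "yes"):
        findings.append("root may log in with a password; the port change "
                        "is the only barrier")
    if cfg["passwordauthentication"].lower() == "yes":
        findings.append("password authentication enabled; prefer key-only "
                        "authentication as the real layer")
    return findings


# Constructed sample configurations (not from the thread).
OBSCURITY_ONLY = """
# port moved, but root with an empty password is still welcome
Port 6722
PermitRootLogin yes
PermitEmptyPasswords yes
"""

LAYERED = """
Port 6722
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("obscurity-only", OBSCURITY_ONLY), ("layered", LAYERED)):
        print(name, "->", audit(cfg) or ["no findings"])
```

The `Match` handling matters for the check: a `PasswordAuthentication yes` that appears only inside a `Match` block does not weaken the global setting, so the `LAYERED` sample still produces no findings. On the client side, users of a moved server need only `ssh -p 6722 host` or a `Port 6722` line under a `Host` entry in `~/.ssh/config`, which is the "secret technique" the quoted post refers to.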
- References:
- Re: I'm getting attacked
- From: jsuthan
- Re: I'm getting attacked
- From: Damian 'legion' Szuberski
- Re: I'm getting attacked
- From: John Thompson
- Re: I'm getting attacked
- From: Moe Trin
- Re: I'm getting attacked