North American Network Operators Group


Re: sniffer/promisc detector

  • From: Alexei Roudnev
  • Date: Tue Jan 20 12:24:07 2004

>
> Uhm, that would be wrong.  This is simply "security through obscurity".
Yes, it is wrong for the _smart books_. But it works in real life. Of
course, it should not be the last line of defense; but it works as a first
line very effectively.

If I rate safety as a number (10 is the best, 0 is the worst):
- unpatched sshd on port 22 - safety is zero (will be hacked by an automated
script in a few weeks)
- patched sshd on port 22 - safety is 5 (even patched sshd has bugs, and
I do not know what happens first - I patch the next bug or a hacker's script finds
this sshd and hacks it)
- unpatched sshd on port 30013 - safety is 7 (higher) because no
automated script can find it, and no manual scan finds it in reality
- patched sshd on port 30013 - safety is 9
- turn off power - safety is 10. A secure system is a dark system.

(I did not rate firewalls etc.)

>
> Go grab nessus (www.nessus.org), modify the code a bit, and I guarantee you
Yes, correct. Do it. Measure scan time, and you will be surprised. Open old
logs, and you will find that such things are not used; they are absolutely
not effective for any wide scanning. And they are very easy to detect by IDS
systems (it is useless to detect a port 22 scan - every hacker is doing it).

Scan 65000 ports over a T1 link, using 'nessus', and see the time and traffic.
It can be used by an insider on a 100,000 Mbit network only, and (just again)
such a scan will be 100% caught by any IDS.

> that your ssh daemon running on a non-standard port can still be found,
> identified, and exploited. Trivial.

Can != WILL.

It WILL NOT. And it is the FIRST line of defense. But this line decreases the
attack level 10,000 times, and it costs 0 (zero). Do not read _smart
books_ without some thinking. (There are many cases where it is impossible.
But if it is possible, use it.)

Second line of defense is a patched system, host IDS etc. etc. - standard
security. It should not be the first line. And it should not be the last
line.

Last line of defense is HoneyPot.

PS. I worked as a RU-CERT expert, made traps, found and talked with hackers,
investigated many cases, so I have some background. And, of course, I know
_smart books theory_.
>
> -b
>
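Added example, not part of the post or thread: a small detector run over constructed iptables-style firewall log lines that flags one source touching many distinct ports on a single host (the wide sweep the post says any IDS catches) while leaving isolated port-22 probes unflagged, which is the everyday noise the post says is not worth alerting on. The log format, hosts and threshold are assumptions.

```python
import re
from collections import defaultdict

# Fields we need from an iptables-style DROP line (assumed format, not from the post).
LINE_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP .*?DPT=(?P<dpt>\d+)")


def parse_line(line):
    """Return (src, dst, dpt) for a TCP firewall log line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group("src"), m.group("dst"), int(m.group("dpt"))


def detect_port_scans(lines, threshold=10):
    """Flag (src, dst) pairs where one source probed more than `threshold` distinct ports.

    Returns {(src, dst): sorted list of ports}. A source that hits only port 22 is
    never flagged by this rule: that is background noise, not a sweep.
    """
    seen = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec:
            src, dst, dpt = rec
            seen[(src, dst)].add(dpt)
    return {k: sorted(v) for k, v in seen.items() if len(v) > threshold}


def make_sample_log():
    """Constructed sample log: one host sweeping ports 1-30 on 10.0.0.5, plus five
    unrelated hosts each trying port 22 once. All addresses are documentation ranges."""
    fmt = "Jan 20 12:00:{s:02d} gw kernel: DROP IN=eth0 SRC={src} DST={dst} PROTO=TCP SPT={spt} DPT={dpt}"
    lines = [fmt.format(s=i % 60, src="203.0.113.9", dst="10.0.0.5", spt=40000 + i, dpt=p)
             for i, p in enumerate(range(1, 31))]
    lines += [fmt.format(s=i, src=f"198.51.100.{i}", dst="10.0.0.5", spt=51000 + i, dpt=22)
              for i in range(1, 6)]
    return lines


if __name__ == "__main__":
    for (src, dst), ports in detect_port_scans(make_sample_log()).items():
        print(f"port sweep: {src} -> {dst}, {len(ports)} distinct ports ({ports[0]}..{ports[-1]})")
```

Raising the threshold to the size of the sweep shows the rule go quiet, which is the tuning knob a real IDS exposes for this signature.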