North American Network Operators Group

Re: sniffer/promisc detector
On 1/20/2004 at 09:18:07 -0800, Alexei Roudnev said:

> > Uhm, that would be wrong. This is simply "security through obscurity".
>
> Yes, it is wrong for the _smart books_. But it works in real life. Of
> course, it should not be the last line of defense; but it works as a first
> line very effectively.
>
> If I rate safety as a number (10 is the best, 0 is the worst):
> - unpatched sshd on port 22 - safety is zero (will be hacked by an automated
> script in a few weeks)
> - patched sshd on port 22 - safety is 5 (even patched sshd has bugs, and
> I do not know what happens first - I patch the next bug or a hacker's script finds
> this sshd and hacks it)
> - unpatched sshd on port 30013 - safety is 7 (higher) because no
> automated script can find it, and no manual scan finds it in reality
> - patched sshd on port 30013 - safety is 9
> - turn off power - safety is 10. A secure system is a dark system.
>
> (I did not rate firewalls etc.)

Actually, an automated script or manual scan can find it trivially. All you
have to do is a quick port scan, looking for this:

    12:31 biohazard~>telnet [somewhere] [port]
    Trying [ip_address]...
    Connected to localhost.
    Escape character is '^]'.
    SSH-1.99-OpenSSH_3.4p1c

Plus, if you put it on a non-standard port, you tend to use the same one
across the enterprise, so it is only really obscure once.

Moving port numbers only protects you against idle vandalism; it is useless
against people who truly wish you harm. You really need a firewall,
particularly one that can detect a port scan and shut off the scanner, for
changing ports to have any real security. It is kind of like a 4-digit PIN
being useless for a bank card without the 3-try limit.

-Dave
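The banner grab Dave describes, automated across a range of ports, as an added example that is not part of the original post or of the NANOG thread. sshd sends its identification string ("SSH-protoversion-softwareversion", RFC 4253 section 4.2) to any client that connects, before the client says a word, so a scanner only has to connect to each port and read. To keep the example self-contained and offline, it starts a throwaway localhost listener that plays the part of an sshd moved to an OS-chosen high port (FAKE_BANNER, serve_banner and the port window are constructed stand-ins, not a real host), then scans a window of ports around it without being told the number.

```python
import socket
import threading

# Constructed banner for the local stand-in listener: same shape as the
# OpenSSH 3.4p1 banner in the telnet session above, not captured from a live host.
FAKE_BANNER = b"SSH-1.99-OpenSSH_3.4p1c\r\n"


def serve_banner(banner, port=0):
    """Start a throwaway localhost TCP listener (a hypothetical sshd on an
    'obscure' port) that greets every client with `banner` and hangs up.
    Returns (bound_port, stop_event); set the event to shut it down."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))          # port=0 lets the OS pick a high port
    srv.listen(5)
    srv.settimeout(0.2)                    # so the accept loop can notice stop
    stop = threading.Event()

    def loop():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                conn.sendall(banner)       # sshd volunteers its banner unprompted
        srv.close()

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1], stop


def grab_banner(host, port, timeout=0.5):
    """Connect and read whatever the service says first (what the telnet in the
    post did by hand). Closed port or silent service -> b''."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            return s.recv(256)
    except (OSError, socket.timeout):
        return b""


def parse_ssh_banner(data):
    """Parse an SSH identification string, 'SSH-protoversion-softwareversion
    [comments]' per RFC 4253 section 4.2. Returns {'proto', 'software'} or
    None when the bytes are not an SSH banner."""
    first_line = data.split(b"\n", 1)[0].rstrip(b"\r")
    if not first_line.startswith(b"SSH-"):
        return None
    fields = first_line.decode("ascii", "replace").split("-", 2)
    if len(fields) != 3:
        return None
    software = fields[2].split(" ", 1)[0]  # drop the optional comments field
    return {"proto": fields[1], "software": software}


def find_ssh(host, ports, timeout=0.5):
    """Scan `ports`; return [(port, banner_info)] for every port that speaks
    SSH, whatever number it sits on."""
    hits = []
    for p in ports:
        info = parse_ssh_banner(grab_banner(host, p, timeout))
        if info is not None:
            hits.append((p, info))
    return hits


def demo(window=5):
    """Run the stand-in sshd on an OS-chosen high port, then scan a small
    window of ports around it without knowing the number. Returns (port, hits)."""
    port, stop = serve_banner(FAKE_BANNER)
    try:
        hits = find_ssh("127.0.0.1", range(max(1, port - window), port + window + 1))
    finally:
        stop.set()
    return port, hits


if __name__ == "__main__":
    port, hits = demo()
    for p, info in hits:
        print(f"port {p}: SSH {info['proto']} {info['software']}")
```

Against a real target the same loop over range(1, 65536) is what a scanner does; at a few hundred connects per second the "obscure" port falls out in minutes, and the software field hands the attacker the version to match against exploits. Note that parse_ssh_banner keys on the banner, not the port, so relocating the daemon changes nothing the scanner relies on.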