North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: a record?

  • From: Alexei Roudnev
  • Date: Sun Nov 20 01:37:42 2005

Security by obscurity eliminates all (100%) of this automated scans and
automated attacks. So, having SSH on port 63023 (for example)  and seen
probes, you can be 100% sure that someone have SPECIFIC interest in your
site, and so you can spend time and investigate, what he is looking for (by,
for example, allowing to break into sandbox). It is impossible with port 22,
because 99.9% of this _attempts_ will be just _blind search attempts_, so
you will not be able to concentrate on _really dangerous_ specific interest
to your (because if I want to break into your site, and if I am serious,
then it is only matter of time when I succeed - for example, I can use
insiders, janitors, faked messages etc... so it is quite important of see
such attacks from beginning, in clear field, and to prevent them by
non-technical methods in addition to technical ones).

It is like 'NO TRESPASSING' sign on your private road - having this sign,
you can be (relatively) sure, that if you see intruder, he is (1) burglar,
(2) someone who lost in space and want to ask _where I am_, (3) FedEXP
delivery guy, but not just _strolling around one without any goal_. It is
first line selection, which is quite important because it decrease number of
events in thousands times.

Of course, this is only SIGN. Add good fence, rifle etc (castle, water
channel, draw bridge, knights -:)) if you have something which bad guys are
interested in. But post NO TRESPASSIGN first of all.

----- Original Message ----- 
From: "Suresh Ramasubramanian" <[email protected]>
To: "Alexei Roudnev" <[email protected]>
Cc: "Patrick W. Gilmore" <[email protected]>; <[email protected]>
Sent: Saturday, November 19, 2005 7:02 PM
Subject: Re: a record?

On 11/20/05, Alexei Roudnev <[email protected]> wrote:
> Other approach exists as well - SecureID on firewall. Login to firewall,
> authenticate, and have dynamic access list which opens ssh for you (and
> still keep ssh on port != 22).

Or VPN in, or set up a tunnel of some sort.  Have ssh available over
the tunneled interface.  Yup, lots of options available.

Though, if you have a secure ssh and reasonable control of your
passwords it is probably safe to leave it at port 22 rather than
resorting to security by obscurity measures like running it on a
higher number port or (as at least one webhost does) running it on
443, with some kind of shim listening on that port, intercepting
requests to it and redirecting them to apache or sshd as appropriate.