North American Network Operators Group


Re: a record?

  • From: Patrick W. Gilmore
  • Date: Sun Nov 20 10:47:13 2005

On Nov 20, 2005, at 6:17 AM, Elmar K. Bins wrote:

>> Unfortunately, we now have decades of experience in cybersecurity that
>> this isn't true. It appears to work for a while, but on the Internet
>> bears are always hungry and learn. There are people actively scanning
>> for any open ports running any protocol, without a SPECIFIC interest in
>> your computer.
>
> Funnily, I see many many more scanning attempts for the same port (or
> handful of ports) across entire networks than the other way around.
>
> And as stated before: If somebody scans 63023, he has interest in your
> site and is worth the effort of doing something about it. That's the
> whole point in changing the port.
>
> Changing the port is not making the system more secure, it only filters
> out passers-by.
I'm going to repeat what Sean said, because you clearly didn't read what he said:

"There are people actively scanning for any open ports running any protocol, without a SPECIFIC interest in your computer."

Allow me to re-state again in slightly different language so you understand this time:

Changing your port may (will?) lower the number of automated scans you see hitting your daemon, but it will _NOT_ eliminate them. IOW: Just because someone is probing for an SSH daemon on 65K ports against your box does _NOT_ mean he has a specific interest in your box.

If you honestly believe that just 'cause someone tried "ssh -p 63xxx $YOUR.BOX" it means he is specifically targeting your box, well, that is your prerogative. You are almost certain to be wrong at least part of the time, though.

--
TTFN,
patrick
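The two scan shapes argued over in this thread can be told apart from ordinary firewall deny logs: a "horizontal" sweep (one port across many hosts, the pattern Elmar says he sees most) versus a "vertical" sweep (many ports against one host, the "65K ports against your box" case Patrick describes), with anything else left as an isolated probe. The following classifier is an added example, not code from the thread or from NANOG. It assumes an iptables-style `DROP ... SRC= DST= PROTO= DPT=` line format, and the addresses, timestamps and thresholds are constructed for the example.

```python
"""Classify port-scan patterns from firewall deny logs (added example).

Distinguishes horizontal sweeps (one port, many hosts) from vertical
sweeps (many ports, one host), then answers the thread's question:
of the sources that touched a relocated port such as 63023, which were
scanning everything anyway and which touched only that port?
"""
import re
from collections import defaultdict

# Constructed sample of iptables-style deny lines (hypothetical hosts).
SAMPLE_LOG = """\
Nov 20 10:01:01 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP DPT=22
Nov 20 10:01:02 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=198.51.100.11 PROTO=TCP DPT=22
Nov 20 10:01:03 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=198.51.100.12 PROTO=TCP DPT=22
Nov 20 10:01:04 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=198.51.100.13 PROTO=TCP DPT=22
Nov 20 10:05:00 fw kernel: DROP IN=eth0 SRC=203.0.113.77 DST=198.51.100.10 PROTO=TCP DPT=22
Nov 20 10:05:00 fw kernel: DROP IN=eth0 SRC=203.0.113.77 DST=198.51.100.10 PROTO=TCP DPT=80
Nov 20 10:05:01 fw kernel: DROP IN=eth0 SRC=203.0.113.77 DST=198.51.100.10 PROTO=TCP DPT=443
Nov 20 10:05:01 fw kernel: DROP IN=eth0 SRC=203.0.113.77 DST=198.51.100.10 PROTO=TCP DPT=8022
Nov 20 10:05:02 fw kernel: DROP IN=eth0 SRC=203.0.113.77 DST=198.51.100.10 PROTO=TCP DPT=63023
Nov 20 10:09:30 fw kernel: DROP IN=eth0 SRC=203.0.113.200 DST=198.51.100.10 PROTO=TCP DPT=63023
Nov 20 10:10:00 fw kernel: DROP IN=eth0 SRC=203.0.113.200 DST=198.51.100.10 PROTO=UDP DPT=53
"""

LINE_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) DPT=(?P<dpt>\d+)"
)


def parse(log_text):
    """Extract (src, dst, dport) for TCP deny lines; other lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m["proto"] == "TCP":
            events.append((m["src"], m["dst"], int(m["dpt"])))
    return events


def classify(events, horiz_min=3, vert_min=3):
    """Label each source as a horizontal sweep, vertical sweep, mixed, or
    isolated probe. Thresholds are the minimum distinct hosts per port
    (horizontal) or distinct ports per host (vertical) to count as a sweep."""
    hosts_per_port = defaultdict(lambda: defaultdict(set))  # src -> port -> {dst}
    ports_per_host = defaultdict(lambda: defaultdict(set))  # src -> dst -> {port}
    for src, dst, dpt in events:
        hosts_per_port[src][dpt].add(dst)
        ports_per_host[src][dst].add(dpt)

    result = {}
    for src in hosts_per_port:
        horizontal = {p: len(h) for p, h in hosts_per_port[src].items() if len(h) >= horiz_min}
        vertical = {d: len(p) for d, p in ports_per_host[src].items() if len(p) >= vert_min}
        if horizontal and vertical:
            kind = "mixed sweep"
        elif horizontal:
            kind = "horizontal sweep"
        elif vertical:
            kind = "vertical sweep"
        else:
            kind = "isolated probe"
        result[src] = {"kind": kind, "horizontal": horizontal, "vertical": vertical}
    return result


def who_hit(events, classes, port):
    """For one destination port (e.g. a relocated SSH port), map each source
    that touched it to that source's overall scan pattern."""
    srcs = {src for src, _, dpt in events if dpt == port}
    return {s: classes[s]["kind"] for s in sorted(srcs)}


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    cls = classify(evs)
    for src, info in cls.items():
        print(src, info["kind"])
    print("sources that touched 63023:", who_hit(evs, cls, 63023))
```

On the sample, 203.0.113.5 is a horizontal sweep of port 22, 203.0.113.77 walked five ports on one host and reached 63023 along the way, and 203.0.113.200 touched only 63023. Only the last of these is the case where the thread's "he has interest in your site" reading is even plausible; the vertical sweeper hit the relocated port without any specific interest, which is exactly the distinction Patrick draws.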