[Tfug] Stopping repeated login attempts

Bexley Hall bexley401 at yahoo.com
Wed Jan 27 22:02:54 MST 2010


Hi Glen,

> > > > Moving SSH to another port would be like moving the door on 
> > > > your house to prevent burglars from kicking it in.
> > > 
> > > Sure but I don't know many houses that have ~65000 doors =) 
> > > don't think that is a fair comparison =)
> > 
> > OTOH, you probably don't know many burglars who can
> > kick 1000 doors per second!  ;-)
> 
> You are correct that choosing a non-standard port does not offer 
> any real security. But if you understand that moving SSH to
> another port is akin to hiding the door and does not actually 
> increase security, then I think it is a useful component of
> a security policy.

I wouldn't trust that sort of approach to protect any of *my*
systems.  You're assuming all threats are from "unknowns".

> For low profile individuals/organizations, having hidden doors 
> can prevent many if not most break-ins simply because nobody is 
> looking for them.

Do you know that for sure?  If *I* were designing an attack strategy
(ignoring Windows hosts), I would look for *any* of the well known 
services on a host -- starting with the least complex (ICMP) and
progressing "upward".  I.e., if I get an answer to a ping, then
I know there's a machine there.  If I get an answer to an FTP,
now I know this is a bit more "service rich" machine.  If I get
an answer to a DNS query, HTTP, etc.  Each service that I find
suggests the presence of even *more* services.  I.e., why go looking
for some other host when I've got one in the crosshairs that looks
like it is likely to have even *more* services.

If my eventual attack is based on SSH, then I would start scanning
all ports -- beginning with the reserved ports and working up -- to
see if there's any joy to be found.

Note that Louis commented on how quickly some *other* IP address
found his moved port (granted, he's already poked his head up
and attracted attention).

Security by obscurity is no security.

> On the other hand, a high profile target will get very
> little use out of such measures.

OTOOH, it may be foolish wasting time on a high profile target
as they probably would have institutionalized security (instead
of someone running a server out of their basement).

> 
> -- 
> Glen 
> 
> 