Re: Some new SSH exploit script?

From: Phil Frederick (flosofl@gmail.com)
Date: Mon Jun 05 2006 - 14:03:51 EDT


"I beg to differ with you -- running a standard service on a non-standard
port is a bid for security through obscurity."

You know I see people accepting this as gospel all the time. The
origin of this was referring to cryptographic systems - specifically
algorithms. If your algorithm required it to be secret, you most
likely had/have a weak enciphering system. It does not refer to
changing default ports, hiding services, squelching certain types of
ICMP traffic, etc... If you accept this as true, you probably don't
change the name of the admin account on MS systems from
"Administrator" to something else.

Applying stealth and obfuscation to enhance security is no problem as
long as that is not the primary line of defense. There is not one
thing wrong with this. It is simply one more layer of mitigating
controls to be used *in addition* to those you outlined (which was
good advice, by the way).

Changing a port to a non-standard one is a perfectly reasonable
action. But, that should not be the only mitigation you put in place.
A simple discovery scan will easily find SSH running on port whatever
thanks to the banner text. However, it will probably reduce the
number of script-kiddies trying SSH scripts by a significant amount.

Personally, I don't change ports because of the sheer size of the
company I'm at (100K+ employees). The logistics involved to inform
everyone who would need to know would be a nightmare. If this was a
smaller company (say less than 200 needed SSH access) I would probably
consider port changing as one of many controls being used.

To the original question: I am unaware of a new exploit script for SSH,
but it has been a few weeks since I've haunted any of the IRC trading
grounds. It is very possible something new is making the rounds
(although I've noticed no increase in activity on my Firewall/IDS
logs).

On 6/5/06, Michael Sierchio <kudzu@tenebras.com> wrote:
> shane@aplv.com wrote:
> > I agree with Morning Wood 100% .... Running sshd on port 22 anymore in
> > this day
> > and age is really not a smart decision, ...
>
> I beg to differ with you -- running a standard service on a non-standard
> port is a bid for security through obscurity.
>
> Things that might be useful:
>
> Use auth methods that are sufficiently strong (pubkey only,
> PAMified OPIE or S/Key, etc.)
>
> Authenticated firewall traversal for protected services
>
> Tarpit connections from bad actors

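As an added example that is not part of the thread: the kind of check a defender would run over sshd logs to see whether SSH brute-force scripts are hitting a host, regardless of which port the daemon listens on. It parses syslog-style "Failed password" lines and flags sources with many failures spread across many usernames; all hostnames, IPs and log lines below are constructed.

```python
import re
from collections import defaultdict

# Constructed sample sshd syslog lines (not real data); one source is
# cycling through usernames the way an automated SSH script does.
SAMPLE_LOG = """\
Jun  5 13:58:01 bastion sshd[4120]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jun  5 13:58:03 bastion sshd[4122]: Failed password for invalid user test from 203.0.113.7 port 51030 ssh2
Jun  5 13:58:04 bastion sshd[4125]: Failed password for root from 203.0.113.7 port 51041 ssh2
Jun  5 13:58:06 bastion sshd[4127]: Failed password for invalid user oracle from 203.0.113.7 port 51055 ssh2
Jun  5 13:58:09 bastion sshd[4130]: Failed password for invalid user guest from 203.0.113.7 port 51063 ssh2
Jun  5 14:01:17 bastion sshd[4141]: Failed password for pfrederick from 198.51.100.23 port 40112 ssh2
Jun  5 14:01:25 bastion sshd[4141]: Accepted publickey for pfrederick from 198.51.100.23 port 40112 ssh2
Jun  5 14:02:00 bastion sshd[4150]: Failed password for invalid user www from 192.0.2.44 port 33012 ssh2
"""

# Matches OpenSSH's failed password-auth message; "invalid user" is present
# when the account does not exist on the host.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def failed_logins_by_source(log_text):
    """Return {source_ip: [usernames tried]} for failed password attempts."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            attempts[m.group("src")].append(m.group("user"))
    return attempts


def flag_brute_force(log_text, threshold=4, min_distinct_users=3):
    """Flag sources whose failure count and username spread look scripted.

    A single user mistyping a password several times is not flagged; a
    source trying many different accounts in quick succession is.
    """
    flagged = {}
    for src, users in failed_logins_by_source(log_text).items():
        distinct = sorted(set(users))
        if len(users) >= threshold and len(distinct) >= min_distinct_users:
            flagged[src] = {"attempts": len(users), "users": distinct}
    return flagged


if __name__ == "__main__":
    for src, info in flag_brute_force(SAMPLE_LOG).items():
        print(f"{src}: {info['attempts']} failures, users tried: {', '.join(info['users'])}")
```

The thresholds are assumptions to tune per site; a legitimate user locked out of one account looks nothing like a source walking a username list.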

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:56:02 EDT