On Tuesday 03 January 2012 07:57:47 Les Mikesell wrote:
On Tue, Jan 3, 2012 at 4:28 AM, Bennett Haselton bennett@peacefire.org wrote:
But assuming the attacker is targeting my production system, suppose they find a vulnerability and obtain the ability to run commands as root on the system. Then wouldn't their first action be to remove restrictions on where you can log in from? (Or, they could just continue to run root commands using whatever trick they'd discovered?)
No, they'd probably replace your ssh binary with one that makes a hidden outbound connection to their own control center. And replace netstat with one that doesn't show that connection. If anyone has ever gotten root access, all other bets are off - those tools are a dime a dozen.
Those kind of things can be detected with SHA512 (for example)
Yes, but the argument for "security over obscurity" is that the "secret" should reside in something that cannot be obtained even in trillions of trillions of guesses (i.e. a strong password), not in something that could be obtained in a few dozen or a few thousand guesses (i.e. finding OpenVPN listening on a given port). The reason being is that if something is obtainable in a few thousand guesses, then it will create the illusion of being unguessable, but an attacker could still get it.
Openvpn runs over UDP. With the tls-auth option it won't respond to an unsigned packet. So without the key you can't tell the difference between a listening openvpn or a firewall that drops packets silently. That is, you can't 'find' it.
We are not going to argue drop vs reject, are we? :P
Unfortunately it may not be possible to tell that a particular safeguard ever actually "worked" or made a difference. How could you ever know, for example, that an attacker was stopped because you used an ssh key instead of a 12-character truly random password?
If you look at your logs under normal conditions, you'll know if someone has tried and failed a password login. After someone has gotten in, it may be too late because they can destroy the evidence. Logging remotely to a more protected machine can help a bit.
Remote syslog? that way they'll have to hack into two different machines...
Regards