mouss wrote:
> Les Bell wrote:
>> mouss <mouss at netoyen.net> wrote:
>> >>
>> If you consider this security through obscurity, then why not publish
>> the list of your users on a public web page? After all, you should use
>> strong passwords, so why hide usernames?
>> <<
>>
>> Usernames are comparatively hard to guess, and chosen from a large space -
>> although email addresses often provide a huge clue. By contrast, there are
>> only 64K port numbers (and only 1K privileged ports, all of which will be
>> scanned by default with nmap) - and to make it worse, the attacker only has
>> to telnet or nc to a port and sshd will obligingly send back its version
>> number and protocol version info as plaintext. So, the added "obscurity" is
>> effectively zero.
>>
>
> Zero? No. On all the boxes where I changed the port, I noticed 0 login
> attempts (in ssh logs). Before that, the boxes were under continuous
> attacks (the last box that was installed was probed one second after it
> was connected! After the port change, nothing in ssh logs). Call this
> zero if you want.
>
> I do understand that changing the port does not bring real security. But
> it avoids silly malware probes. An attacker needs to find the port among
> say 30K possible ports. If he uses one host, he will trigger alarms
> before he gets a chance to see the banner. That rids us of such
> attempts, and gives more time to focus on real miscreants with more power.

No _one_ technique will bring security. Good security is layered. Everything you do to make it more difficult to break into your system is adding security. The real question is: how much security do _you_ need to protect your system?

>
>> And it does nothing for the
>> stress level, since the serious adversary will see through your
>> non-standard port number in seconds.

The serious adversary will use his multi-million host bot-net and do 1 of 2 things: prevent you from using your system or break into it... so why bother?
> Sure, but he needs to use multiple hosts, as otherwise he will be
> detected. I've not yet seen a "distributed" dictionary attack (I mean:
> using N machines against a single target). I guess there are enough
> Windows targets that they leave them in peace for now ;-p

By the time you see it, it will have happened.

--
Milton Calnek BSc, A/Slt(Ret.)
milton at calnek.com
306-717-8737
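As an added example (not part of this thread), a defender's take on the "one host trips alarms, N hosts do not" point: a small Python parser over constructed OpenSSH auth-log lines that counts failed password attempts per source, flags sources that would trip a per-host threshold, and reports the aggregate that a dictionary attack spread over many hosts only reveals. The log lines, addresses and the threshold of 5 are constructed assumptions, not data from the list.

```python
import re
from collections import Counter, defaultdict

# Matches OpenSSH "Failed password" lines as sshd writes them to syslog
# (auth.log / secure). "invalid user" appears when the account does not exist.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2"
)

# Constructed sample: one noisy host hammering several accounts in seconds,
# then four different hosts each trying root once, then a normal key login.
SAMPLE_LOG = """\
Mar  3 10:01:02 host sshd[2104]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 10:01:03 host sshd[2104]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Mar  3 10:01:04 host sshd[2106]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar  3 10:01:05 host sshd[2108]: Failed password for invalid user test from 203.0.113.7 port 51025 ssh2
Mar  3 10:01:06 host sshd[2110]: Failed password for invalid user oracle from 203.0.113.7 port 51026 ssh2
Mar  3 10:05:10 host sshd[2120]: Failed password for root from 198.51.100.1 port 40001 ssh2
Mar  3 10:06:11 host sshd[2122]: Failed password for root from 198.51.100.2 port 40002 ssh2
Mar  3 10:07:12 host sshd[2124]: Failed password for root from 198.51.100.3 port 40003 ssh2
Mar  3 10:08:13 host sshd[2126]: Failed password for root from 198.51.100.4 port 40004 ssh2
Mar  3 10:09:14 host sshd[2128]: Accepted publickey for alice from 192.0.2.10 port 50500 ssh2
"""

def failed_attempts(log_text):
    """Return {source_ip: Counter({username: attempts})} for failed password logins."""
    per_ip = defaultdict(Counter)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            per_ip[m.group("ip")][m.group("user")] += 1
    return per_ip

def classify(log_text, per_host_threshold=5):
    """Split sources into 'noisy' (would trip a per-host alarm, as in the thread)
    and 'quiet' (stay below it). A distributed attack shows up only in the
    aggregate of the quiet sources, so that total is reported per target user."""
    per_ip = failed_attempts(log_text)
    totals = {ip: sum(c.values()) for ip, c in per_ip.items()}
    noisy = {ip: n for ip, n in totals.items() if n >= per_host_threshold}
    quiet = {ip: n for ip, n in totals.items() if n < per_host_threshold}
    by_user = Counter()                      # same account hit from many quiet hosts
    for ip in quiet:
        by_user.update(per_ip[ip])
    return {"noisy": noisy, "quiet": quiet,
            "quiet_total": sum(quiet.values()), "quiet_by_user": dict(by_user)}

if __name__ == "__main__":
    print(classify(SAMPLE_LOG))
```

Run against a real auth.log the quiet-source aggregate is the number to alert on, since the per-host threshold alone is exactly what a multi-host attacker stays under.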