[CentOS] One approach to dealing with SSH brute force attacks.
Warren Young
warren at etr-usa.comThu Jan 31 21:17:32 UTC 2008
- Previous message: [CentOS] One approach to dealing with SSH brute force attacks.
- Next message: [CentOS] adaptec 2100S drivers
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
James B. Byrne wrote: > > I am not a fan of security through obscurity. You're diluting a useful phrase. It originally referred to practices where obscurity was the _only_ source of security. As soon as you saw through the obscurity, there was no security. Of course, this means that there was no real security to begin with. Hiding telnet by changing its listening port would be security through obscurity. Changing ssh's service port is not at all the same thing. If you get past this bit of obscurity, security remains. To employ another popular phrase, it's defense in depth. The more walls you can throw up, the less stress on the final wall that stops the attack. If you don't like those arguments, the CPU usage difference should matter to you. Your system can reject (or ignore) a connection to an unused port with a lot less CPU power than it takes to reject a login attempt, especially to a cryptographically protected service. And, the post that started this says there's a 96% chance that the port rejection runs the attacker off completely, whereas a password rejection just invites another attempt. So, one TCP RST packet vs. several thousand login attempts. Which would you rather allocate CPU resources for?
- Previous message: [CentOS] One approach to dealing with SSH brute force attacks.
- Next message: [CentOS] adaptec 2100S drivers
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
More information about the CentOS mailing list