on 7-22-2008 2:45 PM Les Bell spake the following:
> "David Dyer-Bennet" <dd-b at dd-b.net> wrote:
> >
> Yes, but if there are *any* ports exposed, seems like those are equally
> possible.
> <<
>
> Sort of. Changing the port used by sshd stops the completely clueless
> script kiddies, since they don't even bother looking at anything other than
> port 22. Putting it way up high, among the ephemeral ports, will slow down
> the slightly more clueful who perform nmap scans, since nmap only scans
> around 1500 ports by default, and if sshd isn't running on one of those,
> they won't spot it.
>
> However, it won't deter the intelligent or curious attacker; these guys
> will scan all ports (slowly, so you may not even notice them) and they will
> use banner enumeration to identify the services, rather than assuming.
>
> Moving sshd to a non-standard port is one of the worst examples of relying
> on security by obscurity. Its only advantage is that it cuts out some noise
> in the logs, but proper precautions do that as well, without lulling you
> into a false sense of security. Rate limiting, combined with enforcement of
> really strong passwords, or even better, public/private key authentication,
> is real security.
>
> A useful additional layer of defence, if you want it, is a daemon that will
> watch for port scans on the simple services ports and immediately insert a
> firewall rule to block that source - such as the old PortSentry, if you can
> find it, or some more modern equivalent. Of course, this won't do much to
> defend against some types of stealthy scans, such as idle time scans.
>

Portsentry is still available on sourceforge I believe. But who knows if it
will still work or even compile. It was written back in the 2.2 kernel days.

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!