[CentOS] security by obscurity [was: CentOS VPN server for iPhone]

Thu Mar 26 23:43:17 UTC 2009
Robert Moskowitz <rgm at htt-consult.com>

Let me introduce myself:

Robert Moskowitz, ICSAlabs, an Independent Division of Verizon Business 
Systems.

Security IS my business and I am a bit of a 'maverick' even in the labs 
on my positions. ICSAlabs is the company that certifies products: 
Firewalls, malware, IDS, IPsec, SSLvpn, etc.

Florin Andrei wrote:
> Joseph L. Casale wrote:
>   
>>> The non-standard port is a good trick,
>>>       
>> Here's just an opinion: Security by obscurity only
>> makes >you< feel good, it does nothing in reality.
>> Anyone sufficiently talented to hack a service in
>> order to gain root or do something useful would not
>> be fooled by that. Set whatever you're doing up right
>> so that any false sense of security is not deemed
>> necessary.
>>     
>
> I've seen this before - when the non-standard port trick is mentioned, 
> somebody usually gets up and goes "it's security by obscurity! it does 
> nothing to protect you! it only gives you the fuzzies!"
>
> I think that's a nice example of pervasive fallacious binary thinking, 
> combined with an old tired slogan that by all rights should be dead by now.
>   

Binary thinking will get you 0wned in security. Defense in depth and 
raising the bar.

> First off, it doesn't do "nothing". It does make things a bit harder 
> for the attacker. Not much, but it's not zero either. It does eliminate 
> a whole class of attacks actually - the mass scanbots or the most 
> moronic script kiddies, which by the way represent the highest volume of 
> malicious traffic on almost any public network. If I can do something to 
> avoid getting 0wned by a pimple-face armed with a zero-day exploit and a 
> bunch of bots scanning the Internet for standard ports, by all means 
> I'll do it. I can't do this for a public server, which by definition 
> must stand out in the clear; but for private-use stuff, why not if it's 
> not too cumbersome for me? All I need is buy myself 24 hours of respite, 
> until I get the patch, and the non-standard port may well do that for 
> me. Or not. It's a gamble, yes, like everything else in the real world.
>   

Just moving SSH to a high port will stop a lot of traffic coming in on 
your DSL/cable link. When the bots find port 22, they start pounding. 
They don't portscan (at least not today), there are too many 
opportunities at port 22 for them. This is one of the first steps I do 
whenever I build a Linux system. It also cuts down on logging of all of 
those failed logins that end up in your nightly cron report.

Then I DO set up rate limiting using shorewall, but this does not help 
me much with IPv6 SSH on CentOS...

> Secondly, nobody said that was the only line of defense. I do use other 
> mechanisms as well. That's how security works, by wrapping your stuff in 
> several layers of protection. You deploy several different measures, 
> working in various ways, and hope they cover each other's holes.
>   

Rate limiting on some services is another tool. Look for what makes 
sense for you and look at your total picture. Perhaps you only have one 
system that you tunnel into that gives you access to all others. So that 
one system is really hardened. The others are not neglected, but 
perhaps don't need the same level of protection.

Yes, make things obscure as one of the first steps and go from there.

> Lastly, there is *absolutely no security measure* that is perfect. By 
> the same token, we should not use firewalls, because they can be 
> circumvented by people who are skilled enough, nor use passwords, 
> because they can be guessed or brute-forced. And so on.
>
> If a security measure doesn't make things too hard for the user and/or 
> for the administrator (and in this case it doesn't, myself being one of 
> the very few users and the sole admin), and it's not too expensive, then 
> it should probably be used. It's one more peel added to the security 
> "onion" and it's a plus, not a minus or a zero.
>
> Ironically, exactly the people claiming to give security "advice" by 
> saying this measure or another "does nothing in reality" because it's 
> "security by obscurity", it's them who, in my view, show they don't 
> really understand what security actually is. Brandishing a bunch of 
> slogans does not equate with being knowledgeable in this field. 
> Technical skills, experience, and a measure of realism and common sense 
> are required instead.
>   

What is the threat?
What is your risk?
What is the cost?

If any of those is zero, the product is zero. (per Dr. Peter Tippett, my 
boss).

> You may want to read about the various cryptographic algorithms - they 
> work, in essence, by "obscuring" the cleartext. The patterns are still 
> there, they are just made hard to distinguish from the pseudo-noise by 
> the algorithm - the better the crypto, the fainter the patterns. That's 
> how some ciphertext-only attacks work, by looking for evanescent 
> patterns in the sea of seeming randomness.
> It's a scary thought if you spend time considering it, but in practice 
> strong crypto does work to some extent. But if it's just "security by 
> obscurity" should we not use crypto either?
>   

Now you are playing with semantics. IMHO.

> Yes, "security by obscurity" is useless when it's alone, but it can be 
> good if used appropriately and combined with various other measures. We 
> should put this slogan to rest by now, it's 2009 already. Sheesh.

And next year is the last that NIST says we can use SHA-1...

The END is near, the sky is falling.

:) Too much IETF discuss time. But boy did it feel good. Like the drug 
it is.