[CentOS] duqu

Wed Dec 7 12:07:33 UTC 2011
Lamar Owen <lowen at pari.edu>

On Tuesday, December 06, 2011 08:06:55 PM James A. Peltier wrote:
> [Changing the port #] is completely and utterly retarded.  You have done *NOTHING* to secure SSH by doing this.  You have instead made it only slightly, and I mean ever so slightly, more secure.  A simple port scan of your network would find it within seconds and start to utilize it.

Simple port scans don't scan all 65,536 possible port numbers; those scans are a bit too easy for IDS detection and mitigation.  Most scans only scan common ports; the ssh brute-forcer I found in the wild only scanned port 22; if it wasn't open, it went on to the next IP address.

Unusual port numbers, port knocking, and similar techniques obfuscate things enough to eliminate the 'honest' script-kiddie (that is, the one that doesn't know any more that what the log of the brute-forcer I found showed, that the kiddie was going by a rote script, including trying to download and install a *windows 2000 service pack* on the Linux server in question).  This will cut down the IDS noise, that's for sure.  And cutting down the information overload for the one tasked with reading those logs is important.

Of course, it could be argued that if you have port 22 open and you get those kiddies, you can block all access from those addresses with something like fail2ban (and pipe into your border router's ACL, if that ACL table has enough entries available.....).

> A basic qualification to operate a computer would also be nice.  Sad thing is, there is no such thing.

Microsoft has proposed such... of course, the prerequisites would likely include  running the latest Windows....

If you get an 'Internet driver's license' you then have to have a licensing authority, and any time you get that sort of thing involved.... well, you can imagine how it could pan out.