[CentOS] duqu

Wed Dec 7 14:17:24 UTC 2011
Stephen Harris <lists at spuddy.org>

On Wed, Dec 07, 2011 at 07:07:33AM -0500, Lamar Owen wrote:
> On Tuesday, December 06, 2011 08:06:55 PM James A. Peltier wrote:
> > [Changing the port #] is completely and utterly retarded.  You have
> done *NOTHING* to secure SSH by doing this.  You have instead made it
> only slightly, and I mean ever so slightly, more secure.  A simple port
> scan of your network would find it within seconds and start to utilize it.
> Simple port scans don't scan all 65,536 possible port numbers; those
> scans are a bit too easy for IDS detection and mitigation.  Most scans
> only scan common ports; the ssh brute-forcer I found in the wild only
> scanned port 22; if it wasn't open, it went on to the next IP address.

In theory James is correct.  In practice Lamar appears to be.  About a
year back I changed my ssh port and have not since seen password hack
attempts, so the port scanners are definitely not pervasively scanning
all ports.  (Not that they'd have logged in; but it was causing noise
and annoyance in the logs)

Now the same wouldn't be true if I was managing firewalls for Chase or
Bank Of America or Citi or HSBC; you can be sure that they're being 
scanned on all ports and better not have external ssh connections open
to the world!