[CentOS] duqu

Wed Dec 7 15:04:59 UTC 2011
Johnny Hughes <johnny at centos.org>

On 12/07/2011 08:17 AM, Stephen Harris wrote:
> On Wed, Dec 07, 2011 at 07:07:33AM -0500, Lamar Owen wrote:
>> On Tuesday, December 06, 2011 08:06:55 PM James A. Peltier wrote:
>>> [Changing the port #] is completely and utterly retarded.  You have
>>> done *NOTHING* to secure SSH by doing this.  You have instead made it
>>> only slightly, and I mean ever so slightly, more secure.  A simple port
>>> scan of your network would find it within seconds and start to utilize it.
>> Simple port scans don't scan all 65,536 possible port numbers; those
>> scans are a bit too easy for IDS detection and mitigation.  Most scans
>> only scan common ports; the ssh brute-forcer I found in the wild only
>> scanned port 22; if it wasn't open, it went on to the next IP address.
> In theory James is correct.  In practice Lamar appears to be.  About a
> year back I changed my ssh port and have not since seen password hack
> attempts, so the port scanners are definitely not pervasively scanning
> all ports.  (Not that they'd have logged in; but it was causing noise
> and annoyance in the logs)
> Now the same wouldn't be true if I was managing firewalls for Chase or
> Bank Of America or Citi or HSBC; you can be sure that they're being 
> scanned on all ports and better not have external ssh connections open
> to the world!

Right ... they need a reason to look somewhere else.  If they
specifically wanted that machine, they would scan all ports.  If they
are drive-by script kiddies, then if it is not on port 22 that will cut
down significantly on the drive-bys.

Lots of times, they look for a port 22 open to back later, etc.

So, Lamar is correct.  It does not do anything to prevent a determined
attack ... but it does greatly reduce the chance someone will randomly
pick your machine for an attack.
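The thread's practical argument is about log noise: password-guessing bots hitting port 22 fill the auth log with failed logins whether or not they could ever succeed. As an added example that is not part of this thread or of CentOS, the following Python script parses sshd log lines (constructed sample lines in the OpenSSH syslog format, not taken from the list) and counts failed password attempts per source address so that the noisy sources stand out. The log lines, the threshold of 3 and the host name are assumptions for the illustration.

```python
import re
from collections import Counter

# Constructed sample sshd log lines in the usual syslog format (not from the thread).
SAMPLE_AUTH_LOG = """\
Dec  7 14:59:01 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Dec  7 14:59:03 host sshd[1236]: Failed password for root from 203.0.113.5 port 51240 ssh2
Dec  7 14:59:05 host sshd[1238]: Failed password for invalid user test from 203.0.113.5 port 51244 ssh2
Dec  7 14:59:10 host sshd[1240]: Accepted publickey for lamar from 198.51.100.7 port 40000 ssh2
Dec  7 15:00:00 host sshd[1250]: Failed password for invalid user oracle from 192.0.2.9 port 33000 ssh2
Dec  7 15:00:02 host sshd[1252]: Invalid user postgres from 192.0.2.9 port 33004
"""

# Matches the "Failed password" line sshd writes for a rejected password, with or
# without the "invalid user" prefix; group 1 is the user name tried, group 2 the source.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"
)


def failed_logins_by_source(log_text):
    """Return a Counter of failed password attempts keyed by source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(2)] += 1
    return counts


def usernames_tried(log_text):
    """Return the sorted set of user names that failed password auth."""
    names = set()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            names.add(m.group(1))
    return sorted(names)


def noisy_sources(counts, threshold=3):
    """Sources with at least `threshold` failures (assumed threshold for the example)."""
    return sorted(src for src, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    counts = failed_logins_by_source(SAMPLE_AUTH_LOG)
    for src, n in counts.most_common():
        print(f"{src:16} {n} failed password attempts")
    print("users tried:", ", ".join(usernames_tried(SAMPLE_AUTH_LOG)))
    print("sources over threshold:", noisy_sources(counts))
```

Run against a real `/var/log/secure` the same counters show whether moving the port actually removed the drive-by traffic, which is the only claim the thread makes for it; the sources that remain after the move are the ones worth a firewall rule.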
