[CentOS] duqu

Wed Dec 7 14:37:25 UTC 2011
Bowie Bailey <Bowie_Bailey at BUC.com>

On 12/7/2011 7:07 AM, Lamar Owen wrote:
> On Tuesday, December 06, 2011 08:06:55 PM James A. Peltier wrote:
>> [Changing the port #] is completely and utterly retarded.  You have done *NOTHING* to secure SSH by doing this.  You have instead made it only slightly, and I mean ever so slightly, more secure.  A simple port scan of your network would find it within seconds and start to utilize it.
> Simple port scans don't scan all 65,536 possible port numbers; those scans are a bit too easy for IDS detection and mitigation.  Most scans only scan common ports; the ssh brute-forcer I found in the wild only scanned port 22; if it wasn't open, it went on to the next IP address.
>
> Unusual port numbers, port knocking, and similar techniques obfuscate things enough to eliminate the 'honest' script-kiddie (that is, the one that doesn't know any more than what the log of the brute-forcer I found showed, that the kiddie was going by a rote script, including trying to download and install a *windows 2000 service pack* on the Linux server in question).  This will cut down the IDS noise, that's for sure.  And cutting down the information overload for the one tasked with reading those logs is important.
>
> Of course, it could be argued that if you have port 22 open and you get those kiddies, you can block all access from those addresses with something like fail2ban (and pipe into your border router's ACL, if that ACL table has enough entries available.....).

Now there's an idea.  Run your SSH server on a non-standard port and put
something on port 22 that does nothing but listen for connections and
then block any IP that tries to connect (via fail2ban or whatever).
That way the script kiddies have no chance of getting in on port 22 and
anyone who tries is now blocked on all ports or even blocked from the
entire network.

-- 
Bowie
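The decoy-on-port-22 idea from the message above, written out as an added example that is not part of the thread and not anything the posters ran: a listener that never speaks SSH, just accepts the TCP connection, writes a fail2ban-style log line naming the peer address, closes the socket, and keeps a ban list. The fail2ban filter and jail shown in the header comment are assumed names (`sshd-decoy`, `/var/log/sshd-decoy.log`), not a configuration that ships with fail2ban; `iptables-allports` is a real fail2ban ban action and gives the "blocked on all ports" effect the post describes. The demo binds an ephemeral localhost port so it runs without privileges; in real use you would bind port 22 and have fail2ban tail the log file.

```python
# Added example (not from the thread): a decoy listener for the
# "something on port 22 that does nothing but listen and then block" idea.
#
# fail2ban side (assumed file and jail names, shown only as a sketch):
#
#   /etc/fail2ban/filter.d/sshd-decoy.conf
#   [Definition]
#   failregex = sshd-decoy\[\d+\]: connection attempt from <HOST>
#
#   /etc/fail2ban/jail.local
#   [sshd-decoy]
#   enabled   = true
#   filter    = sshd-decoy
#   logpath   = /var/log/sshd-decoy.log
#   maxretry  = 1
#   banaction = iptables-allports     # block the source on every port
import re
import socket
import threading
import time
from datetime import datetime, timezone
from typing import Optional

# Same pattern the fail2ban filter above would apply, with <HOST> as a group.
FAILREGEX = re.compile(r"sshd-decoy\[\d+\]: connection attempt from (\S+)")


def log_line(port: int, ip: str, ts: Optional[datetime] = None) -> str:
    """One log record per connection attempt, in the format the filter matches."""
    ts = ts or datetime.now(timezone.utc)
    return f"{ts.isoformat()} sshd-decoy[{port}]: connection attempt from {ip}"


def parse_offender(line: str) -> Optional[str]:
    """What the fail2ban filter would extract from a log line (None if no match)."""
    m = FAILREGEX.search(line)
    return m.group(1) if m else None


class DecoyListener:
    """Listens on the decoy port, records every peer, bans after `maxretry` hits."""

    def __init__(self, host: str = "127.0.0.1", port: int = 0, maxretry: int = 1):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))      # port=0: the kernel picks a free port
        self.sock.listen(16)
        self.sock.settimeout(0.1)         # so the serve loop can notice stop()
        self.port = self.sock.getsockname()[1]
        self.maxretry = maxretry
        self.log_lines: list = []
        self.hits: dict = {}
        self.banned: set = set()
        self.lock = threading.Lock()
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self) -> None:
        self._thread.start()

    def stop(self) -> None:
        self._stop.set()
        self._thread.join()
        self.sock.close()

    def _serve(self) -> None:
        while not self._stop.is_set():
            try:
                conn, (ip, _peer_port) = self.sock.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            conn.close()                  # no banner, no handshake, nothing to brute-force
            self.record(ip)

    def record(self, ip: str) -> None:
        """Log the attempt and ban the source once it reaches maxretry."""
        with self.lock:
            self.log_lines.append(log_line(self.port, ip))
            self.hits[ip] = self.hits.get(ip, 0) + 1
            if self.hits[ip] >= self.maxretry:
                self.banned.add(ip)


def run_demo(attempts: int = 3, maxretry: int = 1):
    """Start a decoy on a free localhost port, connect `attempts` times from
    127.0.0.1 (a constructed, local stand-in for a scanner), and return
    (hits, banned, log_lines) once every attempt has been recorded."""
    decoy = DecoyListener(maxretry=maxretry)
    decoy.start()
    try:
        for _ in range(attempts):
            with socket.create_connection(("127.0.0.1", decoy.port), timeout=2):
                pass                      # connect and immediately hang up
        deadline = time.monotonic() + 5   # accept() runs in the other thread
        while time.monotonic() < deadline:
            with decoy.lock:
                if len(decoy.log_lines) >= attempts:
                    break
            time.sleep(0.05)
    finally:
        decoy.stop()
    return dict(decoy.hits), set(decoy.banned), list(decoy.log_lines)


if __name__ == "__main__":
    hits, banned, lines = run_demo()
    for line in lines:
        print(line)
    print("banned:", sorted(banned))
```

With `maxretry = 1` a single connection is enough to ban, which is the intent of the post: nothing legitimate should ever touch port 22 once the real sshd has moved. Keep the real SSH port out of the jail's log path, and whitelist your own management addresses in fail2ban's `ignoreip`, or a typo in an SSH client config will lock you out of every port.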