Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]
Groups > comp.os.linux.development.apps > #283
| Date | 2011-12-01 16:19 +0100 |
|---|---|
| From | David Brown <david@westcontrol.removethisbit.com> |
| Newsgroups | comp.os.linux.development.apps |
| Subject | Re: Security problem |
| References | (1 earlier) <cd90j8-mnq.ln1@crazy-horse.bildanet.com> <5LadnfB9uvXse_3TnZ2dnUVZ7oGdnZ2d@lyse.net> <jb7kle$7it$1@dont-email.me> <ZP6dnXFAC4ua8krTnZ2dnUVZ8h6dnZ2d@lyse.net> <87ipm0quu6.fsf@sapphire.mobileactivedefense.com> |
| Message-ID | <48CdnRF6pcCgBkrTnZ2dnUVZ7tmdnZ2d@lyse.net> (permalink) |
On 01/12/2011 14:34, Rainer Weikusat wrote: > David Brown<david@westcontrol.removethisbit.com> writes: >> On 01/12/2011 11:24, Noob wrote: >>> David Brown wrote: >>> >>>> The easiest and most effective step to limiting dictionary attacks is >>>> simply to use a non-standard port. Put your sshd on port 222 instead of >>>> 22, and no attacker will ever find it. >>> >>> Famous last words. >>> >>> Meet nmap. >> >> Worms and script kiddies go for standard ports, using common login >> names and passwords, on large ranges of IP addresses. > > Yes. And the solution to this problem is to use 'strong' passwords or > no passwords at all but key based authentication. > No, that is /part/ of the solution. There are many things that contribute to increasing the security and reducing the risk of successful attacks. Strong passwords and/or key-based authentication are only one method (though it is normally the most important method). In security, if you ever think you have found /the/ solution to something, you probably haven't. And of course when I wrote a categorical "no attacker will ever find it", it was a little tongue-in-cheek - I believe it was obvious to people following this thread at the time that this meant "it is very unlikely for an attacker to find it". >> If an IP address doesn't have an sshd on port 22, they find a >> different address that does. Why waste time on a system that is >> harder to break into when there are so many others around? > > This is a self-defeating strategy: The more people hide their keys > under the backdoor doormat instead of the frontdoor doormat, the more > likely it becomes that 'lazy burglars' will routinely check both. > And even a lazy burglar might occasionally get bored and try the other > doormat just for a change. > We are not talking about back door or front door mats. Clearly I am not suggesting that "everyone" changes their sshd port to 222 instead of 22. I am suggesting that people who want to avoid drive-by's change their port to something /other/ than 22. There about 65,000 alternatives, excluding other well-known ports that might otherwise be scanned by scripts. So instead of hiding your key under the doormat, you are hiding it under a stone on the beach. It takes time to find it - so unless the burglar has particular reason to break into exactly this particular house, he'll try elsewhere. Think of it as another password. It's a smaller key space than normal passwords, but it is big enough to be useful. And it's cheap to implement and cheaper (in bandwidth and processor time) for the server to check than a normal password (which you still have, obviously). It also makes it very easy to have triggers that block attackers entirely - set up your rules so that anyone probing port 22 gets blocked for half an hour. Anyone looking under the doormat before trying every stone in the garden thus sets off the alarms immediately. (Of course, you have to be careful there to avoid valid users triggering it by mistake.) >> Of course you don't put sshd on port 222 and then put your root >> password as "secret". But as part of a security strategy it is >> excellent for cutting out virtually all drive-by attacks, and reducing >> the noise in your logs. > > It is a minor pain-in-the-ass for users and It could be inconvenient for users, though it is not a problem for normal ssh connections. But if people are using programs that try to connect over ssh and expect standard ports, it can get messy - for example it would complicate ssh+svn URL's for subversion over ssh. It's just one tool in the toolbox - it doesn't fit all circumstances. > actually, antisocial > behaviour (at least in some theoretical sense): When you notice > 'lights on and strange noises' in your neighbour's house while he's on > holiday, you should call the police (send a complaint to the abuse > address corresponding with the IP) instead of thinking "Glad they > didn't come over here" and turn back to your TV. > The analogy has broken down long before this stage. You don't see attacks on "neighbouring" IP addresses no matter how hard you look. Or do you mean it is anti-social to make my systems hard to crack, because that makes attackers more likely to go somewhere else? > NB: I usually ignore apnic break-in attemtps altogether but I usually > try to notify someone if the compromised system used by the attacker > appears to belong to some 'generally reputable organization' (aka > university). This is not supposed to imply that 'those Chinese people > are all crooks, anyway', just a realistic assessment of the chance to > reach someone there who understand English well enough to make sense > of the mail. Certainly if I know about an attack attempt on my systems or someone else's, I'd try to help out or inform the relevant people - just like if I saw a real burglar in a neighbour house. But I don't have the resources to track down every script-kiddie and worm - I prefer that their attempts get dropped and don't even make my log files.
Back to comp.os.linux.development.apps | Previous | Next — Previous in thread | Next in thread | Find similar
Security problem jacob navia <jacob@spamsink.net> - 2011-08-31 01:29 +0200
Re: Security problem GangGreene <GangGreene@invalid.com> - 2011-08-30 19:47 -0400
Re: Security problem jacob navia <jacob@spamsink.net> - 2011-08-31 02:20 +0200
Re: Security problem David Brown <david@westcontrol.removethisbit.com> - 2011-09-02 16:19 +0200
Re: Security problem Noob <root@127.0.0.1> - 2011-12-01 11:24 +0100
Re: Security problem David Brown <david@westcontrol.removethisbit.com> - 2011-12-01 13:11 +0100
Re: Security problem Rainer Weikusat <rweikusat@mssgmbh.com> - 2011-12-01 13:34 +0000
Re: Security problem David Brown <david@westcontrol.removethisbit.com> - 2011-12-01 16:19 +0100
Re: Security problem Rainer Weikusat <rweikusat@mssgmbh.com> - 2011-12-01 17:10 +0000
Re: Security problem David Brown <david.brown@removethis.hesbynett.no> - 2011-12-01 23:17 +0100
Re: Security problem Rainer Weikusat <rweikusat@mssgmbh.com> - 2011-12-01 22:34 +0000
Re: Security problem David Brown <david@westcontrol.removethisbit.com> - 2011-12-02 10:25 +0100
Re: Security problem Richard Kettlewell <rjk@greenend.org.uk> - 2011-12-02 10:37 +0000
Re: Security problem Rainer Weikusat <rweikusat@mssgmbh.com> - 2011-12-02 14:44 +0000
Re: Security problem David Brown <david@westcontrol.removethisbit.com> - 2011-12-02 17:11 +0100
Re: Security problem André Gillibert <MetaEntropy.removeThis@gmail.com> - 2011-12-03 11:45 +0100
Re: Security problem Noob <root@127.0.0.1> - 2011-12-05 13:26 +0100
Re: Security problem Carlos Moreno <moreno_news@mailinator.com> - 2011-09-01 11:47 -0400
Re: Security problem Richard Kettlewell <rjk@greenend.org.uk> - 2011-09-01 17:01 +0100
Re: Security problem Carlos Moreno <moreno_news@mailinator.com> - 2011-09-01 15:48 -0400
Re: Security problem Richard Kettlewell <rjk@greenend.org.uk> - 2011-09-01 22:44 +0100
Re: Security problem Richard Kettlewell <rjk@greenend.org.uk> - 2011-09-02 14:27 +0100
Re: Security problem Jasen Betts <jasen@xnet.co.nz> - 2011-09-02 11:06 +0000
Re: Security problem Richard Kettlewell <rjk@greenend.org.uk> - 2011-09-02 13:49 +0100
Re: Security problem Carlos Moreno <moreno_news@mailinator.com> - 2011-09-02 13:58 -0400
Re: Security problem Richard Kettlewell <rjk@greenend.org.uk> - 2011-09-02 19:31 +0100
Re: Security problem "Ersek, Laszlo" <lacos@caesar.elte.hu> - 2011-09-01 21:01 +0200
csiph-web