Daniel Hulme wrote:
> On Sat, May 19, 2007 at 12:24:07PM +0200, A. Pagaltzis wrote:
>> all you need. F.ex., it would be dumb to run sshd on a port other
>> than 22, hoping that no one finds it. But if you keep track of
> Not really. I run sshd on my home box on a non-default port, because I
> was fed up of worms running their dictionaries of uname/password combos
> against it, eating my bandwidth and driving my loadavg up the wall. I

Pam_abl is your friend
http://www.hexten.net/wiki/index.php/Pam_abl

> keep the box up to date, and my password is non-trivial, so it's not my
> only defence, but it makes life easier for me.

nmap makes it easy to find open ports. A script kiddie could run it.

If you want something that provides non-trivial "obscurity", look into
port knocking. You can make the "knocks" as complex as you wish (thus
reducing the possibility of such things being triggered accidentally).

Then again, pam_abl, knocking, obscurity, etc, are passive defense
postures. The user of such technologies needs to understand that none
of them by themselves will guarantee security. In combination none will
guarantee security. But layered defenses give you time to deal with
inbound attackers. You can also employ active defensive postures if
desired. Regardless, for every bit of security, there is a compromise
of that security. The trick is to engineer the compromises to be hard.
Get enough layers of hard, and the target becomes harder to crack than
others that don't.

It also helps to be unabashedly paranoid. They are out to get you, and
we have the log traces to prove it. :(
--
joe
[EMAIL PROTECTED]
www.scalableinformatics.com
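To make the pam_abl suggestion above concrete, here is an added example (my own sketch, not pam_abl's code and not posted by anyone on this thread) of the rule such a module enforces: count failed sshd logins per source host and per target user inside a sliding window, and reject further attempts from a host, or for a user, that has crossed its limit until the old failures age out. The thresholds (10 failures per host per hour, 30 per user per day), the assumed syslog year 2007 and the sample log lines are all constructed; the line format is OpenSSH's "Failed password" message.

```python
"""pam_abl-style auto-blacklisting sketch (added example, not pam_abl's code).

Failed sshd logins are counted per source host and per target user inside a
sliding window; once a host (or user) crosses its limit, further attempts are
rejected before the password is even checked, until the old failures age out.
All thresholds, the syslog year and the sample log lines are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# OpenSSH's "Failed password" line; the leading "invalid user " appears when the
# account does not exist at all.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<host>\S+) port \d+"
)


def parse_failed(line, year=2007):
    """Return (timestamp, user, host) for a failed-password line, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year, so one is assumed.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["host"]


class AutoBlacklist:
    """Sliding-window failure counters (limits are assumed defaults, not pam_abl's)."""

    def __init__(self, host_limit=10, host_window=timedelta(hours=1),
                 user_limit=30, user_window=timedelta(days=1)):
        self.host_limit, self.host_window = host_limit, host_window
        self.user_limit, self.user_window = user_limit, user_window
        self.host_fail = defaultdict(deque)   # host -> timestamps of failures
        self.user_fail = defaultdict(deque)   # user -> timestamps of failures

    @staticmethod
    def _prune(times, now, window):
        # Drop failures that have fallen out of the window.
        while times and now - times[0] > window:
            times.popleft()

    def is_blocked(self, host, user, now):
        self._prune(self.host_fail[host], now, self.host_window)
        self._prune(self.user_fail[user], now, self.user_window)
        return (len(self.host_fail[host]) >= self.host_limit
                or len(self.user_fail[user]) >= self.user_limit)

    def record_failure(self, host, user, when):
        self.host_fail[host].append(when)
        self.user_fail[user].append(when)


def replay(lines, limits=None):
    """Feed log lines through the blacklist in order.

    Returns one (host, user, was_blocked) tuple per failed-password line, where
    was_blocked is the verdict given before any password check would run."""
    bl = AutoBlacklist(**(limits or {}))
    verdicts = []
    for line in lines:
        parsed = parse_failed(line)
        if parsed is None:       # "Accepted ..." and unrelated lines
            continue
        ts, user, host = parsed
        blocked = bl.is_blocked(host, user, ts)
        bl.record_failure(host, user, ts)   # a rejected attempt still counts
        verdicts.append((host, user, blocked))
    return verdicts


def _line(ts, user, host, invalid=True):
    who = f"invalid user {user}" if invalid else user
    return f"{ts} home sshd[4242]: Failed password for {who} from {host} port 40000 ssh2"


# Constructed sample: a dictionary burst from 203.0.113.5, one honest typo from
# 198.51.100.7, and the same attacker back after its hour has drained.
SAMPLE_LOG = [_line(f"May 19 12:2{i // 6}:{(i % 6) * 10:02d}", u, "203.0.113.5")
              for i, u in enumerate(["admin", "test", "oracle", "guest", "root", "www",
                                     "mysql", "ftp", "user", "postgres", "backup", "admin"])]
SAMPLE_LOG += [
    "May 19 12:22:00 home sshd[4300]: Accepted publickey for daniel from 198.51.100.7 port 50001 ssh2",
    _line("May 19 12:22:30", "daniel", "198.51.100.7", invalid=False),
    _line("May 19 14:30:00", "root", "203.0.113.5", invalid=False),
]

if __name__ == "__main__":
    for host, user, blocked in replay(SAMPLE_LOG):
        print(f"{host:14} {user:10} {'REJECT' if blocked else 'check password'}")
```

Run it and the first ten attempts from 203.0.113.5 go through to password checking while the rest are rejected outright; the same host's attempt two hours later is allowed again because its failures have aged out, and the single typo from 198.51.100.7 never trips anything. A rejected attempt is still counted, so a worm that keeps hammering never drains its own window. The real module's configuration (its per-host and per-user rules) is documented at the wiki link above.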
_______________________________________________
List: [email protected]
Listinfo: http://lists.rawmode.org/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/[email protected]/
Dev site: http://dev.catalyst.perl.org/
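On the port-knocking point in joe's reply, an added example (mine, not knockd or any real knock daemon, and not from the thread) of the state machine such a daemon keeps per source address, with a simulated linear port sweep run against it to show which knock sequences a scanner trips by accident. Addresses, port sequences and timings are constructed.

```python
"""Port-knocking tracker (added example; not knockd or any real knock daemon).

Each source address walks a small state machine: the protected port is
'opened' for it only after the configured ports are hit in order, each knock
within `timeout` seconds of the previous good one.  Instead of rewriting
firewall rules the tracker just records which sources completed the sequence,
which is enough to ask how easily a sequence is tripped by accident.
Addresses, sequences and timings below are constructed."""
from collections import namedtuple

Knock = namedtuple("Knock", "src port t")   # source address, destination port, seconds


class KnockTracker:
    def __init__(self, sequence, timeout=10.0, strict=True):
        if len(set(sequence)) != len(sequence):
            raise ValueError("knock ports must be distinct")
        self.sequence = list(sequence)
        self.timeout = timeout
        self.strict = strict      # True: any port not in sequence order resets progress
        self.progress = {}        # src -> (index of next expected knock, time of last good knock)
        self.opened = set()       # sources that completed the sequence

    def knock(self, k):
        """Process one SYN; return True if this knock completed the sequence."""
        idx, last = self.progress.get(k.src, (0, k.t))
        if idx and k.t - last > self.timeout:
            idx = 0                         # too slow: start over
        if k.port == self.sequence[idx]:
            idx, last = idx + 1, k.t        # expected knock
        elif k.port == self.sequence[0]:
            idx, last = 1, k.t              # wrong, but it restarts the sequence
        elif self.strict:
            idx = 0                         # stray port wipes progress
        # lenient mode: stray ports are simply ignored
        if idx == len(self.sequence):
            self.opened.add(k.src)
            self.progress.pop(k.src, None)
            return True
        self.progress[k.src] = (idx, last)
        return False


def run(tracker, src, ports, start=0.0, step=0.5):
    """Knock the given ports in order, `step` seconds apart; True once the port opens."""
    return any(tracker.knock(Knock(src, p, start + i * step)) for i, p in enumerate(ports))


def linear_scan_opens(sequence, strict):
    """Does a plain sequential sweep of every TCP port (one SYN per port, in
    ascending order, the crude shape of a full port scan) complete the
    sequence by accident?"""
    tracker = KnockTracker(sequence, timeout=3600.0, strict=strict)
    return run(tracker, "198.51.100.77", range(1, 65536), step=0.001)


if __name__ == "__main__":
    for seq in ([3000, 7000, 9000], [7000, 3000, 9000]):
        for strict in (False, True):
            print(seq, "strict" if strict else "lenient",
                  "tripped by linear sweep:", linear_scan_opens(seq, strict))
```

Two things fall out of the simulation: a sequence whose ports increase monotonically is completed by a plain ascending sweep when the tracker ignores unrelated ports, and a tracker that resets on any unexpected port is immune to that sweep but will also drop a legitimate user whose knocks get a stray packet in between. Neither variant helps against someone who can sniff a static sequence and replay it, which is why knocking belongs in the "obscurity" column where joe puts it.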