On 03/27/2013 04:00 PM, Rich Pieri wrote:
> --On Wednesday, March 27, 2013 3:28 PM -0400 Bill Horne <[email protected]> wrote:
>
>> When combined with port-knocking, having a non-standard port for a
>> service like ssh is an effective means of preventing port-scanning
>> attacks. It doesn't prevent an
>
> It also makes you vulnerable to denial of service.
>
>> in Exim4, but it _IS_ an effective tool when properly deployed.
>
> I claim that obfuscation cannot be properly deployed. Obfuscation is wrapping a towel around your head and pretending that if you can't see the service then neither can anyone else.
>
> Changing the port isn't giving your neighbor the key to your home. Keys are authentication tokens. The port is analogous to the keyway. Changing the port is the same as moving the keyway. The lock is still there and you still need the correct key; you've just moved it up or down from where it is normally located, which is usually a convenient waist/elbow height.
>
> The only security that you've added is that blind thieves are going to have a slightly harder time finding the keyway.

While I have practiced a bit of obfuscation, and it does work in some instances, you essentially have to lock the doors and board up the windows. There are many good security tools available. One of the best is a proactive defense. Try to find out if you are being attacked before the attacker gets in. For ssh, make sure the keys are secure and long enough. Check your logs and firewall. If you have to allow passwords, use the tools to ensure your users have relatively strong passwords. Additionally, in a business, it is frequently an insider who will break into systems. He/she is already inside of the firewall.

--
Jerry Feldman <[email protected]>
Boston Linux and Unix
PGP key id:3BC1EB90
PGP Key fingerprint: 49E2 C52A FC5A A31F 8D66  C0AF 7CEA 30FC 3BC1 EB90

_______________________________________________
Discuss mailing list
[email protected]
http://lists.blu.org/mailman/listinfo/discuss
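An added example to go with the "check your logs and firewall" advice in the message above (this is illustrative code written for this page, not anything posted to the list). It parses two kinds of syslog lines, iptables LOG-target drops and OpenSSH "Failed password" records, and reports sources that sweep many destination ports (a scan will enumerate a moved sshd port just like port 22) and sources that rack up repeated authentication failures. The log lines are constructed for the example, and the thresholds `min_ports` and `min_failures` are assumptions to tune for a real host.

```python
"""Flag port sweeps and ssh brute-force sources in syslog excerpts.

Added example for the discussion above; not code from the mailing list or
its posters. Sample lines below are constructed, not from a real host.
The line formats follow the usual syslog output of the iptables LOG target
and OpenSSH; the thresholds are assumptions.
"""
import re
from collections import defaultdict

# Constructed sample log (not real traffic). 203.0.113.7 sweeps several
# ports, including typical "moved sshd" ports, 192.0.2.44 guesses passwords
# against sshd, and 198.51.100.20 is one legitimate key-based login.
SAMPLE_LOG = """\
Mar 27 15:01:02 host kernel: [1234.5] DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=41000 DPT=22 SYN
Mar 27 15:01:02 host kernel: [1234.6] DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=41001 DPT=2222 SYN
Mar 27 15:01:02 host kernel: [1234.7] DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=41002 DPT=8022 SYN
Mar 27 15:01:03 host kernel: [1234.8] DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=41003 DPT=22222 SYN
Mar 27 15:01:03 host kernel: [1234.9] DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=41004 DPT=443 SYN
Mar 27 15:02:10 host sshd[2201]: Failed password for invalid user admin from 192.0.2.44 port 53120 ssh2
Mar 27 15:02:12 host sshd[2203]: Failed password for invalid user oracle from 192.0.2.44 port 53121 ssh2
Mar 27 15:02:14 host sshd[2205]: Failed password for root from 192.0.2.44 port 53122 ssh2
Mar 27 15:02:16 host sshd[2207]: Failed password for root from 192.0.2.44 port 53123 ssh2
Mar 27 15:02:18 host sshd[2209]: Failed password for root from 192.0.2.44 port 53124 ssh2
Mar 27 15:02:20 host sshd[2211]: Failed password for root from 192.0.2.44 port 53125 ssh2
Mar 27 15:03:00 host sshd[2300]: Accepted publickey for jerry from 198.51.100.20 port 50000 ssh2: RSA SHA256:abc
"""

# iptables LOG line: source address and TCP destination port.
FW_RE = re.compile(r"SRC=(?P<src>\S+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+)")

# OpenSSH failure line; "invalid user" is present when the account does
# not exist, absent when a real account's password was wrong.
SSH_FAIL_RE = re.compile(
    r"sshd\[\d+\]: Failed (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_events(text):
    """Return (ports_by_src, failures_by_src) from raw syslog text."""
    ports_by_src = defaultdict(set)      # src -> set of TCP dst ports hit
    failures_by_src = defaultdict(list)  # src -> usernames tried
    for line in text.splitlines():
        m = FW_RE.search(line)
        if m:
            ports_by_src[m.group("src")].add(int(m.group("dpt")))
            continue
        m = SSH_FAIL_RE.search(line)
        if m:
            failures_by_src[m.group("src")].append(m.group("user"))
    return ports_by_src, failures_by_src


def scanners(text, min_ports=5):
    """Sources that probed at least `min_ports` distinct TCP ports."""
    ports_by_src, _ = parse_events(text)
    return {src: sorted(ports) for src, ports in ports_by_src.items()
            if len(ports) >= min_ports}


def brute_forcers(text, min_failures=5):
    """Sources with at least `min_failures` failed ssh authentications."""
    _, failures_by_src = parse_events(text)
    return {src: len(users) for src, users in failures_by_src.items()
            if len(users) >= min_failures}


def report(text):
    """Human-readable summary lines, one per flagged source."""
    lines = []
    for src, ports in scanners(text).items():
        lines.append(f"port sweep from {src}: {len(ports)} ports {ports}")
    for src, count in brute_forcers(text).items():
        lines.append(f"ssh brute force from {src}: {count} failures")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

On a real host you would feed this `/var/log/auth.log` (or the journal) and the kernel log instead of `SAMPLE_LOG`; the point is that the sweep shows up in the firewall log whatever port sshd listens on, so the log is where you learn you are being probed, not the port number.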
