On 2/9/06, Chris <[EMAIL PROTECTED]> wrote: > On 07/02/06, David Scheidt <[EMAIL PROTECTED]> wrote: > > > > On Tue, Feb 07, 2006 at 12:40:22AM +0200, Atis wrote: > > > On Sun, 5 Feb 2006 18:55:13 -0500 > > > David Scheidt <[EMAIL PROTECTED]> wrote: > > > > > > > > > > > Nonsense. There may be some people that only scan well-known ports, > > > > but it's much more common to scan every port on a machine. If you're > > > > running a server on a non-standard port, an attacker will find it. > > > > > > > > > > sure, but 99% of the time the machines attacking your server are zombies > > > that do not care to do a full portscan. i suppose the purpose is to > > > find other misconfigured, easy-to-hack computers on the network. by > > > putting your services on non-standard ports you get rid of these > > > mindless drones and don't pollute log files with useless garbage. > > > > > > now if somebody _does_ actually target your server in particular then > > > this is definitely not the solution. > > > > > > anywayz, putting things on non-standard ports helps a lot, and is > > > one of the first and easiest security measures an administrator > > > may consider. > > > > > > > Taking your clothes off and painting yourself blue is also one of the > > first and easiest security measures to consider. It's even more > > effective, too. I know of no machine that's been cracked that had a > > wheel naked and painted blue. I've seen lots running standard > > services on non-standard ports. > > > > Security through obscurity doesn't work, it makes tracking down > > other problems harder, and creates work to maintain non-standard > > configurations. > > > I understand his point, I see 2 types of problems we have to deal with. The > thousands of drones that scan for boxes that are vulnerable to a specific > exploit, they will often scan ip ranges on a specific port and if its open > see if its vulnerable. For these types of intruders chnging ports is very > effective since you would simply be skipped past on their scan, for most of > us 99% of attempted intrusions are zombie based or some script a kid has > downloaded of the web. > > The argument against changing ports is of course when you have a persistent > hacker who wants in, he will of course scan all the ports and find the > service and this type of protection is nullified. In this scenario if you > havent taken additional measures to secure the box then you may be in > trouble, > > I personally move things like sshd of its normal port simply to stop my logs > been flooded with brute force logins and since I am the only one who uses > ssh there is no downside to it, I of course dont rely on this alone and keep > my software up to date amongst other security measures it is simply an extra > layer of skin on the onion. For things like httpd I keep on port 80 as I > think moving the port of that is more hassle then its worth. I've seen someone mention how to move httpd to a non-reserved port (ie 8080), and let that change be transparent for the end-user by using ipf. I dont know how, though. > > Chris > _______________________________________________ > freebsd-questions@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-questions > To unsubscribe, send any mail to "[EMAIL PROTECTED]" > _______________________________________________ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"
