On Fri, 24 Dec 2004 18:19:34 +1300, Ben Hawkes <[EMAIL PROTECTED]> wrote:
> the internet being high enough to be an attractive target for a worm. In
> the end, running a service on a non-standard port at this point in time
> is a useful part of a layered security approach, if only to inhibit
> worms.

Not only the worms. Consider this scenario - a person gets his hands on a new sshd 0day exploit and now wants to play with it. He starts to find possible victims. How does he start to find them, what is the most logical approach? He chooses some class C /24, takes out his favorite scanner and starts to sweep through the class C to find port 22. Why?

- scanning through all 65535 is very ineffective and time consuming
- the number of people who relocated sshd to some other port is marginal
- if he does not find someone vulnerable quickly enough, he might lose his interest
- he is not attacking someone in person, he is just fishing, searching for anyone who is running sshd.

If your computer's port 22 does not answer the scan, you are omitted, he goes on and does not waste his time on your computer - there are plenty of other fish in the sea.

I've noticed that most victim searches are performed in a similar manner. But things are completely different if you happened to piss someone off - then you automatically are under his undivided attention.

all the best,
W.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
