Wacha, Andras wrote:
> Hello,
> John Summerfield wrote:
>> 8. As I noted elsewhere, I don't recommend simply using a different
>> port. A portscan will find it quite easily, and you won't be as secured
>> as you might think.
> Portscans could be eliminated -- or at least made very difficult -- by
> using portsentry (sourceforge.net/projects/sentrytools). I simply put
> ssh from port 22 to 1234 (say), and arm portsentry to listen on 22 (and
> others, where common services are usually listening, eg. telnet, ftp,
> smtp, finger...). If someone does a portscan, portsentry immediately
> locks that ip out (with iptables or route or hosts.deny). Watch out
> however, as source ip addresses may be spoofed, so a "legitimate"
> computer can also become blocked. I suggest whitelisting some hosts (eg.
> your desktop machine on the LAN), in case you get locked out
> accidentally.
I'm loath to use software not part of my distro, because the onus is
even more on me to track versions and watch for security problems. I do
use such software, I'm just not keen on it.
If a distro lacks much of the software I want, then I conclude it's the
wrong distro for this particular task. Debian tends to win on occasion
because of its enormous array of software which (unlike Ubuntu) is all
supported.
I have seen portsentry recommended before, but I don't think I've given
it more than a cursory inspection. I cannot say that I find the website
inspiring, it does not clearly describe its purpose, how it works or how
to use it. The mailing list archives are full of spam (at least, the
first page of their indexes), and help on the forums is limited.
I personally don't see a need for me to avoid portscans as I don't hide
services on non-standard ports. The attacks I do see are fairly blunt:
if the script kiddie has an ssh test, he runs it on port 22 without
bothering with a portscan. OTOH, if his script's purpose is to test IIS,
he runs it on port 80 (and doesn't seem fazed to find Apache there).
Rather than run ssh on a non-standard port, my preference is to use a
VPN, and openvpn is the second non-standard software I use on
RHEL-clone. openvpn provides encrypted communications over a private
network which can encompass the globe. I install it on my gateways, it
can be inside the firewall, and I install it on my laptop(s). It
requires of the firewall nothing more than an open UDP port.
--
Cheers
John
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375
You cannot reply off-list:-)
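The portsentry scheme Andras describes above, reduced to its decision logic, as an added example (this is not code from the thread, nor from the portsentry project): a few trap ports that no real service listens on (sshd has moved to 1234), a whitelist so that a spoofed source address cannot get the admin's own LAN box locked out, and the two block mechanisms mentioned (an iptables DROP rule and a hosts.deny line) rendered as text rather than executed. The addresses, ports, threshold and sample attempts are all constructed for illustration.

```python
"""Portsentry-style trap-port watcher: the decision logic only.

Added example. Feed it (source_ip, dst_port) connection attempts such as a
listener bound to unused "trap" ports would record, get back the sources
that look like scanners, and render the block actions to apply. Nothing
here touches iptables or hosts.deny; it only prints what would be run.
"""
import ipaddress
from collections import defaultdict

# Trap ports: services that are NOT really running on this host.
# The real sshd lives on 1234, so any hit on 22 is a probe. (Constructed.)
TRAP_PORTS = {21, 22, 23, 25, 79}

# Never block these, even if a scan appears to come from them: the source
# address of a SYN can be spoofed, and the thread's warning is exactly that
# a "legitimate" machine can be locked out. Hypothetical LAN and loopback.
WHITELIST = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.168.1.0/24")]

# portsentry fires on the first hit; requiring two distinct trap ports from
# one source is an assumption made here to trade speed for fewer
# spoof-induced false positives. Pass threshold=1 for portsentry's behaviour.
THRESHOLD = 2

# Constructed sample of connection attempts, not real traffic.
SAMPLE_ATTEMPTS = [
    ("203.0.113.5", 21), ("203.0.113.5", 22), ("203.0.113.5", 23),  # sweep
    ("203.0.113.5", 80),            # not a trap port, ignored
    ("192.168.1.10", 22),           # admin's desktop using the old ssh port
    ("198.51.100.7", 1234),         # real ssh port, not a trap
    ("198.51.100.9", 25),           # single stray hit on smtp
]


def is_whitelisted(ip):
    """True if ip falls inside any whitelisted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in WHITELIST)


def find_scanners(attempts, trap_ports=TRAP_PORTS, threshold=THRESHOLD):
    """Map scanner ip -> sorted list of trap ports it touched.

    A source is a scanner once it has hit at least `threshold` distinct trap
    ports; whitelisted sources are dropped from the result regardless.
    """
    hits = defaultdict(set)
    for ip, port in attempts:
        if port in trap_ports:
            hits[ip].add(port)
    return {
        ip: sorted(ports)
        for ip, ports in hits.items()
        if len(ports) >= threshold and not is_whitelisted(ip)
    }


def block_actions(scanners):
    """Render the two block mechanisms from the thread, one pair per scanner."""
    actions = []
    for ip in sorted(scanners):
        actions.append(f"iptables -I INPUT -s {ip} -j DROP")   # shell command
        actions.append(f"ALL: {ip}")                           # /etc/hosts.deny line
    return actions


if __name__ == "__main__":
    found = find_scanners(SAMPLE_ATTEMPTS)
    for ip, ports in found.items():
        print(f"{ip} probed trap ports {ports}")
    for line in block_actions(found):
        print(line)
```

Run as-is it reports 203.0.113.5 only: the LAN desktop is excluded by the whitelist, 198.51.100.7 never touched a trap port, and 198.51.100.9 stays under the two-port threshold. With threshold=1 the last one is blocked too, which is the portsentry-style "one hit and you're out" behaviour the thread describes, along with its false-positive risk.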