From owner-freebsd-questions@FreeBSD.ORG Thu Feb 9 04:33:40 2006
Return-Path:
X-Original-To: freebsd-questions@freebsd.org
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8D90916A420 for ; Thu, 9 Feb 2006 04:33:40 +0000 (GMT) (envelope-from chrcoluk@gmail.com)
Received: from wproxy.gmail.com (wproxy.gmail.com [64.233.184.192]) by mx1.FreeBSD.org (Postfix) with ESMTP id EE9C043D45 for ; Thu, 9 Feb 2006 04:33:39 +0000 (GMT) (envelope-from chrcoluk@gmail.com)
Received: by wproxy.gmail.com with SMTP id i27so29316wra for ; Wed, 08 Feb 2006 20:33:39 -0800 (PST)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:references; b=tk7qOQYKTUIrC4rxRrWfjpN/URQki40XZ6WPaZfDuqDEnb6D/qQ3x0HQzR+bp17muorNVUv5mTOJIw8mLqzBUA5CgStFaOQxzglP7diGI7n7+wX3GDhBqzF7NlPAI+pM2AJE0DApLY9Tu4n+1fqu5J6pT6b75TQAmWqjdiueYsY=
Received: by 10.54.114.14 with SMTP id m14mr1225805wrc; Wed, 08 Feb 2006 20:33:39 -0800 (PST)
Received: by 10.54.113.13 with HTTP; Wed, 8 Feb 2006 20:33:38 -0800 (PST)
Message-ID: <3aaaa3a0602082033k10a927fcg@mail.gmail.com>
Date: Thu, 9 Feb 2006 04:33:38 +0000
From: Chris
To: David Scheidt
In-Reply-To: <20060207035522.GA17514@panix.com>
MIME-Version: 1.0
References: <5ceb5d550602051357r27f07864lb408168902a68e12@mail.gmail.com> <20060205235513.GA20707@panix.com> <20060207004022.3e238768.atissita@btv.lv> <20060207035522.GA17514@panix.com>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
X-Content-Filtered-By: Mailman/MimeDel 2.1.5
Cc: Atis , freebsd-questions@freebsd.org
Subject: Re: IP Banning (Using IPFW)
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date:
Thu, 09 Feb 2006 04:33:40 -0000

On 07/02/06, David Scheidt wrote:
>
> On Tue, Feb 07, 2006 at 12:40:22AM +0200, Atis wrote:
> > On Sun, 5 Feb 2006 18:55:13 -0500
> > David Scheidt wrote:
> >
> > > Nonsense. There may be some people that only scan well-known ports,
> > > but it's much more common to scan every port on a machine. If you're
> > > running a server on a non-standard port, an attacker will find it.
> >
> > sure, but 99% of the time the machines attacking your server are zombies
> > that do not care to do a full portscan. i suppose the purpose is to
> > find other misconfigured, easy-to-hack computers on the network. by
> > putting your services on non-standard ports you get rid of these
> > mindless drones and don't pollute log files with useless garbage.
> >
> > now if somebody _does_ actually target your server in particular then
> > this is definitely not the solution.
> >
> > anywayz, putting things on non-standard ports helps a lot, and is
> > one of the first and easiest security measures an administrator
> > may consider.
>
> Taking your clothes off and painting yourself blue is also one of the
> first and easiest security measures to consider. It's even more
> effective, too. I know of no machine that's been cracked that had a
> wheel naked and painted blue. I've seen lots running standard
> services on non-standard ports.
>
> Security through obscurity doesn't work, it makes tracking down
> other problems harder, and creates work to maintain non-standard
> configurations.

I understand his point. I see two types of problems we have to deal with. The thousands of drones that scan for boxes that are vulnerable to a specific exploit will often scan IP ranges on a specific port and, if it's open, see if it's vulnerable.
For these types of intruders changing ports is very effective, since you would simply be skipped past on their scan; for most of us 99% of attempted intrusions are zombie-based or some script a kid has downloaded off the web. The argument against changing ports is of course when you have a persistent hacker who wants in: he will of course scan all the ports and find the service, and this type of protection is nullified. In this scenario, if you haven't taken additional measures to secure the box then you may be in trouble. I personally move things like sshd off its normal port simply to stop my logs being flooded with brute-force logins, and since I am the only one who uses ssh there is no downside to it. I of course don't rely on this alone and keep my software up to date amongst other security measures; it is simply an extra layer of skin on the onion. For things like httpd I keep on port 80, as I think moving the port of that is more hassle than it's worth.

Chris
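Added example, not part of Chris's message or of the FreeBSD mailing-list thread: the complement to moving sshd off its port is the IP banning named in the thread's subject. The script below counts OpenSSH "Failed password" lines per source address over constructed sample auth.log lines, skips an allowlisted address so that a legitimate user who mistypes a password is not locked out, and emits the `ipfw table N add` commands that would put the offenders into an ipfw lookup table. The table number (1), the threshold (5), the allowlist and the log lines are all assumptions made for this example; on the firewall side a rule such as `ipfw add 100 deny ip from 'table(1)' to any` consumes the table, and nothing here actually invokes ipfw.

```python
import re
from collections import Counter

# Constructed sample of what syslog writes for OpenSSH on FreeBSD (/var/log/auth.log).
# These lines are made up for the example; the addresses are documentation ranges.
SAMPLE_LOG = """\
Feb  9 04:10:01 host sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 40211 ssh2
Feb  9 04:10:03 host sshd[1203]: Failed password for invalid user test from 198.51.100.7 port 40213 ssh2
Feb  9 04:10:05 host sshd[1205]: Failed password for root from 198.51.100.7 port 40215 ssh2
Feb  9 04:10:06 host sshd[1207]: Failed password for invalid user oracle from 198.51.100.7 port 40217 ssh2
Feb  9 04:10:08 host sshd[1209]: Failed password for invalid user guest from 198.51.100.7 port 40219 ssh2
Feb  9 04:11:00 host sshd[1220]: Failed password for chris from 203.0.113.5 port 51000 ssh2
Feb  9 04:11:09 host sshd[1222]: Accepted publickey for chris from 203.0.113.5 port 51002 ssh2
Feb  9 04:12:00 host sshd[1230]: Invalid user postgres from 192.0.2.44
Feb  9 04:12:00 host sshd[1230]: Failed password for invalid user postgres from 192.0.2.44 port 3333 ssh2
"""

# Matches both "Failed password for <user> from <ip>" and the "invalid user" variant.
# Only IPv4 is handled here; IPv6 sources would need a second pattern.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ "
    r"from (\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def count_failures(lines):
    """Count 'Failed password' events per source address."""
    counts = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def brute_force_sources(lines, threshold=5, allowlist=()):
    """Return the sorted source addresses with at least `threshold` failures,
    excluding anything on the allowlist (e.g. the admin's own address)."""
    counts = count_failures(lines)
    return sorted(ip for ip, n in counts.items()
                  if n >= threshold and ip not in allowlist)


def ipfw_commands(addrs, table=1):
    """Build the ipfw invocations that add each address to lookup table `table`.
    The table number is an assumption; a deny rule referencing table(1) must exist
    for the entries to have any effect."""
    return [f"ipfw table {table} add {ip}" for ip in addrs]


if __name__ == "__main__":
    offenders = brute_force_sources(SAMPLE_LOG.splitlines(),
                                    threshold=5, allowlist={"203.0.113.5"})
    for cmd in ipfw_commands(offenders):
        print(cmd)
```

Run periodically from cron (or fed from a syslog pipe) as root, this turns the log noise Chris describes into table entries rather than just a smaller log. Two caveats a practitioner would want: the allowlist is what keeps a fat-fingered admin from banning himself, and entries added this way never expire unless something removes them, so a companion job should `ipfw table 1 delete` old addresses or flush the table on a schedule.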