From owner-freebsd-security@FreeBSD.ORG Mon Nov 21 09:16:04 2005
Message-ID: <43819049.5090107@kernel32.de>
Date: Mon, 21 Nov 2005 10:15:53 +0100
From: Marian Hettwer <MH@kernel32.de>
User-Agent: Mozilla Thunderbird 1.0.2 (Macintosh/20050317)
To: Peter Jeremy
Cc: freebsd-security@freebsd.org, ray@redshift.com
References: <3.0.1.32.20051117232057.00a96750@pop.redshift.com> <43818643.5000206@kernel32.de> <20051121085221.GA4267@cirb503493.alcatel.com.au>
In-Reply-To: <20051121085221.GA4267@cirb503493.alcatel.com.au>
Subject: Re: Need urgent help regarding security
List-Id: "Security issues [members-only posting]"

Hi there,

Peter Jeremy wrote:
> On Mon, 2005-Nov-21 09:33:07 +0100, Marian Hettwer wrote:
>
>> ray@redshift.com wrote:
>>
>>> Also, if you have access to the router, it's handy to re-write
>>> traffic from a higher public port down to port 22 on the server,
>>> since that will trip up anyone doing scans looking for a connect on
>>> port 22 across a large number of IP's.
>>
>> No. That's security by obscurity and doesn't make your system even a wee
>> bit more secure.
>
> It depends what you are guarding against. If someone wants to get into
> _your_ system then it's worthless. OTOH, "you don't have to run faster
> than the bear, just faster than someone else": Moving your ssh access
> off port 22 means that someone doing a network scan of port 22 won't
> see your system. This is reasonable protection against script kiddies.

Where is the protection, or rather the danger, in being "visible" to script kiddies? There's no security issue valid for script kiddies which wouldn't be valid for any other attacker too.

The main question is: Where is the danger in script kiddies with their brute force attacks? I guess it's mainly the annoying fact that your logfile gets unreadable. If that's the problem: use logsurfer or something similar to analyze the logfile.

You just don't get more secure by moving the sshd to a different port than port 22. It's like saying "I block pings" (which probably means, hopefully, just blocking ICMP ECHO_REPLY and not ICMP altogether), so script kiddy can "see" my box. Crap, it won't help you and doesn't make your system more secure :-)

> Definitely, don't rely on it as your only security. But, IMHO, it is
> worth doing in addition to other security measures.

I still disagree :) It doesn't make your setup more secure. Not a bit. It may keep your logfiles a bit cleaner, but there are other ways to accomplish that.

Just my opinion, of course :)

- Marian
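The mail above suggests analyzing the sshd log with logsurfer or a similar tool instead of hiding the daemon on another port. The script below is an added example, written for this page and not part of the original thread, logsurfer, or FreeBSD; it shows the kind of summary such a tool produces: failed-password lines are grouped per source address so that a brute-force source stands out and the remaining, meaningful events (accepted logins, unmatched lines) stay readable. It assumes OpenSSH log lines in the usual syslog layout; the log lines and addresses are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in OpenSSH/syslog style (not real log data).
SAMPLE_LOG = """\
Nov 21 09:12:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Nov 21 09:12:03 host sshd[1203]: Failed password for invalid user test from 203.0.113.5 port 51030 ssh2
Nov 21 09:12:04 host sshd[1205]: Failed password for root from 203.0.113.5 port 51041 ssh2
Nov 21 09:12:06 host sshd[1207]: Failed password for invalid user oracle from 203.0.113.5 port 51050 ssh2
Nov 21 09:12:08 host sshd[1209]: Invalid user guest from 203.0.113.5
Nov 21 09:12:09 host sshd[1209]: Failed password for invalid user guest from 203.0.113.5 port 51063 ssh2
Nov 21 09:15:30 host sshd[1300]: Failed password for marian from 198.51.100.7 port 40022 ssh2
Nov 21 09:15:41 host sshd[1302]: Accepted publickey for marian from 198.51.100.7 port 40023 ssh2
Nov 21 09:20:00 host sshd[1400]: Accepted publickey for backup from 192.0.2.9 port 33000 ssh2
"""

# Password failures, with or without the "invalid user" prefix OpenSSH adds
# for accounts that do not exist on the box.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)
# Successful logins, whatever the authentication method was.
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>[\d.]+)"
)


def summarize(log_text, threshold=5):
    """Collapse sshd log noise into a per-source summary.

    threshold is the number of password failures from one address above
    which the address is reported as a brute-force source (assumed value).
    """
    failures = Counter()           # source IP -> number of failed passwords
    users = defaultdict(set)       # source IP -> usernames it tried
    accepted = []                  # (user, ip, method) for successful logins
    unmatched = 0                  # lines neither pattern recognised

    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m["ip"]] += 1
            users[m["ip"]].add(m["user"])
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted.append((m["user"], m["ip"], m["method"]))
            continue
        unmatched += 1

    brute_force = {ip: n for ip, n in failures.items() if n >= threshold}
    # A successful login from an address that was also brute-forcing is the
    # one event in this log a reader must not miss.
    suspicious_logins = [entry for entry in accepted if entry[1] in brute_force]

    return {
        "failures": dict(failures),
        "usernames": {ip: sorted(u) for ip, u in users.items()},
        "accepted": accepted,
        "brute_force": brute_force,
        "suspicious_logins": suspicious_logins,
        "unmatched": unmatched,
    }


def report(summary):
    """Render the summary as a few readable lines instead of the raw log."""
    lines = []
    for ip, n in sorted(summary["brute_force"].items(), key=lambda kv: -kv[1]):
        lines.append(f"brute force: {ip} {n} failures, tried {summary['usernames'][ip]}")
    for user, ip, method in summary["accepted"]:
        lines.append(f"login: {user} from {ip} via {method}")
    for user, ip, _ in summary["suspicious_logins"]:
        lines.append(f"WARNING: {user} logged in from brute-force source {ip}")
    lines.append(f"unmatched lines: {summary['unmatched']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(summarize(SAMPLE_LOG)))
```

With the constructed input, the five password failures from 203.0.113.5 collapse into one line, the two successful key logins remain visible, and the single "Invalid user" line that neither pattern covers is counted rather than silently dropped, which is the property to check when extending the patterns to other sshd messages.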