From owner-freebsd-security Tue Mar 27 16:12: 2 2001
Delivered-To: freebsd-security@freebsd.org
Received: from peak.mountin.net (peak.mountin.net [207.227.119.2]) by hub.freebsd.org (Postfix) with ESMTP id 51ABE37B71B for ; Tue, 27 Mar 2001 16:11:57 -0800 (PST) (envelope-from jeff-ml@mountin.net)
Received: (from daemon@localhost) by peak.mountin.net (8.9.1/8.9.1) id SAA23372; Tue, 27 Mar 2001 18:11:56 -0600 (CST) (envelope-from jeff-ml@mountin.net)
Received: from dial-59.tnt1.rac.cyberlynk.net(209.224.182.59) by peak.mountin.net via smap (V1.3) id sma023293; Tue Mar 27 18:11:12 2001
Message-Id: <4.3.2.20010327173917.02803ae0@207.227.119.2>
X-Sender: jeff-ml@207.227.119.2
X-Mailer: QUALCOMM Windows Eudora Version 4.3
Date: Tue, 27 Mar 2001 18:09:11 -0600
To: security@FreeBSD.ORG, security@FreeBSD.ORG
From: "Jeffrey J. Mountin"
Subject: Re: SSHD revealing too much information.
In-Reply-To: <20010327173454.J12888@pir.net>
References: <4.3.2.20010327160147.02c1b6c0@207.227.119.2> <20010327005503.J5425@rfx-216-196-73-168.users.reflex> <20010327005503.J5425@rfx-216-196-73-168.users.reflex> <4.3.2.20010327160147.02c1b6c0@207.227.119.2>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 05:34 PM 3/27/01 -0500, Peter Radcliffe wrote:

Argh, this can go on and on...

>I'd rather they wasted their time trying to compromise vulnerable
>machines and leaving tracks that are noticeable than heading directly to
>the vulnerable machines and compromising them without leaving tracks.

Presuming the first "vulnerable" needs an "un" prefix, I'd say that this sounds like a shell game method of hoping they don't find the vulnerable system. Better to spend time keeping up to date than shuffling and hoping they don't guess the right shell or server. Chances are they will be scanning blocks of IPs, and if that is the case no sleight of hand will hide the fact of where the vulnerable system is.

> > Something that no one has pointed out yet is that if you try to limit the
> > information the system displays, or not for that matter, you might attract
> > the attention of someone that likes a challenge. Sure there are far more
> > script kiddies, but I would lump the obscurity idea along with boasting a
> > system is not vulnerable. Bragging might attract the wrong types to test
> > the truth of such a statement. For certain that might help when it turns
> > out it isn't true, but would be a hassle regardless.
>
>Do you leave your doors unlocked in case someone breaks them down, too ?

More to the point is that regardless of whether you say "this door is locked" or not, it doesn't mean they won't try it. Saying we upgraded the lock from the cheap lockset might make them try another house.

All cute wording aside, there was a time when I removed the version number from a daemon and found that the number of probes increased. Did it make the system any more secure? No.

Almost as bad as using a "honey pot" to lure the bears away. Before they only came around now and again. Now they come for the honey you put out. Attracting more bears may not necessarily be bad, but it can increase the risk of an "incident."

Better to spend time limiting the loss should the house be broken into than hiding the fact there is a house there. Obscurity is a waste of time for little benefit IMO.

Jeff Mountin - jeff@mountin.net
Systems/Network Administrator

FreeBSD - the power to serve
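An added example, not part of Jeff's post or anything else in this thread: a small Python parser for the identification string an SSH server sends on connect, which is the "banner" the thread is arguing about. The field layout (SSH-protoversion-softwareversion SP comments CR LF, with optional pre-banner lines that clients must skip) is from RFC 4253 section 4.2. The host addresses and banner strings below are constructed for illustration; one of them has the version number stripped, as Jeff describes doing, and one is not an SSH server at all. The tally function shows what a scan of an address block collects: a stripped banner does not disappear from the list, it simply lands in its own bucket.

```python
"""Parse SSH server identification strings (RFC 4253 section 4.2).

Added example; not code from the FreeBSD mailing list or from OpenSSH.
Banner format:  SSH-protoversion-softwareversion SP comments CR LF
"""
import re
from collections import Counter
from typing import Dict, Optional

# protoversion is e.g. "2.0" or "1.99"; softwareversion may be empty;
# comments are optional and separated from the software token by one space.
IDENT_RE = re.compile(
    rb"^SSH-(?P<proto>[0-9]+\.[0-9]+)-(?P<software>[^ \r\n]*)"
    rb"(?: (?P<comments>[^\r\n]*))?\r?\n?$"
)


def find_identification(data: bytes) -> Optional[bytes]:
    """Return the identification line from raw server output.

    RFC 4253 allows a server to emit other lines before the identification
    string and requires that they not begin with "SSH-", so scan for the
    first line that does.
    """
    for line in data.splitlines(keepends=True):
        if line.startswith(b"SSH-"):
            return line
    return None


def parse_banner(data: bytes) -> Optional[dict]:
    """Split the identification string into its fields, or None if not SSH."""
    ident = find_identification(data)
    if ident is None:
        return None
    m = IDENT_RE.match(ident)
    if m is None:
        return None
    software = m.group("software").decode("ascii", "replace")
    comments = m.group("comments")
    return {
        "proto": m.group("proto").decode("ascii"),
        "software": software,
        "comments": comments.decode("ascii", "replace") if comments is not None else "",
        # A version number survived if the software token carries any digit:
        # "OpenSSH_2.3.0" does, "OpenSSH" or an empty token does not.
        "discloses_version": any(c.isdigit() for c in software),
    }


def tally_software(responses: Dict[str, bytes]) -> Counter:
    """What a block scan records: how many hosts answered with each software token.

    Hosts that did not speak SSH are counted under "(not ssh)".
    """
    counts: Counter = Counter()
    for _host, raw in responses.items():
        parsed = parse_banner(raw)
        counts[parsed["software"] if parsed else "(not ssh)"] += 1
    return counts


# Constructed sample responses (addresses from the RFC 5737 documentation range).
SAMPLE_RESPONSES = {
    "192.0.2.10": b"SSH-1.99-OpenSSH_2.3.0 FreeBSD\r\n",
    "192.0.2.11": b"SSH-2.0-OpenSSH_2.5.2p2\r\n",
    "192.0.2.12": b"SSH-2.0-OpenSSH\r\n",                              # version stripped
    "192.0.2.13": b"Authorized users only\r\nSSH-2.0-\r\n",           # pre-banner line, empty software token
    "192.0.2.14": b"220 mail.example.com ESMTP\r\n",                  # not an SSH server
}

if __name__ == "__main__":
    for host, raw in SAMPLE_RESPONSES.items():
        print(host, parse_banner(raw))
    print(tally_software(SAMPLE_RESPONSES))
```

Running the module prints the parsed fields per host and the tally; the host with the stripped version is still listed as running OpenSSH, just without a version to match against.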