From owner-freebsd-security@FreeBSD.ORG Mon Nov 21 12:37:27 2005
Return-Path:
X-Original-To: freebsd-security@freebsd.org
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 74B7E16A41F for ; Mon, 21 Nov 2005 12:37:27 +0000 (GMT) (envelope-from ray@redshift.com)
Received: from outgoing.redshift.com (outgoing.redshift.com [207.177.231.8]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3CA2643D49 for ; Mon, 21 Nov 2005 12:37:27 +0000 (GMT) (envelope-from ray@redshift.com)
Received: from workstation (216-228-19-21.dsl.redshift.com [216.228.19.21]) by outgoing.redshift.com (Postfix) with SMTP id 2BB5B97A3A; Mon, 21 Nov 2005 04:37:26 -0800 (PST)
Message-Id: <3.0.1.32.20051121043723.00aa1490@pop.redshift.com>
X-Mailer: na
X-Sender: redshift.com
Date: Mon, 21 Nov 2005 04:37:23 -0800
To: Marian Hettwer , Peter Jeremy
From: ray@redshift.com
In-Reply-To: <43819049.5090107@kernel32.de>
References: <20051121085221.GA4267@cirb503493.alcatel.com.au> <3.0.1.32.20051117232057.00a96750@pop.redshift.com> <43818643.5000206@kernel32.de> <20051121085221.GA4267@cirb503493.alcatel.com.au>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Cc: freebsd-security@freebsd.org
Subject: Re: Need urgent help regarding security
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 21 Nov 2005 12:37:27 -0000

At 10:15 AM 11/21/2005 +0100, Marian Hettwer wrote:
| Hi there,
|
| Peter Jeremy wrote:
| > On Mon, 2005-Nov-21 09:33:07 +0100, Marian Hettwer wrote:
| >
| >>ray@redshift.com wrote:
| >>
| >>>Also, if you have access to the router, it's handy to re-write
| >>>traffic from a higher public port down to port 22 on the server,
| >>>since that will trip up anyone doing scans looking for a connect on
| >>>port 22 across a large number of IP's.
| >>>
| >>
| >>No. That's security by obscurity and doesn't make your system even a wee
| >>bit more secure.
| >
| >
| > It depends what you are guarding against. If someone wants to get into
| > _your_ system then it's worthless. OTOH, "you don't have to run faster
| > than the bear, just faster than someone else": Moving your ssh access
| > off port 22 means that someone doing a network scan of port 22 won't
| > see your system. This is reasonable protection against script kiddies.
| >
| Where is the protection, or rather the danger in being "visible" to
| script kiddies? There's no security issue valid for script kiddies which
| wouldn't be valid for any other attacker too.
| The main question is: Where is the danger in script kiddies with their
| brute force attacks?
| I guess it's mainly the annoying fact that your logfile gets
| unreadable. If that's the problem: use logsurfer or something similar to
| analyze the logfile.
| You just don't get more secure by moving the sshd to a different port
| than port 22.

The point isn't to get more secure. You are correct in saying that moving the port # doesn't make anything more secure. But why make it easy for someone that might be doing a scan to find your SSH prompt during a scan that may be focused on ports 21, 22, 25, 80 and 110?

Along these same lines, we used to even re-compile sshd and remove the welcome message/version number in the connect. I know there are two schools of thought on broadcasting your version numbers on connections, but in the mid 90's, we did do that from time to time.

Anyway, to each their own :)

Ray
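The thread's practical point is that the real cost of scanners hitting port 22 is an unreadable auth log, and that the defender's answer is to analyze the log (logsurfer is the tool Marian names) rather than to rely on hiding the port. The following is an added example that is not part of this thread and is not logsurfer: a small Python stand-in that aggregates OpenSSH "Failed password" lines per source address, flags sources that look like brute forcing, and cross-checks accepted logins against those sources. The log lines are constructed for the example, the regexes assume the standard OpenSSH auth-log line format, and the failure threshold is an assumption to tune for your own host.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of OpenSSH auth log lines (not a real capture;
# addresses are from the documentation ranges).
SAMPLE_LOG = """\
Nov 21 04:10:01 host sshd[1201]: Failed password for invalid user admin from 192.0.2.10 port 40122 ssh2
Nov 21 04:10:03 host sshd[1203]: Failed password for invalid user test from 192.0.2.10 port 40130 ssh2
Nov 21 04:10:05 host sshd[1205]: Failed password for root from 192.0.2.10 port 40141 ssh2
Nov 21 04:10:07 host sshd[1207]: Failed password for root from 192.0.2.10 port 40150 ssh2
Nov 21 04:10:09 host sshd[1209]: Failed password for invalid user oracle from 192.0.2.10 port 40161 ssh2
Nov 21 04:11:30 host sshd[1220]: Failed password for ray from 198.51.100.7 port 51000 ssh2
Nov 21 04:11:41 host sshd[1222]: Accepted publickey for ray from 198.51.100.7 port 51002 ssh2
Nov 21 04:12:00 host sshd[1230]: Invalid user guest from 203.0.113.5
Nov 21 04:12:02 host sshd[1230]: Failed password for invalid user guest from 203.0.113.5 port 33000 ssh2
"""

# Standard OpenSSH wording for a failed password and an accepted login.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_log(text):
    """Return (failures per source ip, usernames tried per ip, accepted logins)."""
    failures = Counter()
    users = defaultdict(set)
    accepted = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group("ip")] += 1
            users[m.group("ip")].add(m.group("user"))
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted.append((m.group("ip"), m.group("user"), m.group("method")))
    return failures, users, accepted


def brute_force_sources(failures, users, threshold=5):
    """Flag a source at or above `threshold` failures, or one cycling through
    several usernames (a second, threshold-independent signal of guessing)."""
    flagged = {}
    for ip, count in failures.items():
        if count >= threshold or len(users[ip]) > 1:
            flagged[ip] = {"failures": count, "users": sorted(users[ip])}
    return flagged


def summarize(text, threshold=5):
    """Build the report a defender actually wants from a noisy auth log."""
    failures, users, accepted = parse_log(text)
    flagged = brute_force_sources(failures, users, threshold)
    # A successful login from a source that was just guessing is the line
    # worth reading first, so it is pulled out separately.
    suspicious_success = [a for a in accepted if a[0] in flagged]
    return {
        "flagged": flagged,
        "accepted": accepted,
        "suspicious_success": suspicious_success,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for ip, info in report["flagged"].items():
        print(f"{ip}: {info['failures']} failures, users tried: {', '.join(info['users'])}")
    for ip, user, method in report["accepted"]:
        print(f"accepted {user}@{ip} via {method}")
    for ip, user, method in report["suspicious_success"]:
        print(f"ALERT: success for {user} from flagged source {ip}")
```

Run it against a real `/var/log/auth.log` by reading the file into `summarize()` instead of `SAMPLE_LOG`; the per-source summary is what the thread means by making the log readable again, and the "suspicious_success" list is the check that a flood of noise must not be allowed to hide.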