Date: Mon, 21 Nov 2005 08:35:09 -0800 (PST)
From: dtalk-ml@prairienet.org
To: Danny Carroll
Cc: Peter Jeremy, ray@redshift.com, Jeremie Le Hen, Marian Hettwer, freebsd-security@freebsd.org
Subject: Re: Need urgent help regarding security

Danny Carroll wrote:

> But sshd can be moved without problem.

It's not a cost-free solution, because there are support consequences. Users don't like change. Fortunately for us, we control their client configurations, so it's invisible to them.

>> I just have the strong feeling that moving a daemon to another port
>> (where it doesn't belong) won't gain any security.

On 22, I used to get many, sometimes many thousands, of brute force password attempts per day. After moving to a higher port, I get zero. Mathematics tells me that makes it less likely that one of my user accounts will get whacked. It also raises the signal to noise ratio and storage requirements of my logs dramatically.

I'm sure no one here thinks obscurity is a substitute for proper configuration of good quality software. Nevertheless, real world experience shows quite clearly that the odds of an expensive compromise go down when I'm a little harder to find. The fact that this does nothing to slow down a targeted attack does not diminish the value of evading the entire population of drive-by bots.

-d

--
David Talkington
dtalk-ml@prairienet.org