From owner-freebsd-security@FreeBSD.ORG Tue Nov 22 18:27:03 2005
Date: Tue, 22 Nov 2005 10:26:58 -0800 (PST)
From: Roger Marquis
To: freebsd-security@freebsd.org
In-Reply-To: <20051122120112.9D83516A423@hub.freebsd.org>
Message-ID: <20051122075050.I81101@roble.com>
References: <20051122120112.9D83516A423@hub.freebsd.org>
Subject: Re: Need urgent help regarding security

ray@redshift.com wrote:
>The point isn't to get more secure. You are correct by saying that
>moving the port # doesn't make anything more secure.

Actually the point _is_ security, and changing the port number _does_ improve it significantly, though only from one popular attack vector. Security by obscurity _does_ work, and often very well, just not in place of more substantive measures.
In the case of sshd dictionary attacks those would be:

1) setting "MaxAuthTries 2", "Banner /etc/issue" and "PermitRootLogin no" in /etc/ssh/sshd_config,

2) running an sshd IDS that
   A) tests for '(for invalid user|Failed password for)',
   B) blackholes source hosts ('ipfw add deny ...'), and
   C) alerts sysadmin or operations personnel,

3) making sure SSL and SSH are up to date (preferably via ports),

4) deleting the rc script, adding sshd to /etc/inetd.conf, and taking advantage of the rate controls, logging, and other excellent security features of FreeBSD's inetd.

Hosts that don't have at least these 4 protections in place will reduce their exposure by moving sshd to a port other than 22. Hosts that do implement these protections will still benefit from changing the port but can lose some excellent logging. If possible keep the logs and either send them to the offending ISP or add to a local list of long-term blackholes.

Obscurity is an important and wholly necessary part of the security toolkit. Take passwords for example. Defining a non-dictionary password is security by obscurity. It is, however, weak protection if you do not also log dictionary attacks and blackhole offenders before they can try many username/password pairs. ATM PINs are even weaker than passwords but are nevertheless adequate protection thanks to the fact that ~3 failed passwords will cause the account to be locked.

Bruce Schneier looks at more areas where security by obscurity works and where it doesn't in the May 2002 CRYPTO-GRAM.

-- 
Roger Marquis
Roble Systems Consulting
http://www.roble.com/
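As an added example (not code from the thread or from FreeBSD), here is a minimal sshd IDS in the shape of step 2 above: it applies the post's pattern to sshd syslog lines, counts failures per source address, and prints, without executing, the 'ipfw add deny' commands for hosts over a threshold. The log excerpt, the threshold and the ipfw rule number are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original message: detect sshd dictionary
# attacks in syslog output and emit ipfw blackhole rules for review.

# Pattern from the post: matches unknown-user and bad-password failures.
SSHD_FAIL_RE='(for invalid user|Failed password for)'

# Constructed sample auth.log excerpt (RFC 5737 documentation addresses).
SAMPLE_LOG=$(cat <<'EOF'
Nov 22 10:01:03 gw sshd[1234]: Failed password for invalid user oracle from 192.0.2.10 port 51234 ssh2
Nov 22 10:01:05 gw sshd[1240]: Failed password for root from 192.0.2.10 port 51235 ssh2
Nov 22 10:01:07 gw sshd[1241]: Failed password for admin from 192.0.2.10 port 51236 ssh2
Nov 22 10:02:00 gw sshd[1250]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Nov 22 10:02:30 gw sshd[1260]: Accepted publickey for alice from 198.51.100.7 port 40001 ssh2
EOF
)

# sshd_offenders THRESHOLD < log
# Prints one source address per line for hosts with >= THRESHOLD failures.
sshd_offenders() {
    threshold=$1
    grep -E "$SSHD_FAIL_RE" |
        sed -n 's/.* from \([0-9][0-9.]*\) .*/\1/p' |
        sort | uniq -c |
        awk -v t="$threshold" '$1 >= t { print $2 }'
}

# ipfw_deny_rules RULENO < offenders
# Turns an offender list into ipfw commands. They are printed, not run,
# so an operator (or a cron job that also alerts) can review them first.
ipfw_deny_rules() {
    ruleno=$1
    while read -r host; do
        [ -n "$host" ] || continue
        printf 'ipfw add %s deny ip from %s to any\n' "$ruleno" "$host"
    done
}

# Stand-alone run over the constructed sample: 192.0.2.10 has three
# failures, 198.51.100.7 only one (then a successful login), so with a
# threshold of 2 only the first address is blackholed.
printf '%s\n' "$SAMPLE_LOG" | sshd_offenders 2 | ipfw_deny_rules 1000
```

In production the input would come from syslog (or inetd's own logging, per step 4) rather than a variable, and the emitted rules would be applied by a separate, reviewed step.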