sniffer/promisc detector

Dave Israel davei at algx.net
Tue Jan 20 17:46:47 UTC 2004



On 1/20/2004 at 09:18:07 -0800, Alexei Roudnev said:
> >
> > Uhm, that would be wrong.  This is simply "security through obscurity".
> Yes, it is wrong for the _smart books_. But it works in real life. Of
> course, it should not be the last line of defense; but it works as a first
> line very effectively.
> 
> If I rate safety as a number (10 is the best, 0 is the worst):
> - unpatched sshd on port 22 - safety is zero (will be hacked by an automated
> script in a few weeks)
> - patched sshd on port 22 - safety is 5 (even a patched sshd has bugs, and
> I do not know what happens first: I patch the next bug, or a hacker's script finds
> this sshd and hacks it)
> - unpatched sshd on port 30013 - safety is 7 (higher) because no
> automated script can find it, and no manual scan finds it in reality
> - patched sshd on port 30013 - safety is 9
> - turn off power - safety is 10. A secure system is a dark system.
> 
> (I did not rate firewalls etc.)

Actually, an automated script or manual scan can find it trivially.
All you have to do is a quick port scan, looking for this:

12:31 biohazard~>telnet [somewhere] [port]
Trying [ip_address]...
Connected to localhost.
Escape character is '^]'.
SSH-1.99-OpenSSH_3.4p1c


Plus, if you put it on a non-standard port, you tend to use the same
one across the enterprise, so it is only really obscure once.  Moving
port numbers only protects you against idle vandalism; it is useless
against people who truly wish you harm.

You really need a firewall, particularly one that can detect a port
scan and shut off the scanner, for changing ports to have any real
security.  It is kind of like a 4-digit PIN being useless for a bank
card without the 3-try limit.

-Dave
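Dave's two points above are that a banner read identifies sshd on any port, and that moving ports only helps if a firewall notices the scan and cuts the scanner off. The following is an added example, not code from the original post: it parses SSH identification strings of the "SSH-protoversion-softwareversion" form seen in the telnet output (so a defender can inventory their own hosts), and it flags sources that touch many distinct ports in a short window, which is the kind of port-scan detection the firewall would need. The log format, IP addresses, window and threshold are all constructed assumptions for the example.

```python
"""Port-scan detection over connection-log lines plus SSH banner parsing.
Added example; the log format and all sample data are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log line format: "<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+)$"
)

# SSH identification string: "SSH-<protoversion>-<softwareversion>[ <comments>]"
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?: (?P<comments>.*))?$"
)


def parse_ssh_banner(banner):
    """Return the fields of an SSH identification string, or None if the
    line is not one. This is what tells you 'that is sshd' regardless of
    the port it listens on."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    return m.groupdict()


def parse_line(line):
    """Parse one connection-log line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m.group("ts")),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "port": int(m.group("port")),
    }


def detect_scanners(lines, window=timedelta(seconds=60), max_ports=10):
    """Return {src_ip: distinct_port_count} for every source that contacted
    more than max_ports distinct ports within any sliding window of the
    given length. Malformed lines are skipped."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            events[rec["src"]].append((rec["ts"], rec["port"]))

    flagged = {}
    for src, evs in events.items():
        evs.sort()  # sort by timestamp so the window can slide forward
        start = 0
        for end in range(len(evs)):
            # Drop events that fell out of the window ending at evs[end]
            while evs[end][0] - evs[start][0] > window:
                start += 1
            ports = {p for _, p in evs[start:end + 1]}
            if len(ports) > max_ports:
                flagged[src] = max(flagged.get(src, 0), len(ports))
    return flagged


def make_sample_log():
    """Constructed sample: 203.0.113.7 probes 21 ports in 20 seconds (a
    scanner); 198.51.100.5 makes a few ordinary connections."""
    base = datetime(2004, 1, 20, 12, 31, 0)
    lines = []
    for i, port in enumerate(range(20, 41)):
        ts = base + timedelta(seconds=i)
        lines.append(f"{ts.isoformat()} 203.0.113.7 -> 192.0.2.10:{port}")
    for i, port in enumerate([22, 22, 443, 22]):
        ts = base + timedelta(seconds=5 * i)
        lines.append(f"{ts.isoformat()} 198.51.100.5 -> 192.0.2.10:{port}")
    return lines


if __name__ == "__main__":
    print(parse_ssh_banner("SSH-1.99-OpenSSH_3.4p1c"))
    for src, n in detect_scanners(make_sample_log()).items():
        print(f"scan suspect {src}: {n} distinct ports in window")
```

The window and threshold are deliberately conservative; a real deployment would tune them to the host's normal traffic and feed flagged sources to the firewall's block action, which is the "3-try limit" of Dave's PIN analogy.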
