sniffer/promisc detector
Ruben van der Leij
ruben-nanog at nutz.nl
Fri Jan 23 00:51:43 UTC 2004
+++ Jason Slagle [22/01/04 19:13 -0500]:
> > The point of the discussion was whether it made sense to run services on
> > non-standard ports to deter cr4x0rs. And I feel it doesn't.
> I've sat here and watched this discussion and kept my thoughts to myself
> because I'm thinking "Maybe I'm missing something", but I don't think I
> am.
> sshd exploit is known to the kiddies for 3 weeks before getting public.
The k1dd13 isn't able to feed a single packet to my exploitable sshd.
If I were to run that sshd on a non-standard port, and he wants my ass *and*
knows his way around with nmap or such, I would gain between minutes and an
hour, as shown by others.
Thanks to paranoid iptables I would gain days, weeks, months or more,
depending on the luck he has with finding out which and 0wn1ng those boxes I
use to gain access to the box he wants to cr4x0r.
By the way: those boxes run other OSes on different architectures, just as
a precaution. Hosted by others. Different networks, different account names
and passwords. .bash_history linked to /dev/null, you know the works.
That hour's delay won't save my ass, as it takes three weeks for others to
piece together the vulnerability. Those iptables *will* save my ass. More
often than a non-standard port, at least.
And now for running named on port 54 as a defense against buffer-overflows
in bind.. :P
--
Ruben van der Leij
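The two approaches contrasted in the post, side by side, as an added example that is not part of the original message or the poster's own configuration: one ruleset hides sshd on a non-standard port but still accepts that port from any source, the other keeps sshd on 22 and accepts it only from a short list of jump hosts with a default-DROP INPUT policy. Both are emitted in iptables-restore(8) format, and a small lint flags any ruleset in which the sshd port is reachable from the world. The jump-host addresses (192.0.2.0/24 and 203.0.113.0/24) are documentation ranges chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Emits iptables-restore(8)
# rulesets for sshd and lints them for world-reachability of the ssh port.
# Addresses used below are RFC 5737 documentation ranges, not real hosts.

# Common preamble: default DROP on INPUT/FORWARD, allow loopback and
# replies to connections the box itself opened.
_filter_preamble() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
}

# Ruleset A: "security by non-standard port". sshd listens on $1 and the
# firewall accepts that port from 0.0.0.0/0. Only the port number is hidden;
# a port scan by an attacker who cares about this box finds it.
ssh_rules_obscure_port() {
    port=$1
    _filter_preamble
    printf '%s\n' "-A INPUT -p tcp --dport $port -j ACCEPT"
    printf '%s\n' 'COMMIT'
}

# Ruleset B: sshd on $1, accepted only from the jump hosts given as the
# remaining arguments. Everyone else hits the DROP policy, so an exploit
# for sshd is useless until one of the jump hosts has been compromised.
ssh_rules_jump_hosts() {
    port=$1
    shift
    _filter_preamble
    for host in "$@"; do
        printf '%s\n' "-A INPUT -p tcp -s $host --dport $port -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Lint: read a ruleset on stdin, succeed (exit 0) if some ACCEPT rule for
# --dport $1 carries no -s source restriction, i.e. the port is open to
# the world. Exit 1 when every ACCEPT for that port is source-limited.
ssh_world_reachable() {
    port=$1
    grep -- "--dport $port " | grep -- '-j ACCEPT' | grep -qv -- ' -s '
}

# Usage when run directly: print the restricted ruleset, then report on both.
ssh_rules_jump_hosts 22 192.0.2.10 203.0.113.7
if ssh_rules_obscure_port 2222 | ssh_world_reachable 2222; then
    echo '# ruleset A: sshd on 2222 reachable from any source' >&2
fi
if ssh_rules_jump_hosts 22 192.0.2.10 203.0.113.7 | ssh_world_reachable 22; then
    echo '# ruleset B: sshd on 22 reachable from any source' >&2
else
    echo '# ruleset B: sshd on 22 only reachable from listed jump hosts' >&2
fi
```

Load either ruleset with `iptables-restore < file` on a box where you have root; the lint is meant to run over saved rulesets (e.g. the output of `iptables-save`) before they go live. It is deliberately narrow: it only looks at `-j ACCEPT` rules that match a `--dport` and does not follow user-defined chains, so a ruleset that jumps to another chain for ssh traffic needs the same question asked of that chain.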