Re: securing server
On Wednesday, 2008-05-07 at 12:47:37 +0200, Steve wrote:
> Le 07-05-2008, à 17:34:08 +0800, Abdul Bijur Vallarkodath (abdulbijur@gmail.com) a écrit :
> > just my two pence.
> and my two centimes.
> > * Change the ports of most ports like ssh, ftp, smtp, imap etc. from the
> > default ones to some other ones.
> >From my poor understanding of security related issues, I guess this is
> totally useless since any (good) port scanner will defeat this without
> any problem. Remember, security by obscurity is a bad idea.
"Security by Obscurity" refers to the attempt to protect a (usually
bad) crypto-algorithm by hiding it from review. This is called "Evasive
Maneuvers". The usual black hat scans will only look for services on
the standard ports as long as they find sufficient vulnerable machines
using those standard ports.
It will add a little security because the non-standard ports will only be
detected by an unsual scan, i.e. looking for SSH on ports 1..65535. This
takes so much longer than testing just port 22 that it will only be used
by somebody explicitly targeting the system in question.
Thus a whole class of attackers is eliminated. This means a
significantly smaller attack surface.
The more users a systems has, though, the more you will have that are
not capable of dealing with changed ports. Or who have software that
can't deal with changed ports...
Lupe Christoph
--
| The whole aim of practical politics is to keep the populace alarmed |
| (and hence clamorous to be led to safety) by menacing it with an |
| endless series of hobgoblins, all of them imaginary. |
| H. L. Mencken, "In Defense of Women", 1918 |
Reply to: