Full Disclosure mailing list archives
Re: OpenSSH is a good choice?
From: Ben Hawkes <ben.hawkes () paradise net nz>
Date: Fri, 24 Dec 2004 18:19:34 +1300
On Thu, Dec 23, 2004 at 12:43:31AM -0600, Ron DuFresne wrote:
My thoughts on this have centered on the point that there are too many decent scanning and banner grabbing tools out there to make botuse port assingments off the default any much good at obscuring the service. We are lucky in that most the coded sploits and POCs tend to be cheap in that they tend to look for specifics in a very narrowly focused tunnel. The potentials for something being crafted that is much more insidiously inventive in determing attack vectors that might be non-norm are there. And beaucse they remain at this time 'potential' should not be a reason or rationale to try and place minimally effective or incomplete controls in the security layers one uses. The IT community has been repeatedly bitten by doing less then they know better to do due to the potential of something not yet unleashed, say 1988 for example.
There needs to be some differentiation between worms and exploits here. In the case of a single attacker specifically targeting a machine, then yes, I agree that a non-standard port configuration is not going to help due to such "insidiously inventive" tools as nmap and its -sV. However a non-standard port does help in the general case when it comes to a worm. The reason that we have not seen a worm search for non-standard configurations is not so much a lack of ingenuity by the authors, but more of a realisation that the time spent on scanning each target is better spent looking for other potentially vulnerable hosts with a standard port configuration. That is to say, searching each potential host for non-standard ports is inefficient and would likely inhibit the spread of such a worm. I don't have any figures to support this claim, but its hard to imagine the percentage of non-standard port configurations for any service on the internet being high enough to be an attractive target for a worm. In the end, running a service on a non-standard port at this point in time is a useful part of a layered security approach, if only to inhibit worms. -- Ben Hawkes pie.sf.net (fiver) _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- OpenSSH is a good choice? Carlos de Oliveira (Dec 20)
- Re: OpenSSH is a good choice? Andrew Farmer (Dec 20)
- Message not available
- Re: OpenSSH is a good choice? Carlos de Oliveira (Dec 21)
- Re: OpenSSH is a good choice? hutuworm (Dec 21)
- RE: OpenSSH is a good choice? ALD, Aditya, Aditya Lalit Deshmukh (Dec 21)
- RE: OpenSSH is a good choice? Ron DuFresne (Dec 21)
- Re: OpenSSH is a good choice? Willem Koenings (Dec 21)
- Re: OpenSSH is a good choice? Ron DuFresne (Dec 22)
- Re: OpenSSH is a good choice? Willem Koenings (Dec 23)
- Re: OpenSSH is a good choice? Ron DuFresne (Dec 23)
- Re: OpenSSH is a good choice? Ben Hawkes (Dec 24)
- Re: OpenSSH is a good choice? Willem Koenings (Dec 24)
- Re: OpenSSH is a good choice? Ron DuFresne (Dec 25)
- Re: OpenSSH is a good choice? Kevin (Dec 25)
- Re: OpenSSH is a good choice? Ron DuFresne (Dec 27)
- Re: OpenSSH is a good choice? Stian Øvrevåge (Dec 24)
- Re: OpenSSH is a good choice? dk (Dec 24)
- <Possible follow-ups>
- RE: OpenSSH is a good choice? Todd Towles (Dec 23)