nanog mailing list archives
Re: sniffer/promisc detector
From: "Alexei Roudnev" <alex () relcom net>
Date: Tue, 20 Jan 2004 09:18:07 -0800
> Uhm, that would be wrong. This is simply "security through obscurity".
Yes, it is wrong according to the _smart books_. But it works in real life. Of course, it should not be the last line of defense; but it works very effectively as a first line. If I rate safety as a number (10 is the best, 0 is the worst):
- unpatched sshd on port 22 - safety is zero (will be hacked by an automated script in a few weeks)
- patched sshd on port 22 - safety is 5 (even a patched sshd has bugs, and I do not know what will happen first - I patch the next bug, or a hacker's script finds this sshd and hacks it)
- unpatched sshd on port 30013 - safety is 7 (higher), because no automated script can find it, and in reality no manual scan finds it
- patched sshd on port 30013 - safety is 9
- turn off power - safety is 10.
A secure system is a dark system. (I did not rate firewalls etc.)
> Go grab nessus (www.nessus.org), modify the code a bit, and I guarantee
> you
Yes, correct. Do it. Measure the scan time, and you will be surprised. Open old logs, and you will find that such things are not used; they are absolutely not effective for any wide scanning. And they are very easy to detect by IDS systems (it is useless to detect a port 22 scan - every hacker is doing it). Scan 65000 ports over a T1 link using 'nessus', and see the time and traffic. It can be used by an insider on a 100,000 Mbit network only, and (again) such a scan will be 100% caught by any IDS.
> that your ssh daemon running on a non-standard port can still be found, identified, and exploited. Trivial.
Can != WILL. It WILL NOT. And it is the FIRST line of defense. But this line decreases the attack level 10,000 times, and it costs 0 (zero). Do not read _smart books_ without some thinking. (There are many cases where it is impossible. But if it is possible, use it.) The second line of defense is a patched system, host IDS, etc. etc. - standard security. It should not be the first line. And it should not be the last line. The last line of defense is a HoneyPot.

PS. I worked as a RU-CERT expert, made traps, found and talked with hackers, investigated many cases, so I have some background. And, of course, I know the _smart books theory_.
> -b
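The cost and detectability argument in the exchange above (a full 65000-port scan of one host is expensive over a T1 and easy to spot, while a one-port sweep of port 22 is the cheap scan every script runs) can be put into numbers. The following is an added example, not code from the post, from nessus, or from any IDS: it computes lower bounds on probes, bytes and time for a TCP SYN scan under assumed parameters (60-byte probe on the wire, one retry per unanswered port, a 1 s timeout, 10 probes in flight, and a 1.544 Mbit/s T1; all of these are assumptions), and runs a toy sliding-window detector over constructed connection-log lines in a made-up "epoch src dst dport" format, flagging one source touching many ports on one host (the scan that would find an sshd on port 30013) and one source touching one port on many hosts (the port-22 sweep). The addresses are from the RFC 5737 documentation ranges.

```python
"""Added example: scan cost bounds and a toy port-scan / port-sweep detector."""
from collections import defaultdict

T1_BPS = 1_544_000  # assumed T1 line rate, bits per second


def scan_cost(hosts, ports=65535, probe_bytes=60, link_bps=T1_BPS,
              retries=1, timeout_s=1.0, parallel=10):
    """Lower bounds for a TCP SYN scan of `ports` ports on `hosts` hosts.

    probe_bytes: assumed on-the-wire size of one SYN (Ethernet+IP+TCP).
    retries:     extra probes sent per port that gave no answer (filtered ports).
    timeout_s:   how long the scanner waits before calling a port filtered.
    parallel:    how many probes the scanner keeps outstanding at once.
    Returns (probes, bytes, seconds). `seconds` is the larger of the
    bandwidth bound and the timeout bound, i.e. a floor, not an estimate.
    """
    probes = hosts * ports * (1 + retries)
    total_bytes = probes * probe_bytes
    bandwidth_seconds = total_bytes * 8 / link_bps
    timeout_seconds = probes * timeout_s / parallel
    return probes, total_bytes, max(bandwidth_seconds, timeout_seconds)


def _sliding_distinct(log_lines, key, value, window_s, threshold):
    """Alert on `key` when it has seen >= threshold distinct `value`s
    within the last window_s seconds. Records must be time-ordered per key."""
    seen = defaultdict(list)  # key -> list of (ts, value)
    alerts = set()
    for line in log_lines:
        ts, src, dst, dport = line.split()
        rec = (src, dst, int(dport))
        ts = float(ts)
        events = seen[key(rec)]
        events.append((ts, value(rec)))
        while events and events[0][0] < ts - window_s:   # expire old events
            events.pop(0)
        if len({v for _, v in events}) >= threshold:
            alerts.add(key(rec))
    return alerts


def detect_vertical_scans(log_lines, window_s=60, distinct_ports=100):
    """One source hitting many ports on one host: the scan that finds a
    service hidden on a non-standard port. Returns a set of (src, dst)."""
    return _sliding_distinct(log_lines, key=lambda r: (r[0], r[1]),
                             value=lambda r: r[2],
                             window_s=window_s, threshold=distinct_ports)


def detect_horizontal_sweeps(log_lines, window_s=60, distinct_hosts=50):
    """One source hitting one port on many hosts: the cheap port-22 sweep.
    Returns a set of (src, dport)."""
    return _sliding_distinct(log_lines, key=lambda r: (r[0], r[2]),
                             value=lambda r: r[1],
                             window_s=window_s, threshold=distinct_hosts)


def constructed_log():
    """Constructed sample log, format 'epoch src dst dport' (not a real format)."""
    lines = []
    # legitimate admin sessions to an sshd on port 30013, ten minutes apart
    for i in range(5):
        lines.append(f"{1000 + i * 600} 203.0.113.7 198.51.100.5 30013")
    # vertical scan: one source walks ports 1..400 of one host in about 4 s
    for p in range(1, 401):
        lines.append(f"{2000 + p * 0.01:.2f} 192.0.2.10 198.51.100.5 {p}")
    # horizontal sweep: port 22 on 150 hosts in about 8 s
    for h in range(1, 151):
        lines.append(f"{3000 + h * 0.05:.2f} 192.0.2.11 198.51.100.{h} 22")
    return lines


if __name__ == "__main__":
    for label, cost in (("all ports, one host", scan_cost(1)),
                        ("port 22, one /16", scan_cost(65536, ports=1))):
        probes, nbytes, secs = cost
        print(f"{label}: {probes} probes, {nbytes / 1e6:.1f} MB, "
              f">= {secs / 3600:.2f} h over a T1")
    log = constructed_log()
    print("vertical scans:", detect_vertical_scans(log))
    print("horizontal sweeps:", detect_horizontal_sweeps(log))
```

Two things the numbers make visible: all 65535 ports on one host costs exactly as many probes as port 22 on a whole /16, so the scanner's cost is driven by probes, not by which pattern it runs; and with filtered ports the time is dominated by the timeout bound (probes divided by parallelism), not by the T1's bandwidth, which is why raising the parallelism is the usual way to make a full-port scan fast and, at the same time, why it stands out so clearly in a per-source port count.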