RE: a record?

Isn't it just good security practice to limit telnet/SSH access to only
a few choice hosts/subnets? I know I'd never allow the 0/0 net access
to a signon screen, even if it is SSH. If you're on vacation and need
to access something, call your NOC, and have them temporarily allow your
dynamic address for SSH. When a hacker finds an open SSH host, they
think two things - This host is important to someone, and that they need
more doughnuts...

Chuck

That is an excellent idea. As soon as I hire a NOC for my personal boxes, I'll get right on that. But, since I Am Not An Isp, I doubt that is going to happen soon.

Remember, not every box on the Internet is supported by a whole network of resources (physical and human).

I have said many times - just use a non-standard port. The number of hackers who
discover this port will decrease approximately 10,000 times, to
almost 0 (in number).

(Of course, except if you are a bank).

Another approach exists as well - SecurID on the firewall. Log in to the firewall,
authenticate, and have a dynamic access list which opens ssh for you (and
still keep ssh on a port != 22).

Or OpenBSD with pf and authpf:

http://www.openbsd.org/faq/pf/authpf.html

Austin

Alexei Roudnev wrote:

Or VPN in, or set up a tunnel of some sort. Have ssh available over
the tunneled interface. Yup, lots of options available.

Though, if you have a secure ssh and reasonable control of your
passwords, it is probably safe to leave it at port 22 rather than
resorting to security by obscurity measures like running it on a
higher number port or (as at least one webhost does) running it on
443, with some kind of shim listening on that port, intercepting
requests to it and redirecting them to apache or sshd as appropriate.

Security by obscurity eliminates all (100%) of these automated scans and
automated attacks. So, having SSH on port 63023 (for example) and seeing
probes, you can be 100% sure that someone has a SPECIFIC interest in your
site, and so you can spend time and investigate what he is looking for (by,
for example, allowing him to break into a sandbox). It is impossible with port 22,
because 99.9% of these _attempts_ will be just _blind search attempts_, so
you will not be able to concentrate on the _really dangerous_ specific interest
in your site (because if I want to break into your site, and if I am serious,
then it is only a matter of time before I succeed - for example, I can use
insiders, janitors, faked messages etc... so it is quite important to see
such attacks from the beginning, in a clear field, and to prevent them by
non-technical methods in addition to technical ones).

It is like a 'NO TRESPASSING' sign on your private road - having this sign,
you can be (relatively) sure that if you see an intruder, he is (1) a burglar,
(2) someone who is lost in space and wants to ask _where am I_, (3) the FedEx
delivery guy, but not just _someone strolling around without any goal_. It is
a first-line selection, which is quite important because it decreases the number of
events thousands of times.

Of course, this is only a SIGN. Add a good fence, rifle etc. (castle, water
channel, drawbridge, knights -:)) if you have something which bad guys are
interested in. But post NO TRESPASSING first of all.

When you put it that way, fair enough.

This is just security by outrunning the bear. The assumption is bears
will stop chasing you if they catch a different hiker first.

Unfortunately, we now have decades of experience in cybersecurity that
this isn't true. It appears to work for a while, but on the Internet
bears are always hungry and learn. There are people actively scanning
for any open ports running any protocol, without a SPECIFIC interest in
your computer. SSH already has a No Trespassing banner.

You may just not have a big enough sample to see what is actually
happening.

sean@donelan.com (Sean Donelan) wrote:

> Security by obscurity eliminates all (100%) of this automated scans and
> automated attacks. So, having SSH on port 63023 (for example) and seen
> probes, you can be 100% sure that someone have SPECIFIC interest in your

> This is just security by outrunning the bear. The assumption is bears
> will stop chasing you if they catch a different hiker first.

You're failing to catch the intention here.

> Unfortunately, we now have decades of experience in cybersecurity that
> this isn't true. It appears to work for a while, but on the Internet
> bears are always hungry and learn. There are people actively scanning
> for any open ports running any protocol, without a SPECIFIC interest in
> your computer.

Funnily, I see many many more scanning attempts for the same port (or
handful of ports) across entire networks than the other way around.

And as stated before: If somebody scans 63023, he has interest in your
site and is worth the effort of doing something about it. That's the
whole point in changing the port.

Changing the port is not making the system more secure, it only filters
out passers-by.

Elmar.

I'm going to repeat what Sean said, because you clearly didn't read what he said:

"There are people actively scanning for any open ports running any protocol, without a SPECIFIC interest in your computer."

Allow me to re-state again in slightly different language so you understand this time:

Changing your port may (will?) lower the number of automated scans you see hitting your daemon, but it will _NOT_ eliminate them. IOW: Just because someone is probing for an SSH daemon on 65K ports against your box does _NOT_ mean he has a specific interest in your box.

If you honestly believe that just 'cause someone tried "ssh -p 63xxx $YOUR.BOX" it means he is specifically targeting your box, well, that is your prerogative. You are almost certain to be wrong at least part of the time, though.

Are you sure? Statistics show me the opposite.

> "There are people actively scanning for any open ports running any
> protocol, without a SPECIFIC interest in your computer."

I mean - for ANY. Pretty easy to check - set up an access list with 'log' for
2 ports - port 22 and port 63023, and show us the number of hits in 1 week.

My statistics show a 0 count on big non-standard ports. The reason is simple -
a full range scan is very slow and has a very low ratio of success, so it is
relatively useless.

> Allow me to re-state again in slightly different language so you
> understand this time:
>
> Changing your port may (will?) lower the number of automated scans
> you see hitting your daemon, but it will _NOT_ eliminate them. IOW:
> Just because someone is probing for an SSH daemon on 65K ports
> against your box does _NOT_ mean he has a specific interest in your box.

Probing - no; trying to guess passwords - 100% YES.
But the probing rate is 0, to my surprise.
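The measurement Alexei proposes above (log hits on port 22 and on the alternate port for a week, then compare) can be read out of firewall logs with a short script. The following is an added example, not code from anyone in this thread; it assumes netfilter/iptables-style LOG lines carrying SRC=, PROTO= and DPT= fields, uses constructed sample lines, and takes 63023 from the thread as the alternate port. Beyond the plain hit count it also splits the sources that reached the alternate port into ones that touched only a port or two (Alexei's "specific interest" case) and ones that touched several ports on the same host (Patrick's full-range scanner case), since that distinction decides whether a hit on the high port is worth investigating.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of netfilter LOG output (not real traffic).
SAMPLE_LOG = """\
Jan 10 03:12:41 gw kernel: SSH-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=51234 DPT=22 SYN
Jan 10 03:12:45 gw kernel: SSH-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=51235 DPT=22 SYN
Jan 10 03:15:02 gw kernel: SSH-IN: IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.5 PROTO=TCP SPT=40000 DPT=22 SYN
Jan 10 04:01:10 gw kernel: SSH-IN: IN=eth0 OUT= SRC=192.0.2.91 DST=203.0.113.5 PROTO=TCP SPT=40001 DPT=22 SYN
Jan 10 05:30:00 gw kernel: SSH-IN: IN=eth0 OUT= SRC=198.51.100.200 DST=203.0.113.5 PROTO=TCP SPT=60002 DPT=63023 SYN
Jan 10 05:30:01 gw kernel: SSH-IN: IN=eth0 OUT= SRC=198.51.100.200 DST=203.0.113.5 PROTO=TCP SPT=60003 DPT=63023 SYN
Jan 10 06:00:00 gw kernel: SSH-IN: IN=eth0 OUT= SRC=203.0.113.9 DST=203.0.113.5 PROTO=TCP SPT=60004 DPT=63023 SYN
Jan 10 06:10:00 gw kernel: HTTP-IN: IN=eth0 OUT= SRC=192.0.2.3 DST=203.0.113.5 PROTO=TCP SPT=33333 DPT=80 SYN
Jan 10 06:10:01 gw kernel: SSH-IN: IN=eth0 OUT= SRC=192.0.2.3 DST=203.0.113.5 PROTO=TCP SPT=33334 DPT=22 SYN
Jan 10 06:10:02 gw kernel: SSH-IN: IN=eth0 OUT= SRC=192.0.2.3 DST=203.0.113.5 PROTO=TCP SPT=33335 DPT=63023 SYN
Jan 10 06:11:00 gw kernel: UDP-IN: IN=eth0 OUT= SRC=192.0.2.77 DST=203.0.113.5 PROTO=UDP SPT=33333 DPT=22 LEN=40
Jan 10 06:12:00 gw kernel: ICMP-IN: IN=eth0 OUT= SRC=192.0.2.77 DST=203.0.113.5 PROTO=ICMP TYPE=8 CODE=0
"""

# The key=value fields we need; SPT= is deliberately not matched.
_FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")


def parse_line(line):
    """Return {'src','dst','proto','dpt'} for a LOG line, or None if it has no SRC/DPT."""
    fields = dict(_FIELD.findall(line))
    if "SRC" not in fields or "DPT" not in fields:
        return None
    return {"src": fields["SRC"], "dst": fields.get("DST"),
            "proto": fields.get("PROTO", "?"), "dpt": int(fields["DPT"])}


def hits_per_port(log_text, ports, proto="TCP"):
    """Hit count and distinct source set for each watched port (TCP only by default)."""
    stats = {p: {"hits": 0, "sources": set()} for p in ports}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != proto or rec["dpt"] not in stats:
            continue
        stats[rec["dpt"]]["hits"] += 1
        stats[rec["dpt"]]["sources"].add(rec["src"])
    return stats


def ports_per_source(log_text, proto="TCP"):
    """Map each source address to the set of destination ports it touched."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and rec["proto"] == proto:
            seen[rec["src"]].add(rec["dpt"])
    return seen


def sources_to_investigate(log_text, alt_port, scanner_threshold=3):
    """Split sources that hit alt_port into (targeted, scanner_like).

    A source that touched fewer than scanner_threshold distinct ports is treated
    as targeted (it knew the port); one that touched at least that many looks
    like a range scan that happened to reach the port. Both lists are sorted.
    """
    by_source = ports_per_source(log_text)
    targeted, scanner_like = [], []
    for src, ports in by_source.items():
        if alt_port not in ports:
            continue
        (scanner_like if len(ports) >= scanner_threshold else targeted).append(src)
    return sorted(targeted), sorted(scanner_like)


if __name__ == "__main__":
    for port, s in hits_per_port(SAMPLE_LOG, (22, 63023)).items():
        print(f"port {port}: {s['hits']} hits from {len(s['sources'])} sources")
    targeted, scanners = sources_to_investigate(SAMPLE_LOG, 63023)
    print("targeted:", targeted)
    print("scanner-like:", scanners)
```

Run it against a week of real LOG lines instead of SAMPLE_LOG (for example `hits_per_port(open("/var/log/kern.log").read(), (22, 63023))`) and the two counts answer the question argued over above for your own address space; the targeted list is the short set of addresses worth a closer look.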

Amen. Now, without any consideration regarding security, obscurity or
whatever, I'd say that having an sshd on port 443 somewhere is a good
idea if you happen to use a GPRS network where all except 'web' ports
are filtered (orange.fr comes to mind - at least they used to do that
when I was still living in France).

      - yann

patrick@ianai.net (Patrick W. Gilmore) wrote:

> I'm going to repeat what Sean said, because you clearly didn't read
> what he said:

You're trying to be harsh, even though I don't understand why. I read
what you just rephrased, and I understood it fully, believe me. Let me
explain my lines of thought here.

I am fully aware of people scanning the full range of ports, but then,
it's a _WHOLE LOT_ less full-port-range scans than full-address-range
scans. You will see that in your logs, too.

If the guys have found an interesting machine, they will scan all ports,
sure, but then you _WANT TO DEAL_ with these guys. Whether it is because
they are interested in you, or whether it is because they found a box
worth cracking.

That of course leaves aside the few guys who really try full-port-range
scans on a lot of boxes or, accidentally, the ones I look over. I may
be wrong in assuming they are taking interest, but I take interest in
them and do something. It still is a lot less incidents to focus on.

Saving unnecessary work is all that this is about, not whether or not
I believe something (this being safer than that, that guy having a
specific interest in this, whatever).

Actually, I really don't care about people scanning closed or blocked
ports. Except for a few potential target addresses, that is. But of
course I am not doing this by reading server logfiles and wading
through folks trying dictionary attacks on just-found-to-exist ssh
ports. That's what firewall and ID systems are good at.

Most of the time I get interested when "they" get interested, or when
there's someone coming up, doing something more elaborate than running
one of the easy scripts. Apart from that, I am simply not interested,
because I have other work to do. And if I get rid of "dummy alerts" by
changing the port for a "generic login" service, so be it.

It's a tool to save work. You don't have to use it.

Elmar.

In such a situation, you might find this project by my good friend
Nikhil Shankar interesting

It is rather old, and I haven't used it in a few years, but I'm
reasonably sure it still works just fine -
http://freshmeat.net/projects/smsterm/

Looks pretty cool. I usually use my GPRS phone for dialup from my
laptop, but I'll give it a try.

Thanks,

      - yann