Re: Security basics

On Wed, 2007-10-03 at 15:46 -0600, Karl Larsen wrote:
> Alan M. Evans wrote:
> > On Wed, 2007-10-03 at 15:40 -0500, Steve Siegfried wrote:
> >
> >   
> >> Changing ports for ssh isn't actually that hot of an idea.  Most port scanners
> >> can detect ssh implementations since they normally self-identify.  For example,
> >> if you're running ssh on the normal port (22), try executing:
> >> 	/usr/bin/telnet YOUR.HOST.IP.ADDR 22
> >> and see what pops out.
> >>     
> >
> > Of course. But most attacks aren't scanning every port on your machine
> > and trying to identify unknown services. Mostly they're just going for
> > the low-hanging fruit on the standard port numbers.
> >
> >
> >   
>     This whole line of reasoning is false.

Calm down, Karl. There's nothing at all false about my line of
reasoning, unless you claim that most attacks attempt all or most ports
on the target system searching for a login prompt.

In fact, they don't. If I were to move my SSH port to something
non-standard, say 37017, for example, I would see virtually *none* of
the login attacks that my system logs four or five times a day against
port 22.

> I don't care if Hacker, the 
> bad guy, gets on my computer with ssh. He then needs to come up with a 
> valid login name and password. If he fails at this in some set time it 
> all quits.

That's great, as long as SSH works as advertised, and nobody is lucky or
has inside information about your passwords. If the attack is exploiting
an unknown or unpatched flaw in SSH then you're out of luck.

We're talking here about layers of security. If an attack is directed at
one layer, the others are there to compensate.

>     Until you can convince me that my system is at risk from ssh when 
> using a real password I am going to sleep well.

I don't think anyone's trying to convince you of anything. Given your
history on this list, I doubt it possible anyway.

Keep your SSH and your "real password" and sleep like a baby. As for me,
I won't trust SSH alone. I employ other methods, including RSA keys,
special iptables rules, and SELinux, to enhance the security of my
system. (For the record, I run SSH on the standard port, despite the
fact that I claim it would enhance security further.)

Everyone has to decide for themselves what layers are too burdensome. It
would be a false line of reasoning to assume that your comfort level is
sufficient for everyone else, and anything that you don't do is,
therefore, a waste of time.


