On Sat, Jul 31, 2004 at 12:02:38AM -0400, Jorge Fábregas wrote:
> On Friday 30 July 2004 6:36 pm, Sam Varshavchik wrote:
> > There are more than sixty thousand other ports to choose from. Pick one,
> > and have portsentry bitch-slap anyone poking your port 22.

> I totally agree. That's "Security WITH obscurity" which is not the same as
> "Security THRU obscurity".

I don't even run ssh on IPv4 any more. I run it on IPv6 only, which is available anywhere IPv4 is (and a few places / times where you can't even GET IPv4).

Hell, sixty-five thousand ports. Penny ante. Trivial to scan for if someone really wanted it. Find it amongst 16 billion billion possible host addresses on a single IPv6 subnet (and there are 65,536 subnets to each IPv6 net, and each IPv4 address has an entire IPv6 net already assigned to it, and there is NO broadcast address) -- now THERE'S a challenge, even if you knew the subnet to look on!

As a side note... My exposed servers change the IPv6 address they are listening on for ssh every 15 minutes. No problem with DNS dynamic updates and deprecating addresses over twice the TTL (and you can't delete an address that's "in use" IAC). Now try scanning for THAT in 65,536 * 4 billion * 4 billion and catch it in the 15-minute window before it jumps behind your scan.

> --
> fedora-list mailing list
> fedora-list@xxxxxxxxxx
> To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list

Mike
--
Michael H. Warfield    | (770) 985-6132 | mhw@xxxxxxxxxxxx
/\/\|=mhw=|\/\/        | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9        | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471    | possible worlds. A pessimist is sure of it!
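The address-hopping scheme Mike describes (new listening address every 15 minutes, AAAA record replaced by dynamic update, old address deprecated for twice the TTL before removal) sketched as a bash script. This is an added example, not Mike's own script; the interface `eth0`, the documentation prefix `2001:db8:1::/64`, the zone `example.com`, the name `ssh.example.com`, the TSIG key path and a 300 s TTL are all assumed, and sshd is assumed to bind the wildcard (`ListenAddress ::`) so a newly added address is accepted without a restart.

```bash
#!/usr/bin/env bash
# Rotate the IPv6 address sshd is reached on, as in the post. Assumptions
# (not from the original message): eth0, prefix 2001:db8:1::/64, TTL 300 s,
# TSIG key in /etc/ssh-rotate.key, sshd bound to :: so any new address works.
set -eu

IFACE="${IFACE:-eth0}"
PREFIX="${PREFIX:-2001:db8:1}"      # first 64 bits of the /64
DNS_ZONE="example.com"
SSH_NAME="ssh.example.com"
TSIG_KEY="/etc/ssh-rotate.key"
DNS_TTL=300                          # seconds
ROTATE_EVERY=900                     # 15 minutes, as in the post

# Random 64-bit interface identifier as four zero-padded hextets.
random_iid() {
  od -An -N8 -tx2 /dev/urandom | awk '{printf "%s:%s:%s:%s\n",$1,$2,$3,$4}'
}

# nsupdate batch that swaps the AAAA record for $SSH_NAME to the new address.
nsupdate_script() {
  printf 'zone %s\nupdate delete %s. AAAA\nupdate add %s. %d AAAA %s\nsend\n' \
    "$DNS_ZONE" "$SSH_NAME" "$SSH_NAME" "$DNS_TTL" "$1"
}

# An old address stays deprecated for twice the TTL so cached answers expire.
grace_seconds() { echo $((2 * DNS_TTL)); }

rotate_loop() {
  local old="" new
  while :; do
    new="${PREFIX}:$(random_iid)"
    ip -6 addr add "${new}/64" dev "$IFACE"
    nsupdate_script "$new" | nsupdate -k "$TSIG_KEY"
    if [ -n "$old" ]; then
      # Deprecate first: still reachable, but no longer preferred as a source.
      ip -6 addr change "${old}/64" dev "$IFACE" preferred_lft 0
      sleep "$(grace_seconds)"
      ip -6 addr del "${old}/64" dev "$IFACE"
      sleep $(( ROTATE_EVERY - $(grace_seconds) ))
    else
      sleep "$ROTATE_EVERY"
    fi
    old="$new"
  done
}

# Only touch interfaces and DNS when explicitly asked: ./rotate.sh run
if [ "${1:-}" = "run" ]; then rotate_loop; fi
```

Run it as root from a supervisor; the grace period must stay shorter than the rotation interval, which holds for the assumed 300 s TTL and 900 s interval.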