Re: Changing SSH and Apache ports

On 12/15/05, Scot L. Harris <webid@xxxxxxxxxx> wrote:
> On Wed, 2005-12-14 at 19:54, Cameron Simpson wrote:
> > What nobody has mentioned is that this buys next to no security.  A port
> > scan will find your service regardless of the port.
> >
> > Also, changing the port number can make your service hard to reach for
> > legitimate users; for example from inside my workplace the proxy would
> > not permit me to reach a web site served on port 666.
> >
> > Moving port numbers around is usually pointless. Not always, just usually.
>
> This was discussed at length in several recent threads.
>
> But you are correct, at best this is security by obscurity.  And any
> determined hacker will run a full port scan and find the port anyway.
>
> What it is good for however is keeping the vast majority of script
> kiddies from littering your log files with junk.  This may be more
> useful for ssh ports than httpd ports.
>
> Plus the OP asked how and he was provided with the answer.  :)
>

I know that this won't save the system from a determined hacker, but
thankfully I haven't been attacked by one yet. I do get a nice long
daily log report though:

And I am constantly being tried on sshd:
    Authentication Failures:
       unknown (63.211.110.142): 853 Time(s)
       root (63.211.110.142): 129 Time(s)
       unknown (202.129.48.100): 100 Time(s)
       root (202.129.48.100): 17 Time(s)
       mail (63.211.110.142): 7 Time(s)
       unknown (203.246.75.16): 6 Time(s)
       root (203.246.75.16): 5 Time(s)
       mysql (63.211.110.142): 3 Time(s)
       mysql (202.129.48.100): 2 Time(s)
       sshd (63.211.110.142): 2 Time(s)
       adm (202.129.48.100): 1 Time(s)
       adm (63.211.110.142): 1 Time(s)
       apache (202.129.48.100): 1 Time(s)
       apache (63.211.110.142): 1 Time(s)
       ftp (202.129.48.100): 1 Time(s)
       ftp (63.211.110.142): 1 Time(s)
       games (202.129.48.100): 1 Time(s)
       games (63.211.110.142): 1 Time(s)
       gopher (63.211.110.142): 1 Time(s)
       mail (202.129.48.100): 1 Time(s)
       news (202.129.48.100): 1 Time(s)
       news (63.211.110.142): 1 Time(s)
       nobody (202.129.48.100): 1 Time(s)
       nobody (203.246.75.16): 1 Time(s)
       nobody (63.211.110.142): 1 Time(s)
       operator (202.129.48.100): 1 Time(s)
       operator (63.211.110.142): 1 Time(s)
       rpm (202.129.48.100): 1 Time(s)
       rpm (63.211.110.142): 1 Time(s)
       sshd (202.129.48.100): 1 Time(s)
    Invalid Users:
       Unknown Account: 959 Time(s)

You mention that this is not so important for http as it is with ssh.
Is this because apache is harder to compromise, or because if it is
compromised it is less dangerous? Most of the 'attacks' I get in my
apache log files are Windows exploits. I just went looking for them in
my apache log files, but now I don't see them! They were looking for
files in "C://WINDOWS/SYSTEM32/"  folder or something like that.
Strange.

Dotan
http://technology-sleuth.com/long_answer/why_are_internet_greeting_cards_dangerous.html
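
The logwatch summary quoted in the message above is grouped by account name, which hides how few hosts generate the noise. The following is an added example, not part of the original message, that re-aggregates the "Authentication Failures" section by source address; the function names and the threshold of 50 are assumptions.

```python
import re
from collections import defaultdict

# Excerpt of the logwatch sshd summary quoted in the message above.
SAMPLE_REPORT = """\
    Authentication Failures:
       unknown (63.211.110.142): 853 Time(s)
       root (63.211.110.142): 129 Time(s)
       unknown (202.129.48.100): 100 Time(s)
       root (202.129.48.100): 17 Time(s)
       mail (63.211.110.142): 7 Time(s)
       unknown (203.246.75.16): 6 Time(s)
       root (203.246.75.16): 5 Time(s)
    Invalid Users:
       Unknown Account: 959 Time(s)
"""

# Matches entry lines such as "root (63.211.110.142): 129 Time(s)".
ENTRY_RE = re.compile(r"^\s*(\S+) \(([^)]+)\): (\d+) Time\(s\)\s*$")


def failures_by_source(report):
    """Sum the 'Authentication Failures' section per source address."""
    totals = defaultdict(lambda: {"total": 0, "users": set()})
    in_section = False
    for line in report.splitlines():
        stripped = line.strip()
        if stripped.endswith(":"):  # section header, e.g. "Invalid Users:"
            in_section = stripped == "Authentication Failures:"
            continue
        match = ENTRY_RE.match(line) if in_section else None
        if match:
            user, source, count = match.groups()
            totals[source]["total"] += int(count)
            totals[source]["users"].add(user)
    return dict(totals)


def noisy_sources(report, threshold=50):
    """Sources at or above threshold (50 is assumed, not from the thread)."""
    rows = [(src, d["total"], len(d["users"]))
            for src, d in failures_by_source(report).items()
            if d["total"] >= threshold]
    return sorted(rows, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    for source, failures, accounts in noisy_sources(SAMPLE_REPORT):
        print(f"{source}: {failures} failures across {accounts} account names")
```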