On Thu, 2005-12-15 at 16:51, Dotan Cohen wrote:
> On 12/15/05, Scot L. Harris <webid@xxxxxxxxxx> wrote:
> > What it is good for however is keeping the vast majority of script
> > kiddies from littering your log files with junk. This may be more
> > useful for ssh ports than httpd ports.
>
> I know that this won't save the system from a determined hacker, but
> thankfully I haven't been attacked by one yet. I do get a nice long
> daily log report though:
>

Those are most likely script kiddies shotgunning systems for weak passwords.

>
> You mention that this is not so important for http as it is with ssh.
> Is this because apache is harder to compromise, or because if it is
> compromised it is less dangerous? Most of the 'attacks' I get in my
> apache log files are windows exploits. I just went looking for them in
> my apache log files, but now I don't see them! They were looking for
> files in "C://WINDOWS/SYSTEM32/" folder or something like that.
> Strange.

I said it is probably more useful for ssh than httpd since there seems to be a larger number of people scanning for ssh. And usually ssh is used by the admin or a limited number of people who can be told which port to use.

A web site using a different port is difficult for most users to find. If the web page is for limited users then it will be easier to pass along which port to use. But for general use it would effectively hide your site from the casual web user.

As you also point out most of the scans for web pages are looking for IIS exploits or frontpage exploits. Apache has had a few exploits as well. And if you are running things like phpnuke or similar CMS tools you could be at risk as well. Unpatched awstats or webalizer packages can also leave holes.

IMHO any compromise is dangerous.