Incidents
SSH attacks? Jul 26 2004 10:59PM Robin (robin kallisti net nz) (10 replies)
Re: SSH attacks? Jul 28 2004 04:33AM brandy (brandy klammeraffe org) (2 replies)
Re: SSH attacks? Jul 29 2004 12:22AM Andrew J Caines (A J Caines halplant com) (3 replies)
Re: SSH attacks? Jul 27 2004 09:12PM buzz (reitenba fh-brandenburg de) (2 replies)
Re: SSH attacks? Jul 27 2004 08:46PM Adam Young (adam vbfx com) (1 replies)
Re: SSH attacks? Jul 28 2004 08:19AM Christine Kronberg (Christine_Kronberg genua de) (3 replies)
Re: SSH attacks? Jul 29 2004 09:21AM Pieter-Bas IJdens (pieter-bas ijdens com) (2 replies)
> That practice affords no security benefit. Any scanner worth its
> salt (no pun...really) can identify a service even if it's running on a
> non-standard port. Nessus does this, as do a host of other scanners.

I beg to differ. Yeah, Nessus and decent scanners will identify SSH on
other ports, but the script kiddies, "nmap -sS -p 22" type scans, and
any worms or automated attack tools will most likely miss it. I'm sure
you know about low-hanging fruit. I believe changing to a different port
is like hanging your fruit a bit higher. Let the masses reach for "the
other guy's" SSH port instead...

Sure, that concept (changing ports, call it obfuscation if you must)
doesn't increase security of your host, but it alters the threat level
in your favor.

> For my own part, I set my firewall rulesets to default deny any IP
> that is not specifically blessed for interactive login. For example, I do
> not have any users who live in Asia, Europe, Canada, South America or
> Africa. Thus, those netblocks are not allowed to connect on 22/TCP.
> This helps limit the attack vectors while still allowing my users access
> to the systems they require.

This is certainly the best way to approach this. Blocking all by
default, and allowing only access to SSH from those networks where you
know you or your users are in.

The same should also be applied to any other type of VPN, be it IPSec
or PPTP or whatever. While authentication is required, there is still no
reason to expose the interface to the whole world. It would help
security greatly to default-block and allow VPN access from those areas
from which access is expected.

Cheers,
Frank
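An added example, not part of the original post: a dry run of the default-deny allowlist discussed above, replayed over sshd log lines before the firewall rule goes live. It reports which failed attempts the rule would have dropped, which legitimate logins it would have locked out, and which failures remain from inside the allowed networks. The netblocks, log lines, and function names are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed allowlist: documentation ranges standing in for the networks
# your users actually connect from (an assumption, not from the post).
ALLOWED_NETS = [ipaddress.ip_network(n)
                for n in ("192.0.2.0/24", "198.51.100.64/26")]

# Constructed sshd log lines in the usual OpenSSH syslog wording.
SAMPLE_LOG = """\
Jul 27 03:12:01 host sshd[811]: Failed password for invalid user test from 203.0.113.45 port 40112 ssh2
Jul 27 03:12:04 host sshd[813]: Failed password for invalid user guest from 203.0.113.45 port 40120 ssh2
Jul 27 08:30:15 host sshd[902]: Accepted publickey for alice from 192.0.2.17 port 51514 ssh2
Jul 27 09:02:44 host sshd[950]: Accepted password for bob from 198.51.100.200 port 50022 ssh2
Jul 27 09:40:02 host sshd[977]: Failed password for root from 198.51.100.70 port 42211 ssh2
"""

LINE_RE = re.compile(
    r"sshd\[\d+\]: (Accepted|Failed) \S+ for (?:invalid user )?(\S+) "
    r"from (\S+) port \d+")

def is_allowed(addr, nets=ALLOWED_NETS):
    """True if addr falls inside any allowlisted network (default deny)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)

def dry_run(log_text, nets=ALLOWED_NETS):
    """Replay a log against the allowlist.

    Returns (blocked, locked_out, residual):
      blocked    - failed attempts per source IP the rule would have dropped
      locked_out - (user, ip) pairs that logged in from outside the allowlist
      residual   - failed attempts per source IP still reaching sshd
    """
    blocked, residual, locked_out = Counter(), Counter(), set()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        outcome, user, addr = m.groups()
        try:
            allowed = is_allowed(addr, nets)
        except ValueError:
            continue  # source logged as a hostname, not an IP
        if outcome == "Accepted":
            if not allowed:
                locked_out.add((user, addr))
        else:
            (residual if allowed else blocked)[addr] += 1
    return blocked, locked_out, residual
```

A non-empty `locked_out` set means the allowlist needs widening before deployment; `residual` shows that authentication hardening still matters for the networks that stay open.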