On 1/20/2004 at 09:18:07 -0800, Alexei Roudnev said:
> > Uhm, that would be wrong. This is simply "security through obscurity".
> Yes, it is wrong for the _smart books_. But it works in real life. Of course, it should not be the last line of defense; but it works as a first line very effectively.
> If I rate safety as a number (10 is the best, 0 is the worst):
> - unpatched sshd on port 22 - safety is zero (will be hacked by an automated script in a few weeks)
> - patched sshd on port 22 - safety is 5 (even patched sshd has bugs, and I do not know what happens first - I patch the next bug, or a hacker's script finds this sshd and hacks it)
> - unpatched sshd on port 30013 - safety is 7 (higher), because no automated script can find it, and no manual scan finds it in reality
> - patched sshd on port 30013 - safety is 9
> - turn off power - safety is 10.
> A secure system is a dark system.
> (I did not rate firewalls etc.)
Actually, an automated script or manual scan can find it trivially. All you have to do is a quick port scan, looking for this:

12:31 biohazard~>telnet [somewhere] [port]
Trying [ip_address]...
Connected to localhost.
Escape character is '^]'.
SSH-1.99-OpenSSH_3.4p1c

Plus, if you put it on a non-standard port, you tend to use the same one across the enterprise, so it is only really obscure once. Moving port numbers only protects you against idle vandalism; it is useless against people who truly wish you harm. You really need a firewall, particularly one that can detect a port scan and shut off the scanner, for changing ports to have any real security. It is kind of like a 4-digit PIN being useless for a bank card without the 3-try limit.

-Dave
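Dave's point is that an sshd identifies itself by its banner before any authentication, on whatever port it listens. The same property lets a defender inventory their own hosts. The following Python is an added example, not code from the thread or from any of its participants: it parses the RFC 4253 identification string ("SSH-protoversion-softwareversion [comments]"), recognises the "1.99" convention for a server that still accepts protocol 1 clients, and flags OpenSSH builds older than an assumed baseline. The sample banners are constructed; only the first one appears in the thread, and the baseline version and the finding labels are assumptions for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample banners (only the first one appears in the thread).
SAMPLE_BANNERS = [
    b"SSH-1.99-OpenSSH_3.4p1c\r\n",
    b"SSH-2.0-OpenSSH_9.6 Debian-5\r\n",
    b"SSH-2.0-dropbear_2022.83\r\n",
    b"220 mail.example.test ESMTP ready\r\n",  # an SMTP greeting, not SSH
]

# RFC 4253 identification string: SSH-protoversion-softwareversion [SP comments] CR LF
_IDENT_RE = re.compile(r"^SSH-(?P<proto>[0-9.]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")


@dataclass
class SshIdent:
    protoversion: str
    softwareversion: str
    comments: Optional[str]

    @property
    def accepts_v1_clients(self) -> bool:
        # "1.99" is the RFC 4253 convention for a server that still talks to protocol 1 clients.
        return self.protoversion.startswith("1.")


def parse_ident(line: bytes) -> Optional[SshIdent]:
    """Parse one server identification line; None when it is not an SSH banner at all."""
    text = line.decode("ascii", errors="replace").rstrip("\r\n")
    m = _IDENT_RE.match(text)
    if m is None:
        return None
    return SshIdent(m["proto"], m["software"], m["comments"])


def openssh_version(ident: SshIdent) -> Optional[tuple]:
    """(major, minor) for an OpenSSH banner such as OpenSSH_3.4p1c; None for other software."""
    m = re.match(r"OpenSSH_(\d+)\.(\d+)", ident.softwareversion)
    if m is None:
        return None
    return (int(m.group(1)), int(m.group(2)))


def audit(banners, minimum_openssh=(9, 0)):
    """Map each banner to a finding string so an inventory can flag what needs attention.

    minimum_openssh is an assumed baseline for the example, not a recommendation.
    """
    findings = {}
    for raw in banners:
        ident = parse_ident(raw)
        key = raw.decode("ascii", errors="replace").strip()
        if ident is None:
            findings[key] = "not-ssh"
            continue
        problems = []
        if ident.accepts_v1_clients:
            problems.append("protocol-1-enabled")
        ver = openssh_version(ident)
        if ver is not None and ver < minimum_openssh:
            problems.append("openssh-below-baseline")
        findings[key] = ",".join(problems) if problems else "ok"
    return findings


if __name__ == "__main__":
    for banner, finding in audit(SAMPLE_BANNERS).items():
        print(f"{banner:40} {finding}")
```

Run against banners collected from your own hosts, the audit separates "moved to an odd port" from "actually patched": the banner from the thread is reported as both protocol-1-enabled and below the baseline, which is the distinction Alexei's safety scores were trying to capture.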
* davei@algx.net (Dave Israel) [Tue 20 Jan 2004, 18:48 CET]:
> On 1/20/2004 at 09:18:07 -0800, Alexei Roudnev said: [..]
> > - unpatched sshd on port 30013 - safety is 7 (higher), because no automated script can find it, and no manual scan finds it in reality
> Actually, an automated script or manual scan can find it trivially. All you have to do is a quick port scan, looking for this: [..]

Indeed. And Alexei's point is that no one is looking for that.

> one across the enterprise, so it is only really obscure once. Moving port numbers only protects you against idle vandalism; it is useless against people who truly wish you harm.

Alexei's point also was that you need additional measures against those people.

> You really need a firewall, particularly one that can detect a port scan and shut off the scanner, for changing ports to have any real security. It is kind of like a 4-digit PIN being useless for a bank card without the 3-try limit.

Unless you like really, really sore fingers, and don't think a long line of people waiting behind you at the ATM will attract any attention from the bank employees.

-- Niels.
> > (I did not rate firewalls etc.)
> Actually, an automated script or manual scan can find it trivially.
> All you have to do is a quick port scan, looking for this:

We can make an experiment:
- I put such a system (with ssh) on a /26 network;
- you scan it, find it, and report to me the time and bandwidth used for this scan.

Do not forget - 1 host has 65,000 ports, and if I want to mislead you, I'll create 1,000 false sshd and 1 real sshd... 65000 ports means approx. 100,000 packets to scan... (in most cases, a good firewall does not send a negative response). Even if you send 1,000 packets/second (which is impossible on the Internet), you will spend 1 - 2 minutes just to scan all ports (in our tests, it took 2 - 10 minutes on the LAN, depending on the tool, and alarmed all existing IDS systems); 2 minutes x 200 hosts == 6 hours. 2 - 6 hours to scan a /24 network (just to scan all ports, without getting a response).

In real life, you can make some tricks, but the truth is that no _full range_ port scans were detected on the Internet during 1 year (I have no more statistics). No worm or virus was able to detect any non-standard port. No hacked host (with hacker tools installed) which I investigated had any script doing such a scan.

So, it is a very good line 1 of defense. It just decreases the intensity of possible attacks 10 - 1000 times, and (again) for 0 cost. This does not eliminate possible attacks, of course. And I do not recommend it as _the only_ defense. But it is an _effective_ precaution - do not use standard ports if you can use non-standard ones.

> 12:31 biohazard~>telnet [somewhere] [port]
> Trying [ip_address]...
> Connected to localhost.
> Escape character is '^]'.
> SSH-1.99-OpenSSH_3.4p1c
>
> Plus, if you put it on a non-standard port, you tend to use the same
> one across the enterprise, so it is only really obscure once. Moving
> port numbers only protects you against idle vandalism; it is useless
> against people who truly wish you harm.

Those people use a simpler trick - pretend to be a janitor :-). They will not scan your network. Just again - this defense is against any automated tools. 99.99% of the harm in the last attacks was made by automated tools.

PS. We used a simple scheme to correlate _IP_ and _port_ (it was 6 years ago). So, it was not the same port. Then, if you have sshd opened, it will be 1 - 2 sshd for the whole enterprise - no problem with port number. The list of services is wide - qpopper, sshd, cvs server - all were hacked by automated tools during the last few years. I know real cases for sshd and qpopper. In all cases, a non-standard port could have prevented the intrusion.

> You really need a firewall, particularly one that can detect a port
> scan and shut off the scanner, for changing ports to have any real
> security. It is kind of like a 4-digit PIN being useless for a bank
> card without the 3-try limit.

Yes, but firewall + non-standard port allows you to see a scan well in advance; firewall + standard port allows an undetected scan (use a slow scan, no problem to scan all :22 ports for a /16 network... much faster than to scan all ports for a /24 network). Firewall + sshd on port 22 is worse than no firewall and sshd on port 7765 (if no other ports are opened). A firewall can not do much with SSL and SSH protocols, except if it terminates these protocols itself (which is the safest case).

PS. Some automated responses make a DoS attack easy, using this automated response. Just imitate an attack from address A - and the firewall will block A instead of you... what a surprise... So, such tools are very sharp - for both bad guys and good guys.

> -Dave
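Two points in this exchange lend themselves to a concrete defender-side check: Dave's "firewall that can detect a port scan and shut off the scanner", and Alexei's caveat that an automatic block can be turned into a denial of service by forging the source address of the "attack". The Python below is an added example, not code from the thread or from any of its participants. It runs a distinct-destination-port detector over constructed iptables-style DROP lines (the log format, the addresses, the 60-second window, the threshold of 20 ports and the never-auto-block set are all assumptions for the example), and then keeps the block decision separate from the alert so that a source a forged SYN could impersonate, such as the site's own resolver, only raises an alert instead of being cut off.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed iptables-style DROP lines (not a real log). Three sources in one minute:
# 203.0.113.7 walks 50 different ports, 198.51.100.20 retries port 443, and
# 192.0.2.53 (assumed here to be the site's recursive resolver) appears to walk 30 ports,
# which is what a forged-source "attack" against an auto-blocking firewall looks like.
def _line(sec, src, dport):
    return (f"Jan 20 12:31:{sec:02d} fw kernel: DROP IN=eth0 SRC={src} DST=192.0.2.10 "
            f"PROTO=TCP SPT=40000 DPT={dport}")

LOG_LINES = (
    [_line(s, "203.0.113.7", 1 + s) for s in range(50)]
    + [_line(s, "198.51.100.20", 443) for s in range(30)]
    + [_line(s, "192.0.2.53", 8000 + s) for s in range(30)]
)

# Assumed set: addresses whose source field is cheap to forge in a bare SYN
# and costly to block by mistake, so they never get an automatic block.
NEVER_AUTO_BLOCK = {"192.0.2.53"}

_LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*\bSRC=(?P<src>[\d.]+) .*\bDPT=(?P<dport>\d+)"
)


@dataclass
class DropEvent:
    ts: datetime
    src: str
    dport: int


def parse_line(line, year=2004):
    """Parse one DROP line; None for anything that is not a firewall drop record."""
    m = _LINE_RE.match(line)
    if m is None:
        return None
    # syslog timestamps carry no year; the caller supplies it.
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
    return DropEvent(ts, m["src"], int(m["dport"]))


def detect_scans(lines, window_seconds=60, threshold=20):
    """Return {src: most distinct destination ports seen within one sliding window}
    for every source that reached the threshold."""
    per_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            per_src[ev.src].append(ev)
    alerts = {}
    for src, events in per_src.items():
        events.sort(key=lambda e: e.ts)
        window = deque()
        for ev in events:
            window.append(ev)
            while ev.ts - window[0].ts > timedelta(seconds=window_seconds):
                window.popleft()
            distinct = len({e.dport for e in window})
            if distinct >= threshold:
                alerts[src] = max(distinct, alerts.get(src, 0))
    return alerts


def block_decisions(alerts, never_auto_block=NEVER_AUTO_BLOCK):
    """Auto-block ordinary scanners; only alert for addresses a forged SYN could impersonate."""
    return {src: ("alert-only" if src in never_auto_block else "block") for src in alerts}


if __name__ == "__main__":
    found = detect_scans(LOG_LINES)
    for src, action in block_decisions(found).items():
        print(f"{src:16} {found[src]:3d} distinct ports in 60s -> {action}")
```

With sshd moved off port 22, every probe of the standard port lands in this deny log, which is the "see a scan well in advance" effect Alexei describes; the never-auto-block set is the minimum guard against the self-inflicted DoS he warns about, and a production deployment would extend it to every upstream the site cannot afford to lose.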
participants (3)
- Alexei Roudnev
- Dave Israel
- Niels Bakker