From: "Patrick W. Gilmore" <patrick@ianai.net> Subject: Re: a record? Date: Sun, 20 Nov 2005 10:45:21 -0500
On Nov 20, 2005, at 6:17 AM, Elmar K. Bins wrote:
Unfortunately, we now have decades of experience in cybersecurity that this isn't true. It appears to work for a while, but on the Internet bears are always hungry and learn. There are people actively scanning for any open ports running any protocol, without a SPECIFIC interest in your computer.
Funnily, I see many, many more scanning attempts for the same port (or handful of ports) across entire networks than the other way around.
And as stated before: If somebody scans 63023, he has interest in your site and is worth the effort of doing something about it. That's the whole point in changing the port.
Changing the port is not making the system more secure, it only filters out passers-by.
I'm going to repeat what Sean said, because you clearly didn't read what he said:
"There are people actively scanning for any open ports running any protocol, without a SPECIFIC interest in your computer."
Allow me to re-state again in slightly different language so you understand this time:
Changing your port may (will?) lower the number of automated scans you see hitting your daemon, but it will _NOT_ eliminate them.
You know, you and he are "having an agreement", in large part. He *expressly disclaimed* any increase in security, saying that his approach *only* eliminated the casual 'passers-by'.
IOW: Just because someone is probing for an SSH daemon on 65K ports against your box does _NOT_ mean he has a specific interest in your box.
A sweep across all ports on each box, for a specific protocol, is orders of magnitude slower than scanning only the (be it a single one or a handful) 'well known' ports for that service. A scan-all-ports search can only check 16 machines in the time a single-port scan can check _over_a_million_ machines. The scan-all-ports searcher is clearly more interested in finding an exploit on "one of a relatively small number of boxes" than he is in 'finding an exploitable box, "somewhere"'. He is concentrating his attack efforts on a _comparatively_small_ range of addresses, rather than on a broad-based 'opportunistic' search. And he has a 'reason' for doing that. It may well *NOT* be "because of who the boxes belong to", nor "what 'interesting' data can be found on them" -- it may simply be that they're on a 'fat pipe' connection. Or 'who knows what.'
If you honestly believe that just 'cause someone tried "ssh -p 63xxx $YOUR.BOX" it means he is specifically targeting your box, well, that is your prerogative. You are almost certain to be wrong at least part of the time, though.
The guy who does that _is_ "more worrisome" than the 'casual door knocker' on 'port 22'. Whether or not he's after me _in_particular_, I don't really care. He is mounting a 'more determined' attack against my resources than the average clown. *AS*SUCH*, the 'wise man' takes faster, and more aggressive, defensive actions when this type shows his face. He is considerably more determined, and quite probably somewhat more skillful, than the 'typical' doorknob rattler. This is true, whether or not he's deliberately going after _me_. <grin> Lastly, by setting things up such that you don't have to examine all the port 22 doorknob rattling to see if there's anything 'more determined' going on -- that 'noise reduction' makes the serious attempts *much* more visible. "Security by obscurity" is _not_ a complete solution, in-and-of itself, no question. However, it _can_ be a big 'first step' to help in weeding out the 'casual' stuff from the more determined attempts.
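As an added example (not code from the thread or from any of its authors), the following Python script applies the triage logic argued above to constructed iptables-style drop logs: hits on port 22 alone are treated as background noise, a hit on the relocated SSH port (63023, the value used earlier in the thread) is escalated, and a source that touches many distinct destination ports is flagged as a sweep and ranked first. The log lines, the addresses and the sweep threshold are made up for illustration.

```python
"""Triage firewall drop logs so that determined probes stand out from
port-22 doorknob rattling.

Added example: the log lines below are constructed iptables-style entries,
not real captures. The relocated sshd port is the one named in the thread;
the sweep threshold is an illustrative choice, not a recommendation."""
import re
from collections import defaultdict

SSH_PORT = 63023          # where sshd was moved to (from the thread)
SWEEP_THRESHOLD = 20      # distinct dst ports per source that count as a sweep (assumed)

# Fields we need from a kernel/iptables log line; only TCP is considered.
LINE_RE = re.compile(r"SRC=(?P<src>[\d.]+) .*?PROTO=TCP .*?DPT=(?P<dport>\d+)")

# Constructed sample: 198.51.100.7 rattles port 22 only, 203.0.113.5 goes
# straight for the moved port, 192.0.2.77 walks a block of high ports.
SAMPLE_LOG = []
for _ in range(5):
    SAMPLE_LOG.append("kernel: DROP IN=eth0 SRC=198.51.100.7 DST=10.0.0.2 PROTO=TCP SPT=40000 DPT=22")
SAMPLE_LOG.append("kernel: DROP IN=eth0 SRC=203.0.113.5 DST=10.0.0.2 PROTO=TCP SPT=51515 DPT=63023")
for p in range(63000, 63030):
    SAMPLE_LOG.append(f"kernel: DROP IN=eth0 SRC=192.0.2.77 DST=10.0.0.2 PROTO=TCP SPT=4444 DPT={p}")
# A non-TCP line, which the parser ignores.
SAMPLE_LOG.append("kernel: DROP IN=eth0 SRC=192.0.2.77 DST=10.0.0.2 PROTO=UDP SPT=4444 DPT=53")

# Lower number = more worrying; used to order the escalation list.
PRIORITY = {"sweep": 0, "moved-port-probe": 1, "other": 2, "port-22-noise": 3}


def parse_line(line):
    """Return (src, dport) for a TCP drop line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group("src"), int(m.group("dport"))


def triage(lines, ssh_port=SSH_PORT, sweep_threshold=SWEEP_THRESHOLD):
    """Group drops by source and label each source.

    sweep            : many distinct destination ports from one source
    moved-port-probe : the relocated sshd port was hit directly
    port-22-noise    : only the well-known port was touched
    other            : anything else (e.g. a single unrelated port)
    """
    per_src = defaultdict(lambda: {"hits": 0, "ports": set()})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dport = parsed
        per_src[src]["hits"] += 1
        per_src[src]["ports"].add(dport)

    report = {}
    for src, info in per_src.items():
        ports = info["ports"]
        if len(ports) >= sweep_threshold:
            category = "sweep"
        elif ssh_port in ports:
            category = "moved-port-probe"
        elif ports <= {22}:
            category = "port-22-noise"
        else:
            category = "other"
        report[src] = {
            "hits": info["hits"],
            "distinct_ports": len(ports),
            "category": category,
        }
    return report


def serious_sources(report):
    """Sources worth acting on, most determined first; port-22 noise is dropped."""
    keep = [s for s, r in report.items() if r["category"] != "port-22-noise"]
    return sorted(keep, key=lambda s: (PRIORITY[report[s]["category"]], s))


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for src in serious_sources(result):
        r = result[src]
        print(f"{src:15} {r['category']:17} hits={r['hits']} ports={r['distinct_ports']}")
```

The ordering encodes the thread's point: a source sweeping a range of ports outranks one that knocks once on the moved port, and both outrank the port-22 background, which never reaches the escalation list at all.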
Robert Bonomi