The FreeBSD Diary

 Security through obscurity.
Author: alive 
Date:   31-01-07 17:06

Putting sshd on a "higher port" is security through obscurity.

Brute-force bots try a limited set of usernames, and should therefore in practice not be feared by a sensible admin.

Through this, we can conclude that if someone actually, really, wanted to break into *your* server, changing the port of your sshd is not going to hinder them one least bit. The first thing a hacker ever does to a server is to probe for open ports using nmap.

However, I do believe that only allowing ssh key logins is a good part of the solution: Passwords are insecure.

For everybody else, I would suggest either disabling password authentication on their sshd, or downloading DenyHosts (it's in the ports, and on denyhosts.sf.net).

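What DenyHosts automates, counting failed password logins per source address in the sshd log and turning repeat offenders into deny rules, can be sketched in a few lines of shell. This is an added example, not code from the post or from the DenyHosts project; the log lines are constructed for it (addresses from the RFC 5737 documentation ranges), and it assumes sshd honours hosts.allow(5) through tcp_wrappers, as the FreeBSD base sshd did at the time.

```shell
#!/bin/sh
# Added example: a DenyHosts-style pass over sshd log lines. The log lines
# below are constructed for this example, not taken from a real auth.log;
# the addresses come from the documentation ranges (RFC 5737).
SAMPLE_LOG='Jan 31 17:06:01 bast sshd[1201]: Failed password for invalid user admin from 192.0.2.10 port 40211 ssh2
Jan 31 17:06:03 bast sshd[1203]: Failed password for invalid user oracle from 192.0.2.10 port 40215 ssh2
Jan 31 17:06:05 bast sshd[1205]: Failed password for root from 192.0.2.10 port 40220 ssh2
Jan 31 17:06:08 bast sshd[1207]: Failed password for dan from 198.51.100.7 port 51000 ssh2
Jan 31 17:06:12 bast sshd[1209]: Accepted publickey for dan from 198.51.100.7 port 51002 ssh2
Jan 31 17:06:20 bast sshd[1211]: Failed password for invalid user test from 192.0.2.10 port 40230 ssh2
Jan 31 17:06:25 bast sshd[1213]: Failed password for invalid user guest from 203.0.113.5 port 33000 ssh2'

# offenders [threshold]: read sshd log lines on stdin and print "<count> <ip>"
# for every source with at least <threshold> failed password logins (default 3),
# most failures first. Key-based logins never produce a "Failed password" line,
# so a key-only daemon contributes nothing here.
offenders() {
    threshold="${1:-3}"
    awk -v t="$threshold" '
        /sshd\[[0-9]+\]: Failed password for / {
            # The source address is the field after "from".
            for (i = 1; i <= NF; i++)
                if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= t) print fails[ip], ip }
    ' | sort -rn
}

# deny_rules [threshold]: emit one hosts.allow(5) line per offender, in the
# tcp_wrappers syntax FreeBSD's /etc/hosts.allow uses (assumption: sshd was
# built with tcp_wrappers support, as the base system sshd was at the time).
deny_rules() {
    offenders "$1" | awk '{ print "sshd : " $2 " : deny" }'
}

# Stand-alone run; on a real host replace the sample with something like
#   tail -n 5000 /var/log/auth.log | deny_rules 3
printf '%s\n' "$SAMPLE_LOG" | deny_rules 3
```

With the sample above only 192.0.2.10 crosses the default threshold of three failures; the one failed password from 198.51.100.7 followed by an accepted public key is the ordinary fat-fingered login that a threshold is there to forgive.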
 Re: Security through obscurity.
Author: Dan 
Date:   31-01-07 17:25

alive wrote:

> Putting sshd on a "higher port" is security through obscurity.

You say that as if it is a bad thing.

> Brute-force bots try a limited set of usernames, and should
> therefore in practice not be feared by a sensible admin.
>
> Through this, we can conclude that if someone actually, really,
> wanted to break in to *your* server, changing the port of your
> sshd is not going to hinder them one least bit. The first thing
> a hacker ever does to a server is to probe for open ports using
> nmap.

None of which I contradict.

ssh on port 22 is tightly restricted with respect to who can talk to it. ssh on the other port is not. Anyone can talk to it. By moving it to another port, the number of door-knockers has dropped considerably.

This isn't to stop or deter the determined. It is to get rid of the script kiddies.

> However, I do believe that only allowing ssh key logins is a
> good part of the solution: Passwords are insecure.

Gee, thanks! I'm glad I wasn't wasting my time. ;)

> For everybody else, I would suggest to either disable password
> authentication on their sshd, or download DenyHosts (It's in
> the ports, and on denyhosts.sf.net)

I would welcome an article from you on DenyHosts.

--
Webmaster

 Re: Security through obscurity.
Author: alive 
Date:   31-01-07 17:34

Dan wrote:

> alive wrote:
>
> > Putting sshd on a "higher port" is security through obscurity.
>
> You say that as if it is a bad thing.

Well, yes, I do indeed believe that security through obscurity is a bad thing, as it unwillingly "relaxes" a person, whether we want it or not, into thinking that the obscurity-hack has somehow helped an issue of security, when in fact it hasn't.

> > Brute-force bots try a limited set of usernames, and should
> > therefore in practice not be feared by a sensible admin.
> >
> > Through this, we can conclude that if someone actually, really,
> > wanted to break in to *your* server, changing the port of your
> > sshd is not going to hinder them one least bit. The first thing
> > a hacker ever does to a server is to probe for open ports using
> > nmap.
>
> None of which I contradict.
>
> ssh on port 22 is tightly restricted with respect to who can
> talk to it. ssh on the other port is not. Anyone can talk to
> it. By moving it to another port, the number of door-knockers
> has dropped considerably.
>
> This isn't to stop or deter the determined. It is to get rid
> of the script kiddies.
>
> > However, I do believe that only allowing ssh key logins is a
> > good part of the solution: Passwords are insecure.
>
> Gee, thanks! I'm glad I wasn't wasting my time. ;)

I apologize if my previous post came off as if I were criticizing your article, because it wasn't. The only reason I commented on it is because articles about security make me feel warm and fuzzy inside :)

> > For everybody else, I would suggest to either disable password
> > authentication on their sshd, or download DenyHosts (It's in
> > the ports, and on denyhosts.sf.net)
>
> I would welcome an article from you on DenyHosts.

I think I might just do that, then :)

 Re: Security through obscurity.
Author: Dan 
Date:   31-01-07 17:48

alive wrote:

> Dan wrote:
>
> > alive wrote:
> >
> > > Putting sshd on a "higher port" is security through
> > > obscurity.
> >
> > You say that as if it is a bad thing.
>
> Well, yes, I do indeed believe that security through obscurity
> is a bad thing, as it unwillingly "relaxes" a person, either we
> want it or not, into thinking that the obscurity-hack has
> somehow helped an issue of security, when in fact it hasn't.

My point in putting sshd on a higher port was for my convenience. ssh is still running on the lower port, but strongly filtered.

The sshd on the higher port REQUIRES a key-based login. The lower one does not. AFAIK, it is not possible to do both with a single instance of the ssh daemon.

I'm not quite sure yet where I am attempting to obscure things.

--
Webmaster

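The layout Dan describes, a filtered stock sshd on port 22 plus a second instance on a high port that accepts keys only, takes a separate config file and a second rc script. The script below is an added example, not Dan's configuration or anything from the FreeBSD project: the port 2222, the file name sshd_keyonly_config, the rc script name sshd_keyonly and the demo directory under $TMPDIR are its own choices, and it assumes /etc/rc.d/sshd has been copied and renamed to manage the second instance. It also includes a small audit that reads a config the way sshd does (first occurrence of a keyword wins) and refuses one that leaves any password path open.

```shell
#!/bin/sh
# Added example of the two-daemon layout: the stock sshd stays on port 22
# behind a packet filter (not shown), and a second instance on a high port
# accepts keys only. The port (2222), file names and the rc script name
# sshd_keyonly are this example's own choices, not taken from the thread.
set -eu

HIGH_PORT=2222
# On a real host this would be /etc/ssh; the demo writes under $TMPDIR.
CONF_DIR="${CONF_DIR:-${TMPDIR:-/tmp}/sshd-keyonly-demo}"
KEYONLY_CONF="$CONF_DIR/sshd_keyonly_config"

# Write the config for the second instance. sshd_config(5) takes the first
# value it sees for a keyword, so each directive appears exactly once.
write_keyonly_config() {
    mkdir -p "$CONF_DIR"
    cat > "$KEYONLY_CONF" <<EOF
# Second sshd: reachable from anywhere, so no password path at all.
Port $HIGH_PORT
# A separate pid file so the two daemons do not trample each other.
PidFile /var/run/sshd_keyonly.pid
# Reuse the stock host keys so clients see one host identity on both ports.
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
PubkeyAuthentication yes
PasswordAuthentication no
# Also closes the PAM keyboard-interactive route that can still ask for a password.
ChallengeResponseAuthentication no
PermitRootLogin no
EOF
}

# rc.conf lines to start both daemons at boot. Assumption: /etc/rc.d/sshd has
# been copied to /usr/local/etc/rc.d/sshd_keyonly with its name changed, since
# the stock script only manages one instance.
rc_conf_lines() {
    cat <<EOF
sshd_enable="YES"
sshd_keyonly_enable="YES"
sshd_keyonly_flags="-f /etc/ssh/sshd_keyonly_config"
EOF
}

# audit_keyonly <file>: succeed only if the config explicitly disables every
# password path and enables keys. Missing directives count as failures because
# sshd's built-in defaults for the first two are "yes".
audit_keyonly() {
    f="$1"
    rc=0
    for want in "PasswordAuthentication no" \
                "ChallengeResponseAuthentication no" \
                "PubkeyAuthentication yes"; do
        key="${want% *}"
        val="${want#* }"
        # First uncommented occurrence wins, exactly as sshd reads the file.
        got=$(awk -v k="$key" '$1 !~ /^#/ && tolower($1) == tolower(k) { print $2; exit }' "$f")
        if [ "${got:-unset}" != "$val" ]; then
            echo "$f: $key is '${got:-unset}', want '$val'" >&2
            rc=1
        fi
    done
    return "$rc"
}

write_keyonly_config
audit_keyonly "$KEYONLY_CONF" && echo "ok: $KEYONLY_CONF passes the key-only audit"
rc_conf_lines
```

The audit is the part worth keeping around: a single stray `PasswordAuthentication yes` placed earlier in the file than the `no` silently reopens password logins on the world-reachable port, and sshd gives no warning about it. Later OpenSSH releases added `LocalPort` as a `Match` criterion, which lets one daemon listen on both ports and require keys only on the high one; the OpenSSH of the thread's time predates that, so two instances was the practical answer.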
 Re: Security through obscurity.
Author: alive 
Date:   12-10-07 05:33

Hi Dan,
I've finally written the article.
http://nixy.dk/2007/10/12/denyhosts-on-freebsd-62/

 Re: Security through obscurity.
Author: Dan 
Date:   12-10-07 09:17

Thanks.

I suggest submitting a story to http://bsdnews.com

--
Webmaster
