Spike in SSH attacks
Benjamin Scott
dragonhawk at gmail.com
Mon Jun 21 12:25:58 EDT 2010
On Mon, Jun 21, 2010 at 11:05 AM, Chip Marshall <chip at 2bithacker.net> wrote:
> On 21-Jun-2010, Bill Sconce <sconce at in-spec-inc.com> sent:
>> START WITH NEVER EXPOSING SSHD ON PORT 22.
>
> http://en.wikipedia.org/wiki/Security_through_obscurity
>
> Personally, I think this is a flawed approach to securing a machine.
I put sshd on a non-standard port, but I don't depend on that for
security. I do it as a method of keeping a low profile. It cuts down
on log noise, if nothing else. It's also a counter-measure against
zero-day exploitation of SSH vulnerabilities. I don't see how that's
a bad thing.
Combined with a guarded port knocking scheme, it can be a fairly
effective counter-measure against wide-area automated scans.
The classic definition of "security by obscurity" is an element
which, once known, compromises security, and which cannot be easily
changed without changing the security design. For example, I believe
all Xerox copiers made in the past several years use the same "service
password" to access a diagnostic menu. There's no way to change it,
and the field service techs all depend on it being the same. *That's*
security by obscurity.
If my *only* method of defense was a non-standard SSH port, and I
was using weak passwords and never updated my software, then yes,
*that* would be a problem.
It's an aphorism in the security world that a car alarm doesn't
prevent a car thief from stealing your car. It just makes it easier
to steal the car parked next to yours.
> It only serves to encourage full port scans of machines, which wastes even
> more bandwidth.
If attackers are going to move to doing full port scans, they're
going to do that. They don't need or care about our encouragement.
They've got more resources available than us.
-- Ben
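As an added illustration (not code from this thread or its authors), the script below quantifies the "log noise" and brute-force bursts Ben describes: it parses constructed sshd auth.log lines and flags sources whose failed logins cluster inside a sliding time window. The sample lines, the 5-failure threshold and the 60-second window are assumptions to adjust for your own host.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log lines (syslog/OpenSSH format); not from the thread.
SAMPLE_LOG = """\
Jun 21 11:00:01 host sshd[1001]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
Jun 21 11:00:03 host sshd[1002]: Failed password for invalid user oracle from 203.0.113.5 port 40002 ssh2
Jun 21 11:00:04 host sshd[1003]: Failed password for root from 203.0.113.5 port 40003 ssh2
Jun 21 11:00:06 host sshd[1004]: Failed password for invalid user test from 203.0.113.5 port 40004 ssh2
Jun 21 11:00:09 host sshd[1005]: Failed password for invalid user guest from 203.0.113.5 port 40005 ssh2
Jun 21 11:05:30 host sshd[1010]: Accepted publickey for ben from 198.51.100.7 port 50123 ssh2
Jun 21 11:07:12 host sshd[1011]: Failed password for ben from 198.51.100.7 port 50124 ssh2
"""

# Matches the failed-password line sshd writes for both real and "invalid user" names.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)

def parse_failures(log_text, year=2010):
    """Return (timestamp, source_ip, username) for every failed-password line."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:  # syslog omits the year, so the caller supplies it
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"], m["user"]))
    return events

def peak_failures(events, window_seconds=60):
    """Peak number of failures from each source inside any window_seconds span."""
    per_ip = defaultdict(list)
    for ts, ip, _ in events:
        per_ip[ip].append(ts)
    peaks = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        start, best = 0, 0
        for end, ts in enumerate(stamps):  # sliding window over sorted timestamps
            while (ts - stamps[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        peaks[ip] = best
    return peaks

def burst_sources(events, threshold=5, window_seconds=60):
    """Sources whose peak reaches the threshold: a scan burst, not a user's typo."""
    return {ip for ip, n in peak_failures(events, window_seconds).items() if n >= threshold}
```

Run it against a real `/var/log/auth.log` to see how much of the noise comes from a handful of scanning hosts before and after moving the port.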