Security Incidents mailing list archives

Re: SSH attacks?


From: mgotts () 2roads com
Date: Fri, 30 Jul 2004 17:06:24 -0700

If you are so worried about SSH security why don't you just run sshd
on a non-standard port.

   That practice affords no security benefit.  Any scanner worth its
salt (no pun...really) can identify a service even if it's running on a
non-standard port.  Nessus does this, as do a host of other scanners.

It certainly does afford a security benefit.

The issue isn't whether or not there are tools that can identify a service 
on a nonstandard port (as you note, such tools are readily available). The 
issue -- especially in this case -- is that such scanning of all 65535 
ports is not being done by the worms and other automated attack tools 
being discussed. These sorts of attacks are going after the low-hanging 
fruit, the easy exploit and, if a worm, frequently looking for rapid 
infection rates. Scanning every port doesn't provide enough benefit to the 
attacker to be useful, especially considering that you can argue that 
anybody who bothers to change the port probably is also at least minimally 
aware of security.

Is it *good* security? No. Will an attacker who is specifically trying to 
penetrate your network be stopped? Of course not. But will it prevent a 
worm from zapping you in a day-0 exploit and give you time to patch or 
disable the service? Yes.

Had you said "little security benefit", I'd agree. But to say "no security 
benefit" is just silly.

-- Mark
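The argument above is measurable on a defender's own firewall logs: if the automated tools really only knock on the default port, a host that also listens elsewhere will see many sources touch port 22 and very few touch the moved port. The following script is an added example, not code from this thread or its participants; it parses netfilter/iptables `LOG` lines in their standard `SRC=... PROTO=TCP ... DPT=...` form (the sample lines are constructed for the example, and the port numbers 22 and 2222 are assumptions) and reports how many attempts and distinct sources each destination port received, plus which sources probed only the default port.

```python
import re
from collections import defaultdict

# Constructed sample of iptables/netfilter LOG lines (not from the thread) as a
# firewall would write them for inbound TCP SYNs to a host that runs sshd on
# port 22 and a second instance on the assumed non-standard port 2222.
SAMPLE_LOG = """\
Jul 30 16:58:01 host kernel: IN=eth0 OUT= SRC=203.0.113.10 DST=192.0.2.5 LEN=60 TTL=52 ID=0 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Jul 30 16:58:04 host kernel: IN=eth0 OUT= SRC=203.0.113.10 DST=192.0.2.5 LEN=60 TTL=52 ID=0 DF PROTO=TCP SPT=40002 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Jul 30 16:59:10 host kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.5 LEN=60 TTL=48 ID=0 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 30 17:00:21 host kernel: IN=eth0 OUT= SRC=198.51.100.8 DST=192.0.2.5 LEN=60 TTL=48 ID=0 DF PROTO=TCP SPT=51001 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 30 17:01:02 host kernel: IN=eth0 OUT= SRC=203.0.113.44 DST=192.0.2.5 LEN=60 TTL=55 ID=0 DF PROTO=TCP SPT=60001 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Jul 30 17:01:03 host kernel: IN=eth0 OUT= SRC=203.0.113.44 DST=192.0.2.5 LEN=60 TTL=55 ID=0 DF PROTO=TCP SPT=60002 DPT=2222 WINDOW=65535 RES=0x00 SYN URGP=0
Jul 30 17:02:30 host kernel: IN=eth0 OUT= SRC=192.0.2.200 DST=192.0.2.5 LEN=60 TTL=60 ID=0 DF PROTO=TCP SPT=33000 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Jul 30 17:03:15 host kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.5 LEN=60 TTL=50 ID=0 DF PROTO=TCP SPT=44444 DPT=2222 WINDOW=65535 RES=0x00 SYN URGP=0
"""

# Pull the source address and TCP destination port out of a LOG line.
LINE_RE = re.compile(r"SRC=(?P<src>[\d.]+) .*?PROTO=TCP .*?DPT=(?P<dport>\d+)")


def parse_syns(text):
    """Return [(src, dport), ...] for every inbound TCP SYN line in the log."""
    hits = []
    for line in text.splitlines():
        if " SYN " not in line:  # only count new connection attempts
            continue
        m = LINE_RE.search(line)
        if m:
            hits.append((m.group("src"), int(m.group("dport"))))
    return hits


def hits_per_port(text):
    """Return {dport: (total_attempts, distinct_sources)} for each port seen."""
    attempts = defaultdict(int)
    sources = defaultdict(set)
    for src, dport in parse_syns(text):
        attempts[dport] += 1
        sources[dport].add(src)
    return {p: (attempts[p], len(sources[p])) for p in attempts}


def sources_probing_only_default(text, default_port=22, moved_port=2222):
    """Sources that hit the default port but never the moved one.

    These are the opportunistic scanners Mark describes: a source that also
    reaches the non-standard port has done more than try the usual door.
    """
    touched = defaultdict(set)
    for src, dport in parse_syns(text):
        touched[src].add(dport)
    return {s for s, ports in touched.items()
            if default_port in ports and moved_port not in ports}


if __name__ == "__main__":
    for port, (n, distinct) in sorted(hits_per_port(SAMPLE_LOG).items()):
        print(f"port {port:>5}: {n} attempts from {distinct} distinct sources")
    print("default-port-only sources:",
          sorted(sources_probing_only_default(SAMPLE_LOG)))
```

Run against a real `/var/log/kern.log` (or wherever your firewall's LOG target writes) instead of `SAMPLE_LOG`, the same three functions give the numbers behind the "little security benefit" wording: the moved port still gets hits, but from far fewer sources, and those are the ones worth looking at closely.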

