nanog mailing list archives

Re: sniffer/promisc detector


From: Dave Israel <davei () algx net>
Date: Tue, 20 Jan 2004 12:46:47 -0500



On 1/20/2004 at 09:18:07 -0800, Alexei Roudnev said:

> > Uhm, that would be wrong.  This is simply "security through obscurity".
>
> Yes, it is wrong for the _smart books_. But it works in real life. Of
> course, it should not be the last line of defense; but it works as a first
> line very effectively.
>
> If I rate safety as a number (10 is the best, 0 is the worst):
> - unpatched sshd on port 22 - safety is zero (will be hacked by an automated
> script in a few weeks)
> - patched sshd on port 22 - safety is 5 (even patched sshd has bugs, and
> I do not know what happens first - I patch the next bug or a hacker's script
> finds this sshd and hacks it)
> - unpatched sshd on port 30013 - safety is 7 (higher) because no
> automated script can find it, and no manual scan finds it in reality
> - patched sshd on port 30013 - safety is 9
> - turn off power - safety is 10. A secure system is a dark system.
>
> (I did not rate firewalls etc.)

Actually, an automated script or manual scan can find it trivially.
All you have to do is a quick port scan, looking for this:

12:31 biohazard~>telnet [somewhere] [port]
Trying [ip_address]...
Connected to localhost.
Escape character is '^]'.
SSH-1.99-OpenSSH_3.4p1c


Plus, if you put it on a non-standard port, you tend to use the same
one across the enterprise, so it is only really obscure once.  Moving
port numbers only protects you against idle vandalism; it is useless
against people who truly wish you harm.

You really need a firewall, particularly one that can detect a port
scan and shut off the scanner, for changing ports to have any real
security.  It is kind of like a 4-digit PIN being useless for a bank
card without the 3-try limit.

-Dave
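Dave's closing point is that moving a port only buys anything when the firewall can notice a scan and cut the scanner off. The following is an added example, not code from the thread: a small sliding-window port-scan detector run over constructed firewall log lines (the `ts SRC= DST= DPT=` format, the IP addresses, the window and threshold are all assumptions chosen for the demonstration). It flags a source that touches many distinct destination ports within a short window, and deliberately does not flag a source that probes one port every few minutes, which illustrates the limit of a purely window-based rule.

```python
"""Sliding-window port-scan detector over firewall log lines.

Added example (not from the NANOG thread).  Log format is a constructed,
iptables-like one-line-per-packet form:

    <epoch seconds> SRC=<ip> DST=<ip> DPT=<port>

A source is flagged once it has hit at least THRESHOLD distinct destination
ports within WINDOW seconds.  This is the kind of check the firewall Dave
describes would do before shutting the scanner off.
"""
import re
from collections import defaultdict, deque

LINE_RE = re.compile(
    r"^(?P<ts>\d+) SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) DPT=(?P<dpt>\d+)$"
)

WINDOW = 60      # seconds of history kept per source (assumed value)
THRESHOLD = 10   # distinct ports within WINDOW that count as a scan (assumed)


def parse_line(line):
    """Return (ts, src, dst, dpt) for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return int(m["ts"]), m["src"], m["dst"], int(m["dpt"])


def detect_scanners(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {src_ip: timestamp_first_flagged} for sources that look like scanners.

    Lines are assumed to arrive in time order.  Per source we keep a deque of
    (ts, port) events no older than `window` seconds and count distinct ports.
    """
    events = defaultdict(deque)   # src -> deque of (ts, dpt)
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:           # skip malformed / unrelated lines
            continue
        ts, src, _dst, dpt = rec
        q = events[src]
        q.append((ts, dpt))
        while q and ts - q[0][0] > window:   # expire events outside the window
            q.popleft()
        distinct_ports = {p for _, p in q}
        if len(distinct_ports) >= threshold and src not in flagged:
            flagged[src] = ts
    return flagged


def build_sample_log():
    """Constructed sample: one fast scanner, one legitimate client, one slow prober."""
    lines = []
    # 10.0.0.5 sweeps ports 1..20, one per second: a textbook fast scan.
    for i in range(20):
        lines.append(f"{1000 + i} SRC=10.0.0.5 DST=192.0.2.10 DPT={1 + i}")
    # 10.0.0.7 repeatedly connects to a single relocated sshd on 30013: not a scan.
    for i in range(15):
        lines.append(f"{1000 + i} SRC=10.0.0.7 DST=192.0.2.10 DPT=30013")
    # 10.0.0.9 probes one new port every 100 s: outside the window, so not flagged.
    for i in range(15):
        lines.append(f"{2000 + 100 * i} SRC=10.0.0.9 DST=192.0.2.10 DPT={5000 + i}")
    lines.append("this line is garbage and must be ignored")
    return sorted(lines, key=lambda l: int(l.split()[0]) if l[0].isdigit() else 0)


if __name__ == "__main__":
    for src, ts in detect_scanners(build_sample_log()).items():
        print(f"scan detected from {src} at t={ts}")
```

Running it prints only the fast scanner; the slow prober from 10.0.0.9 never has ten ports inside any 60-second window, which is exactly why a real deployment pairs a window rule with longer-horizon counting rather than relying on one threshold.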