nanog mailing list archives

Re: sniffer/promisc detector


From: Niels Bakker <niels=nanog () bakker net>
Date: Wed, 21 Jan 2004 00:57:35 +0100


* davei () algx net (Dave Israel) [Tue 20 Jan 2004, 18:48 CET]:
> On 1/20/2004 at 09:18:07 -0800, Alexei Roudnev said:
> [..]
>> - unpatched sshd on port 30013 - safety is 7 (higher) because no
>> automated script can find it, and no manual scan can find it in reality
> Actually, an automated script or manual scan can find it trivially.
> All you have to do is a quick port scan, looking for this:
> [..]

Indeed.  And Alexei's point is that no one is looking for that.


> one across the enterprise, so it is only really obscure once.  Moving
> port numbers only protects you against idle vandalism; it is useless
> against people who truly wish you harm.

Alexei's point also was that you need additional measures against those
people.


> You really need a firewall, particularly one that can detect a port
> scan and shut off the scanner, for changing ports to have any real
> security.  It is kind of like a 4-digit PIN being useless for a bank
> card without the 3-try limit.

Unless you like really, really sore fingers, and don't think a long line
of people waiting behind you at the ATM will attract any attention from
the bank employees.


        -- Niels.
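The scan-then-shut-off rule Dave describes, as an added illustration that is not part of this thread: a small Python detector run over constructed firewall log lines that flags any source touching more than a few distinct ports inside a short window (the network analogue of the ATM's 3-try limit), while a client that only ever talks to the relocated sshd port is left alone. The log format, addresses and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample firewall log (not from the thread): one source sweeps
# several ports on 192.0.2.10 and eventually hits the sshd moved to 30013;
# a legitimate client connects to 30013 only.
SAMPLE_LOG = """\
2004-01-20 18:48:01 DROP 198.51.100.7 -> 192.0.2.10:22
2004-01-20 18:48:01 DROP 198.51.100.7 -> 192.0.2.10:23
2004-01-20 18:48:02 DROP 198.51.100.7 -> 192.0.2.10:80
2004-01-20 18:48:02 DROP 198.51.100.7 -> 192.0.2.10:443
2004-01-20 18:48:04 ACCEPT 198.51.100.7 -> 192.0.2.10:30013
2004-01-20 18:50:00 ACCEPT 203.0.113.5 -> 192.0.2.10:30013
2004-01-20 18:50:30 ACCEPT 203.0.113.5 -> 192.0.2.10:30013
"""

LINE_RE = re.compile(r"^(\S+ \S+) (DROP|ACCEPT) (\S+) -> \S+:(\d+)$")

def parse(log_text):
    """Yield (timestamp, src, port) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m[1], "%Y-%m-%d %H:%M:%S"), m[3], int(m[4])

def find_scanners(log_text, max_ports=3, window_seconds=60):
    """Return {src: ports} for sources that probed more than max_ports
    distinct ports within window_seconds. This is the "3-try limit" from
    the thread: a client uses one port; a sweep touches many, quickly."""
    events = defaultdict(list)  # src -> [(ts, port), ...]
    for ts, src, port in parse(log_text):
        events[src].append((ts, port))
    scanners = {}
    for src, hits in events.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):  # slide a window over each start
            ports = {p for t, p in hits[i:]
                     if (t - start).total_seconds() <= window_seconds}
            if len(ports) > max_ports:
                scanners[src] = ports
                break
    return scanners

if __name__ == "__main__":
    for src, ports in find_scanners(SAMPLE_LOG).items():
        print(f"shut off {src}: probed ports {sorted(ports)}")
```

The threshold and window are the tuning knobs: too loose and a sweep that pauses between probes slips under it, too tight and a client retrying a few services gets cut off.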

