Re: Some new SSH exploit script?

["Adam.Chesnutt" <icetre () digitalfreezer net>]

silentw wrote:
> > Running a service on a non-standard port yields zero increase in
> > security.  That was my point.
>
> I completely disagree for several reasons.
>
> There has been much talk about the number of connections on port 22.
> thousands of random connections that just waste your time. If you dont
> have a guessable password why do you care ? reasurces.

Yeah this is true.. But in effect it is minimal.
> 1) It wastes your resorces. If your logs arn't full of usless crap you
> have more time, more money, more hardware that you can better spend
> elseware on things that will actually help you.
Grep? The overall volume of logs is greater, but it's easy to parse 
hacktards out of your logs.
> 2) Security through obscurity is a legitimate part of defense in
> depth. (in this case) If you keep your services up to date, a
> non-standard port could save you from a 0day attack / worm / n00b.
> that is an increase in security.

Um, no

SSH is so easy to detect, that most automated tools would find it on a 
nonstandard port with minimal effort. However, nonstandard ports would 
most likely nail out worms, but 0-day owners have better sk1llz and 
t00lz, and n00bs wouldn't know what to do if your server was properly 
patched/secured anyways.
> It really (for me, anyway) comes down to reasources - if you can cut
> the junk in your logs by 90% just by changing a port, it is worth
> considering. Anyone who has working in a large environment will know
> exactly what I mean.

I've worked in several ISPs, and to tell you the truth, I'd much rather 
have easily greppable logs, that still contain the attempts. This falls 
under the paradigm of keeping your enemy close. I know who and what they 
are, and by correlating the attempts, I usually have a pretty good idea 
of the skill level I'm dealing with.

If you have a problem with an overwhelming amount of incoming security 
events, try correlation engines such as Neusecure or netForensics.

While I agree, it makes the logs more readable,  the cost is making your 
logs less effective at their job.

Really the solution here, is to have confidence in your security 
measures. Remember, 0-day is just the tip of the iceberg, don't forget 
about private exploits.  You have to remember, if someone wants to own 
you, you will be owned. There's always some oversight, there's always 
some attack vector. The whole point is raising the bar.

Changing the port number, is akin, to hiding the door, because your 
afraid of the lock installed in it. It only raises the bar to the 
special olympics level.

I believe in security in-depth, but this depth is so superficial, I 
really don't think it's worth it.

Firewall the port after 5 bad attempts, it's a trivial script to write.

Adam



------------------------------------------------------------------------------
This List Sponsored by: Cenzic

Concerned about Web Application Security? 
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's 
Choice Award from eWeek. As attacks through web applications continue to rise, 
you need to proactively protect your applications from hackers. Cenzic has the 
most comprehensive solutions to meet your application security penetration 
testing and vulnerability management needs. You have an option to go with a 
managed service (Cenzic ClickToSecure) or an enterprise software 
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can 
help you: http://www.cenzic.com/news_events/wpappsec.php 
And, now for a limited time we can do a FREE audit for you to confirm your 
results from other product. Contact us at request () cenzic com for details.
------------------------------------------------------------------------------