Penetration Testing mailing list archives
Re: Some new SSH exploit script?
From: "Adam.Chesnutt" <icetre () digitalfreezer net>
Date: Wed, 07 Jun 2006 10:57:22 -0400
silentw wrote:
Running a service on a non-standard port yields zero increase in security. That was my point.I completely disagree for several reasons. There has been much talk about the number of connections on port 22. thousands of random connections that just waste your time. If you dont have a guessable password why do you care ? reasurces.
Yeah this is true.. But in effect it is minimal.
Grep? The overall volume of logs is greater, but it's easy to parse hacktards out of your logs.1) It wastes your resorces. If your logs arn't full of usless crap you have more time, more money, more hardware that you can better spend elseware on things that will actually help you.
2) Security through obscurity is a legitimate part of defense in depth. (in this case) If you keep your services up to date, a non-standard port could save you from a 0day attack / worm / n00b. that is an increase in security.
Um, noSSH is so easy to detect, that most automated tools would find it on a nonstandard port with minimal effort. However, nonstandard ports would most likely nail out worms, but 0-day owners have better sk1llz and t00lz, and n00bs wouldn't know what to do if your server was properly patched/secured anyways.
It really (for me, anyway) comes down to reasources - if you can cut the junk in your logs by 90% just by changing a port, it is worth considering. Anyone who has working in a large environment will know exactly what I mean.
I've worked in several ISPs, and to tell you the truth, I'd much rather have easily greppable logs, that still contain the attempts. This falls under the paradigm of keeping your enemy close. I know who and what they are, and by correlating the attempts, I usually have a pretty good idea of the skill level I'm dealing with.
If you have a problem with an overwhelming amount of incoming security events, try correlation engines such as Neusecure or netForensics.
While I agree, it makes the logs more readable, the cost is making your logs less effective at their job.
Really the solution here, is to have confidence in your security measures. Remember, 0-day is just the tip of the iceberg, don't forget about private exploits. You have to remember, if someone wants to own you, you will be owned. There's always some oversight, there's always some attack vector. The whole point is raising the bar.
Changing the port number, is akin, to hiding the door, because your afraid of the lock installed in it. It only raises the bar to the special olympics level.
I believe in security in-depth, but this depth is so superficial, I really don't think it's worth it.
Firewall the port after 5 bad attempts, it's a trivial script to write. Adam ------------------------------------------------------------------------------ This List Sponsored by: CenzicConcerned about Web Application Security? Why not go with the #1 solution - Cenzic, the only one to win the Analyst's Choice Award from eWeek. As attacks through web applications continue to rise, you need to proactively protect your applications from hackers. Cenzic has the most comprehensive solutions to meet your application security penetration testing and vulnerability management needs. You have an option to go with a managed service (Cenzic ClickToSecure) or an enterprise software (Cenzic Hailstorm). Download FREE whitepaper on how a managed service can help you: http://www.cenzic.com/news_events/wpappsec.php And, now for a limited time we can do a FREE audit for you to confirm your results from other product. Contact us at request () cenzic com for details.
------------------------------------------------------------------------------
Current thread:
- Re: Re: Some new SSH exploit script?, (continued)
- Re: Re: Some new SSH exploit script? anony (Jun 04)
- Re: Re: Some new SSH exploit script? Jarrod Frates (Jun 05)
- Re: Some new SSH exploit script? Adam.Chesnutt (Jun 07)
- Re: Re: Some new SSH exploit script? Jarrod Frates (Jun 05)
- Re: Some new SSH exploit script? Jurriaans, Marco (Jun 05)
- RE: Some new SSH exploit script? Michael Sierchio (Jun 06)
- Re: Some new SSH exploit script? Larry Offley (Jun 06)
- Re: Some new SSH exploit script? Adam.Chesnutt (Jun 07)
- Re: Some new SSH exploit script? Robert E. Lee (Jun 08)
- Re: Some new SSH exploit script? Adam.Chesnutt (Jun 09)
- Re: Some new SSH exploit script? Larry Offley (Jun 06)
- Re: Some new SSH exploit script? silentw (Jun 07)
- Re: Some new SSH exploit script? Adam.Chesnutt (Jun 07)
- Re: Some new SSH exploit script? Thor (Hammer of God) (Jun 07)
- Re: Some new SSH exploit script? Steve Smith (Jun 08)
- Re: Some new SSH exploit script? Pete Fuggle (Jun 08)
- Re: Some new SSH exploit script? R. DuFresne (Jun 08)
- Re: Some new SSH exploit script? Paul Robertson (Jun 09)
- Re: Some new SSH exploit script? R. DuFresne (Jun 09)
- Re: Re: Some new SSH exploit script? anony (Jun 04)
- Re: Some new SSH exploit script? litch (Jun 07)
- Unix auditing tools - Windows based. Serge Vondandamo (Jun 08)
- Re: Unix auditing tools - Windows based. Sol Invictus (Jun 08)
- RE: Unix auditing tools - Windows based. Meidinger Chris (Jun 08)