Re: Need urgent help regarding security

Board: FB_security, posted 2005/11/23 02:31 (20 years ago), 0 pushes, 0 comments
ray@redshift.com wrote:
> The point isn't to get more secure. You are correct by saying that
> moving the port # doesn't make anything more secure.

Actually the point _is_ security and changing the port number _does_ improve it significantly, though only from one popular attack vector. Security by obscurity _does_ work, and often very well, just not in place of more substantive measures. In the case of sshd dictionary attacks those would be:

1) setting "MaxAuthTries 2", "Banner /etc/issue" and "PermitRootLogin no" in /etc/ssh/sshd_config,

2) running an sshd IDS that A) tests for '(for invalid user|Failed password for)', B) blackholes source hosts ('ipfw add deny ...'), and C) alerts sysadmin or operations personnel,

3) making sure SSL and SSH are up to date (preferably via ports),

4) deleting the rc script, adding sshd to /etc/inetd.conf, and taking advantage of the rate controls, logging, and other excellent security features of FreeBSD's inetd.

Hosts that don't have at least these 4 protections in place will reduce their exposure by moving sshd to a port other than 22. Hosts that do implement these protections will still benefit from changing the port but can lose some excellent logging. If possible keep the logs and either send them to the offending ISP or add to a local list of long-term blackholes.

Obscurity is an important and wholly necessary part of the security toolkit. Take passwords for example. Defining a non-dictionary password is security by obscurity. It is, however, weak protection if you do not also log dictionary attacks and blackhole offenders before they can try many username/password pairs. ATM PINs are even weaker than passwords but are nevertheless adequate protection thanks to the fact that ~3 failed passwords will cause the account to be locked.

Bruce Schneier looks at more areas on where security by obscurity works and where it doesn't in the May 2002 CRYPTO-GRAM <http://archives.neohapsis.com/archives/crypto/2002-q2/0005.html>.
--
Roger Marquis
Roble Systems Consulting
http://www.roble.com/
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
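The log test, blackhole step and alert from item 2 of the post above, worked through as an added example (editor's code, not Roger's or FreeBSD's): it scans constructed sshd syslog lines, counts failures per source host, and builds the ipfw deny rule text rather than executing it. The threshold of 3, the management allow-list and the rule number 1000 are assumptions.

```python
import re
from collections import Counter

# Constructed sample of sshd syslog lines (not from the original post).
SAMPLE_LOG = """\
Nov 23 02:31:01 host sshd[1201]: Invalid user admin from 192.0.2.10
Nov 23 02:31:02 host sshd[1201]: Failed password for invalid user admin from 192.0.2.10 port 40112 ssh2
Nov 23 02:31:05 host sshd[1203]: Failed password for invalid user test from 192.0.2.10 port 40113 ssh2
Nov 23 02:31:09 host sshd[1205]: Failed password for root from 192.0.2.10 port 40114 ssh2
Nov 23 02:32:00 host sshd[1210]: Failed password for alice from 198.51.100.7 port 50001 ssh2
Nov 23 02:32:30 host sshd[1211]: Accepted publickey for alice from 198.51.100.7 port 50002 ssh2
"""

# The post's own test '(for invalid user|Failed password for)', extended to
# capture the source address that follows "from".
FAILURE_RE = re.compile(
    r"(?:for invalid user|Failed password for).*? from (\d{1,3}(?:\.\d{1,3}){3})"
)


def count_failures(log_text):
    """Return a Counter of failed-auth events per source host."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILURE_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def offenders(counts, threshold=3, allow=()):
    """Hosts at or above the threshold, minus an allow-list of management
    addresses (assumed) so a mistyped admin password cannot lock out the admin."""
    return sorted(h for h, n in counts.items() if n >= threshold and h not in allow)


def ipfw_rules(hosts, rule_number=1000):
    """Build (but do not run) the 'ipfw add deny ...' rules the post describes."""
    return [f"ipfw add {rule_number} deny ip from {h} to any" for h in hosts]


def alert_message(counts, hosts):
    """One-line summary suitable for mailing to the operations alias."""
    return "; ".join(f"{h}: {counts[h]} failed sshd logins, blackholed" for h in hosts)


if __name__ == "__main__":
    c = count_failures(SAMPLE_LOG)
    bad = offenders(c, threshold=3, allow={"198.51.100.7"})
    for rule in ipfw_rules(bad):
        print(rule)
    print(alert_message(c, bad))
```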
Article code (AID): #13WsFj00 (FB_security)