Re: Some new SSH exploit script?

From: Adam.Chesnutt (icetre@digitalfreezer.net)
Date: Wed Jun 07 2006 - 10:57:22 EDT


silentw wrote:
>> Running a service on a non-standard port yields zero increase in
>> security. That was my point.
>
> I completely disagree for several reasons.
>
> There has been much talk about the number of connections on port 22.
> thousands of random connections that just waste your time. If you dont
> have a guessable password why do you care ? reasurces.

Yeah this is true.. But in effect it is minimal.
>
> 1) It wastes your resorces. If your logs arn't full of usless crap you
> have more time, more money, more hardware that you can better spend
> elseware on things that will actually help you.
Grep? The overall volume of logs is greater, but it's easy to parse
hacktards out of your logs.
>
> 2) Security through obscurity is a legitimate part of defense in
> depth. (in this case) If you keep your services up to date, a
> non-standard port could save you from a 0day attack / worm / n00b.
> that is an increase in security.

Um, no

SSH is so easy to detect, that most automated tools would find it on a
nonstandard port with minimal effort. However, nonstandard ports would
most likely nail out worms, but 0-day owners have better sk1llz and
t00lz, and n00bs wouldn't know what to do if your server was properly
patched/secured anyways.
>
> It really (for me, anyway) comes down to reasources - if you can cut
> the junk in your logs by 90% just by changing a port, it is worth
> considering. Anyone who has working in a large environment will know
> exactly what I mean.
>

I've worked in several ISPs, and to tell you the truth, I'd much rather
have easily greppable logs, that still contain the attempts. This falls
under the paradigm of keeping your enemy close. I know who and what they
are, and by correlating the attempts, I usually have a pretty good idea
of the skill level I'm dealing with.

If you have a problem with an overwhelming amount of incoming security
events, try correlation engines such as Neusecure or netForensics.

While I agree, it makes the logs more readable, the cost is making your
logs less effective at their job.

Really the solution here, is to have confidence in your security
measures. Remember, 0-day is just the tip of the iceberg, don't forget
about private exploits. You have to remember, if someone wants to own
you, you will be owned. There's always some oversight, there's always
some attack vector. The whole point is raising the bar.

Changing the port number, is akin, to hiding the door, because your
afraid of the lock installed in it. It only raises the bar to the
special olympics level.

I believe in security in-depth, but this depth is so superficial, I
really don't think it's worth it.

Firewall the port after 5 bad attempts, it's a trivial script to write.

Adam

------------------------------------------------------------------------------
This List Sponsored by: Cenzic

Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
Choice Award from eWeek. As attacks through web applications continue to rise,
you need to proactively protect your applications from hackers. Cenzic has the
most comprehensive solutions to meet your application security penetration
testing and vulnerability management needs. You have an option to go with a
managed service (Cenzic ClickToSecure) or an enterprise software
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can
help you: http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to confirm your
results from other product. Contact us at request@cenzic.com for details.
------------------------------------------------------------------------------



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:56:03 EDT