[ale] hack attempts
James Baldwin
jbaldwin at antinode.net
Tue Feb 8 17:12:28 EST 2005
On 8 Feb 2005, at 16:40, Bob Toxen wrote:
> This is "Security by Obscurity" and it is not a good solution. See
> my last email and also use a REAL good password.
That is a misleading statement, and in this particular instance an
incorrect one. I will not dispute the statement that a "good" password
will decrease the likelihood of a compromised account; however, stating
that altering the port to which sshd binds will not decrease that
likelihood is just wrong.
Take this into account:
Altering the port on which sshd listens adds another authentication
vector, even if a weak one. This could be construed as adding another
2^16 possible combinations to your password. This number is wildly
inaccurate, as people are likely to use easy-to-remember ports and any
transit provider is presented the port; the latter point should be
discarded, as any transit provider can MitM your SSH connection anyway.
Security through Obscurity is a statement regarding general
architecture policy, NOT actual implementation. Obscurity works in
practice. Randomizing the port number your service runs on makes it
that much more difficult for an intruder to locate said service without
detection, in the same way that IPv6 will make it more difficult to
portscan large ranges quickly looking for compromisable hosts. In both
cases it does not make it impossible; it only decreases the
effectiveness of the attack.
As policy one shouldn't rely on Obscurity for Security, but in reality
it is an effective means of mitigating your vulnerability to
exploitation. If you work long in the security consulting world you
will realize that success is not about eliminating the possibility of
exploitation, but about reducing the likelihood of its occurrence and
the risk involved when it does. In such cases, Obscurity is a very,
very valid and effective weapon against Bad Guys (tm).
Further reading:
http://www.bastille-linux.org/jay/obscurity-revisited.html
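As an added worked example (not part of the original message or of the thread), the Python below makes the two halves of the argument above concrete: how many TCP probes an attacker needs to locate sshd once it has left port 22, depending on whether the new port was picked from a "memorable" list or genuinely at random, and the fact that the probing needed to do so shows up in firewall logs as a port sweep. The list of likely ports, the addresses, the assumed sshd port 48211, the netfilter-style log format and the sweep threshold are all assumptions for the example; the log lines are constructed, not captured.

```python
"""Worked example for the sshd-port-obscurity argument (added; not from the
original post).  Part 1: how many probes an attacker needs to find sshd on a
non-default port.  Part 2: whether that probing is visible in firewall logs as
a port sweep.  Ports, addresses, log format and threshold are assumptions for
the example; the sample log lines are constructed, not captured."""
import random
import re
from collections import defaultdict

# Assumption: the ports an attacker tries first, in order -- the default plus
# the 'easy to remember' moves people actually make.
LIKELY_PORTS = [22, 2222, 2022, 22222, 222, 2200, 8022, 10022, 22022, 443, 80, 8080]


def attacker_order(seed=None):
    """Probe order: likely ports first, then every other port in random order."""
    rng = random.Random(seed)
    rest = [p for p in range(1, 65536) if p not in LIKELY_PORTS]
    rng.shuffle(rest)
    return LIKELY_PORTS + rest


def probes_to_find(target_port, order):
    """1-based count of probes until `order` reaches target_port."""
    return order.index(target_port) + 1


def expected_probes(target_port):
    """Expected probe count under attacker_order(): a handful for a memorable
    port, about half the remaining port space for a genuinely random one."""
    if target_port in LIKELY_PORTS:
        return float(LIKELY_PORTS.index(target_port) + 1)
    rest = 65535 - len(LIKELY_PORTS)
    return len(LIKELY_PORTS) + (rest + 1) / 2


# Assumption: a netfilter-style LOG rule records every inbound SYN to the host.
LOG_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+)")

_SCANNER, _CLIENT, _HOST = "203.0.113.7", "198.51.100.5", "192.0.2.10"
_LINE = ("Feb  8 17:{m:02d}:{s:02d} gw kernel: IN-SYN IN=eth0 OUT= SRC={src} DST={dst} "
         "LEN=60 PROTO=TCP SPT={spt} DPT={dpt} WINDOW=5840 SYN URGP=0")
# Constructed sample: one source sweeps the likely ports (and never reaches the
# real sshd port, assumed here to be 48211); one client logs in normally.
SAMPLE_LOG = "\n".join(
    [_LINE.format(m=1, s=i, src=_SCANNER, dst=_HOST, spt=40000 + i, dpt=p)
     for i, p in enumerate(LIKELY_PORTS)]
    + [_LINE.format(m=2, s=0, src=_CLIENT, dst=_HOST, spt=51234, dpt=48211)]
)


def distinct_ports_per_source(log_text):
    """Map source address -> number of distinct destination ports it touched."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            seen[m.group("src")].add(int(m.group("dpt")))
    return {src: len(ports) for src, ports in seen.items()}


def port_sweep_sources(log_text, threshold=10):
    """Sources that hit at least `threshold` distinct ports: searching for a
    moved sshd is possible, but the search itself is loud."""
    counts = distinct_ports_per_source(log_text)
    return sorted(src for src, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    order = attacker_order(seed=1)
    for port in (22, 2222, 48211):
        print(f"port {port}: found after {probes_to_find(port, order)} probes "
              f"(expected {expected_probes(port):.0f})")
    print("port-sweep sources:", port_sweep_sources(SAMPLE_LOG))
```

The point the numbers make is the one the message hedges on: a port chosen from the memorable list is found within a dozen probes, so it buys almost nothing, while a port drawn uniformly costs an attacker on the order of thirty thousand probes on average, every one of which lands in the log and trips the sweep threshold long before sshd is reached.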