Need urgent help regarding security
Marian Hettwer
MH at kernel32.de
Mon Nov 21 05:16:57 PST 2005
Hej Ray,
ray at redshift.com wrote:
>
> The point isn't to get more secure. You are correct by saying that moving the
Hu. I thought the point was to get more security. If it's more about
"stealth", okay, move the daemon to another port :)
> port # doesn't make anything more secure. But why make it easy for someone that
> might be doing a scan to find your SSH prompt during a scan that may be focused
> on ports 21, 22, 25, 80 and 110?
>
Of course it's a bit harder to find your sshd, if it's not running on
tcp/22. And maybe, an automated script won't find the sshd. A human
being will, indeed, find the sshd pretty quick. Take any port which
responds with an SYN-ACK to your SYN and of you go on that port with
telnet...
> Along these same lines, we used to even re-compile sshd and remove the welcome
> message/version number in the connect. I know there are two schools of thought
> on broadcasting your version numbers on connections, but in the mid 90's, we did
> do that from time to time.
>
And if you don't get the ssh banner, it might get harder now :-)
> Anyway, to each their own :)
>
ack.
Marian
More information about the freebsd-security
mailing list