Need urgent help regarding security
dtalk-ml at prairienet.org
dtalk-ml at prairienet.org
Mon Nov 21 08:35:23 PST 2005
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Danny Carroll wrote:
> But sshd can be moved without problem.
It's not a cost-free solution, because there are support consequences.
Users don't like change. Fortunately for us, we control their client
configurations, so it's invisible to them.
>> I just have the strong feeling that moving a daemon to another port
>> (where it doesn't belong) won't gain any security.
On 22, I used to get many, sometimes many thousands, of brute force
password attempts per day. After moving to a higher port, I get zero.
Mathematics tells me that makes it less likely that one of my user
accounts will get whacked. It also raises the signal to noise ratio and
storage requirements of my logs dramatically.
I'm sure no one here thinks obscurity is a substitute for proper
configuration of good quality software. Nevertheless, real world
experience shows quite clearly that the odds of an expensive compromise
go down when I'm a little harder to find. The fact that this does
nothing to slow down a targeted attack does not diminish the value of
evading the entire population of drive-by bots.
- -d
- --
David Talkington
dtalk-ml at prairienet.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
iD8DBQFDgfdQ5FKhdwBLj4sRApC2AKCQNAd1lpHSukrwtolbKtLplhQGrwCgpSuU
xPnXD1Q2UTykKv2pCJHKE9I=
=C79J
-----END PGP SIGNATURE-----
More information about the freebsd-security
mailing list