IP Banning (Using IPFW)

Chris chrcoluk at gmail.com
Wed Feb 8 20:33:40 PST 2006

On 07/02/06, David Scheidt <dscheidt at panix.com> wrote:
> On Tue, Feb 07, 2006 at 12:40:22AM +0200, Atis wrote:
> > On Sun, 5 Feb 2006 18:55:13 -0500
> > David Scheidt <dscheidt at panix.com> wrote:
> >
> > >
> > > Nonsense.  There may be some people that only scan well-known ports,
> > > but it's much more common to scan every port on a machine.  If you're
> > > running a server on a non-standard port, an attacker will find it.
> > >
> >
> > sure, but 99% of the time the machines attacking your server are zombies
> > that do not care to do a full portscan. i suppose the purpose is to
> > find other misconfigured, easy-to-hack computers on the network. by
> > putting your services on non-standard ports you get rid of these
> > mindless drones and don't pollute log files with useless garbage.
> >
> > now if somebody _does_ actually target your server in particular then
> > this is definitely not the solution.
> >
> > anywayz, putting things on non-standard ports helps a lot, and is
> > one of the first and easiest security measures an administrator
> > may consider.
> >
> Taking your clothes off and painting yourself blue is also one of the
> first and easiest security measures to consider.  It's even more
> effective, too.  I know of no machine that's been cracked that had a
> wheel naked and painted blue.  I've seen lots running standard
> services on non-standard ports.
> Security through obscurity doesn't work, it makes tracking down
> other problems harder, and creates work to maintain non-standard
> configurations.

I understand his point, I see 2 types of problems we have to deal with.  The
thousands of drones that scan for boxes that are vulnerable to a specific
exploit, they will often scan ip ranges on a specific port and if its open
see if its vulnerable.  For these types of intruders chnging ports is very
effective since you would simply be skipped past on their scan, for most of
us 99% of attempted intrusions are zombie based or some script a kid has
downloaded of the web.

The argument against changing ports is of course when you have a persistent
hacker who wants in, he will of course scan all the ports and find the
service and this type of protection is nullified.  In this scenario if you
havent taken additional measures to secure the box then you may be in

I personally move things like sshd of its normal port simply to stop my logs
been flooded with brute force logins and since I am the only one who uses
ssh there is no downside to it, I of course dont rely on this alone and keep
my software up to date amongst other security measures it is simply an extra
layer of skin on the onion.  For things like httpd I keep on port 80 as I
think moving the port of that is more hassle then its worth.


More information about the freebsd-questions mailing list