Wacha, Andras wrote:
> Hello,
>
> John Summerfield wrote:
>> 8. As I noted elsewhere, I don't recommend simply using a different
>> port. A portscan will find it quite easily, and you won't be as secured
>> as you might think.
> Portscans could be eliminated -- or at least made very difficult -- by
> using portsentry (sourceforge.net/projects/sentrytools). I simply put
> ssh from port 22 to 1234 (say), and arm portsentry to listen on 22 (and
> others, where common services are usually listening, eg. telnet, ftp,
> smtp, finger...). If someone does a portscan, portsentry immediately
> locks that ip out (with iptables or route or hosts.deny). Watch out
> however, as source ip addresses may be spoofed, so a "legitimate"
> computer can also become blocked. I suggest whitelisting some hosts (e.g.
> your desktop machine on the LAN), in case you get locked out
> accidentally.
I'm loath to use software not part of my distro, because the onus is
even more on me to track versions and watch for security problems. I do
use such software, I'm just not keen on it.
If a distro lacks much of the software I want, then I conclude it's the
wrong distro for this particular task. Debian tends to win on occasion
because of its enormous array of software which (unlike Ubuntu) is all
supported.
I have seen portsentry recommended before, but I don't think I've given
it more than a cursory inspection. I cannot say that I find the website
inspiring, it does not clearly describe its purpose, how it works or how
to use it. The mailing list archives are full of spam (at least, the
first page of their indexes), and help on the forums is limited.
I personally don't see a need for me to avoid portscans as I don't hide
services on non-standard ports. The attacks I do see are fairly blunt:
if the script kiddie has an ssh test, he runs it on port 22 without
bothering with a portscan. OTOH, if his script's purpose is to test IIS,
he runs it on port 80 (and doesn't seem fazed to find Apache there).
Rather than run ssh on a non-standard port, my preference is to use a
VPN, and openvpn is the second non-standard software I use on
RHEL-clone. openvpn provides encrypted communications over a private
network which can encompass the globe. I install it on my gateways, it
can be inside the firewall, and I install it on my laptop(s). It
requires of the firewall nothing more than an open UDP port.
--
Cheers
John
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375
You cannot reply off-list:-)
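The arrangement Wacha describes (sshd moved off port 22, portsentry armed on the vacated well-known ports, scanners dropped with iptables, trusted hosts whitelisted), written out as a portsentry.conf fragment. This is an added example, not configuration from either poster; the file paths and the iptables binary location are assumptions for a source install and should be checked against your own.

```ini
# portsentry.conf (added example; paths are assumptions for a source install)
# sshd itself is moved away with "Port 1234" in sshd_config, so 22 is free
# for portsentry to bind as a decoy; it cannot bind a port sshd still owns.

# Well-known ports that nothing legitimate listens on any more (ftp, ssh,
# telnet, smtp, finger). A connection attempt to any of them is treated
# as a scan.
TCP_PORTS="21,22,23,25,79"
UDP_PORTS="69,161"

# Hosts that must never be blocked, one IP or IP/netmask per line, e.g. the
# LAN desktop. This is the whitelist that guards against a spoofed-source
# scan locking you out of your own box.
IGNORE_FILE="/usr/local/psionic/portsentry/portsentry.ignore"
HISTORY_FILE="/usr/local/psionic/portsentry/portsentry.history"
BLOCKED_FILE="/usr/local/psionic/portsentry/portsentry.blocked"

# Do not reverse-resolve scanners: a DNS lookup per hit slows blocking and
# can be abused to tie the daemon up.
RESOLVE_HOST="0"

# Actually block. Set both to "0" to log only while evaluating the tool.
BLOCK_TCP="1"
BLOCK_UDP="1"

# Block with iptables rather than the default reject route; portsentry
# substitutes the scanning address for $TARGET$.
KILL_ROUTE="/sbin/iptables -I INPUT -s $TARGET$ -j DROP"

# Also deny the host to every tcpwrappers-protected service via hosts.deny.
KILL_HOSTS_DENY="ALL: $TARGET$ : DENY"

# Block on the first hit; raise to tolerate stray probes before acting.
SCAN_TRIGGER="0"
```

Run portsentry with BLOCK_TCP and BLOCK_UDP at "0" first and read the history file for a day: anything that shows up there and is yours belongs in the ignore file before blocking is switched on.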