SCIENTIFIC-LINUX-USERS Archives

October 2008

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: John Summerfield <[log in to unmask]>
Reply To: John Summerfield <[log in to unmask]>
Date: Thu, 2 Oct 2008 08:18:51 +0800
Content-Type: text/plain
Wacha, Andras wrote:
> Hello,
> 
> John Summerfield wrote:


>> 8. As I noted elsewhere, I don't recommend simply using a different 
>> port. A portscan will find it quite easily, and you won't be as secured 
>> as you might think.
> Portscans could be eliminated -- or at least made very difficult -- by
> using portsentry (sourceforge.net/projects/sentrytools). I simply put
> ssh from port 22 to 1234 (say), and arm portsentry to listen on 22 (and
> others, where common services are usually listening, e.g. telnet, ftp,
> smtp, finger...). If someone does a portscan, portsentry immediately
> locks that IP out (with iptables or route or hosts.deny). Watch out,
> however, as source IP addresses may be spoofed, so a "legitimate"
> computer can also become blocked. I suggest whitelisting some hosts (e.g.
> your desktop machine on the LAN), in case you get locked out
> accidentally.


I'm loath to use software not part of my distro, because the onus is 
even more on me to track versions and watch for security problems. I do 
use such software, I'm just not keen on it.

If a distro lacks much of the software I want, then I conclude it's the 
wrong distro for this particular task. Debian tends to win on occasion 
because of its enormous array of software which (unlike Ubuntu) is all 
supported.

I have seen portsentry recommended before, but I don't think I've given 
it more than a cursory inspection. I cannot say that I find the website 
inspiring; it does not clearly describe its purpose, how it works or how 
to use it. The mailing list archives are full of spam (at least, the 
first page of their indexes), and help on the forums is limited.

I personally don't see a need for me to avoid portscans as I don't hide 
services on non-standard ports. The attacks I do see are fairly blunt: 
if the script kiddie has an ssh test, he runs it on port 22 without 
bothering with a portscan. OTOH, if his script's purpose is to test IIS, 
he runs it on port 80 (and doesn't seem fazed to find Apache there).

Rather than run ssh on a non-standard port, my preference is to use a 
VPN, and openvpn is the second non-standard software I use on 
RHEL-clone. openvpn provides encrypted communications over a private 
network which can encompass the globe. I install it on my gateways, it 
can be inside the firewall, and I install it on my laptop(s). It 
requires of the firewall nothing more than an open UDP port.


-- 

Cheers
John

-- spambait
[log in to unmask]  [log in to unmask]
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375

You cannot reply off-list:-)
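The decoy-port detection that the quoted reply attributes to portsentry (ssh moved off 22, decoys on 22/telnet/ftp/smtp/finger, automatic lockout, a whitelist against spoofed sources), written out as an added illustration that is not part of this thread or of portsentry's own code. The log format, addresses, decoy set and whitelist are constructed assumptions; the lockout rules are returned as strings, not executed.

```python
import re
from collections import defaultdict

# Decoy ports (assumed set): the real sshd has moved off 22, so any
# connection to these is a probe rather than legitimate use.
DECOY_PORTS = {21, 22, 23, 25, 79}

# Hosts never to lock out, since source addresses may be spoofed
# (assumed example addresses).
WHITELIST = {"192.168.1.10", "127.0.0.1"}

# Constructed sample of netfilter-style log lines, not real traffic.
SAMPLE_LOG = """\
Oct  2 08:10:01 gw kernel: IN=eth0 SRC=203.0.113.5 DST=198.51.100.1 PROTO=TCP DPT=22
Oct  2 08:10:01 gw kernel: IN=eth0 SRC=203.0.113.5 DST=198.51.100.1 PROTO=TCP DPT=23
Oct  2 08:10:02 gw kernel: IN=eth0 SRC=203.0.113.5 DST=198.51.100.1 PROTO=TCP DPT=79
Oct  2 08:11:00 gw kernel: IN=eth0 SRC=192.168.1.10 DST=198.51.100.1 PROTO=TCP DPT=22
Oct  2 08:11:05 gw kernel: IN=eth0 SRC=192.168.1.10 DST=198.51.100.1 PROTO=TCP DPT=25
Oct  2 08:12:00 gw kernel: IN=eth0 SRC=198.51.100.77 DST=198.51.100.1 PROTO=TCP DPT=1234
"""

LINE_RE = re.compile(r"SRC=(?P<src>[\d.]+) .*PROTO=TCP DPT=(?P<dpt>\d+)")


def scanners(log_text, threshold=2):
    """Return {src: sorted decoy ports touched} for every source that hit
    at least `threshold` distinct decoy ports and is not whitelisted."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        port = int(m.group("dpt"))
        if port in DECOY_PORTS:
            hits[m.group("src")].add(port)
    return {src: sorted(ports) for src, ports in hits.items()
            if len(ports) >= threshold and src not in WHITELIST}


def block_rules(offenders):
    """The iptables lockout a portsentry-style tool would issue for each
    offender (returned for review, never run from here)."""
    return [f"iptables -I INPUT -s {src} -j DROP" for src in sorted(offenders)]
```

The whitelisted LAN host touches two decoy ports but is never listed, which is exactly the lock-yourself-out case the reply warns about.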
