Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: OpenSSH is a good choice?
From: Ben Hawkes <ben.hawkes () paradise net nz>
Date: Fri, 24 Dec 2004 18:19:34 +1300

On Thu, Dec 23, 2004 at 12:43:31AM -0600, Ron DuFresne wrote:
My thoughts on this have centered on the point that there are too many
decent scanning and banner grabbing tools out there to make botuse port
assingments off the default any much good at obscuring the service.

We are lucky in that most the coded sploits and POCs tend to be cheap in
that they tend to look for specifics in a very narrowly focused tunnel.
The potentials for something being crafted that is much more insidiously
inventive in determing attack vectors that might be non-norm are there.
And beaucse they remain at this time 'potential' should not be a reason or
rationale to try and place minimally effective or incomplete controls in
the security layers one uses.  The IT community has been repeatedly bitten
by doing less then they know better to do due to the potential of
something not yet unleashed, say 1988 for example.

There needs to be some differentiation between worms and exploits here.
In the case of a single attacker specifically targeting a machine, then
yes, I agree that a non-standard port configuration is not going to
help due to such "insidiously inventive" tools as nmap and its -sV.
However a non-standard port does help in the general case when it comes
to a worm. 

The reason that we have not seen a worm search for non-standard 
configurations is not so much a lack of ingenuity by the authors, 
but more of a realisation that the time spent on scanning each target 
is better spent looking for other potentially vulnerable hosts with a 
standard port configuration. That is to say, searching each potential
host for non-standard ports is inefficient and would likely inhibit the
spread of such a worm.

I don't have any figures to support this claim, but its hard to imagine
the percentage of non-standard port configurations for any service on
the internet being high enough to be an attractive target for a worm. In
the end, running a service on a non-standard port at this point in time 
is a useful part of a layered security approach, if only to inhibit

Ben Hawkes
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]