
BLU Discuss list archive



[Discuss] DNS question about DNSENUM.PL



On 03/27/2013 04:00 PM, Rich Pieri wrote:
> --On Wednesday, March 27, 2013 3:28 PM -0400 Bill Horne 
> <bill at horne.net> wrote:
>
>> When combined with port-knocking, having a non-standard port for a
>> service like ssh
>> is an effective means of preventing port-scanning attacks. It doesn't
>> prevent an
>
> It also makes you vulnerable to denial of service.
>
>> in Exim4, but it
>> _IS_ an effective tool when properly deployed.
>
> I claim that obfuscation cannot be properly deployed. Obfuscation is 
> wrapping a towel around your head and pretending that if you can't see 
> the service then neither can anyone else.
>
> Changing the port isn't giving your neighbor the key to your home. 
> Keys are authentication tokens. The port is analogous to the keyway. 
> Changing the port is the same as moving the keyway. The lock is still 
> there and you still need the correct key; you've just moved it up or 
> down from where it is normally located which is usually a convenient 
> waist/elbow height.
>
> The only security that you've added is that blind thieves are going to 
> have a slightly harder time finding the keyway.
>
While I have practiced a bit of obfuscation, and it does work in some 
instances, you essentially have to lock the doors and board up the 
windows. There are many good security tools available. One of the best 
is a proactive defense. Try to find out if you are being attacked before 
the attacker gets in. For ssh, make sure the keys are secure and long 
enough. Check your logs and firewall. If you have to allow passwords, 
use the tools to ensure your users have relatively strong passwords. 
Additionally, in a business, it is frequently an insider who will break 
into systems. He/She is already inside of the firewall.

-- 
Jerry Feldman <gaf at blu.org>
Boston Linux and Unix
PGP key id:3BC1EB90
PGP Key fingerprint: 49E2 C52A FC5A A31F 8D66  C0AF 7CEA 30FC 3BC1 EB90




BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.
