OT (way ot, port numbers, security, and other things)

Matt Kettler mkettler at evi-inc.com
Wed Apr 12 00:26:12 IST 2006

BB wrote:
> Why ?
> That's called security by obscurity.  It doesn't work.
> Nmap would finger that out in no time.

You're 100% right. Moving services to odd ports offers zero extra security.

However, this doesn't make the practice pointless. There are some benefits which
aren't security related to doing this.

Take the fictitious scenario where a major security flaw is found in OpenSSH,
and someone writes a network worm that exploits it. At the same time, folks are
also going to be launching manual attacks, looking by hand for servers to
exploit. However, there will be fewer of these than there are probes launched by
the worm. In the first day you'll likely see a few dozen hand attackers,
compared to thousands of worm probes.

Since the hand-scanning folks will find your SSH port quickly, you've gained
nothing in security. These are the most dangerous sorts anyway, so in terms of
security you've failed to provide any defense against the more important case.
However, you will have picked up a non-security related benefit: Bandwidth and
CPU savings.

The worm won't find your SSH port. It is trying to spread fast, so it's going to
focus on the well-known port. Thus you won't be wasting CPU and network
bandwidth answering the thousands of connection requests generated by worms.

There are some instances where moving a port can provide some benefit. But do be
realistic about it, and don't ever fool yourself into thinking this improves
security at your site. BB is right. It doesn't, and it will only take a decent
attacker a few seconds to figure out.

You also gain a forensic benefit. By forcing the attacker to do a broad
port-scan, you are making their presence much easier to log on your IDS.

But neither of these will help you if your SSH isn't patched for our fictitious
vulnerability. The attacker will find it and root your box in short order.
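The two non-security benefits Matt describes (a worm hammering only the well-known port, versus a hand attacker whose broad port scan stands out in the logs) can be seen directly in firewall logs. The following is an added example, not from the original post and not MailScanner code: it parses syslog lines in the Linux netfilter LOG format and flags a source as a port scanner when it touches many distinct destination ports within a short window. The log lines, hosts and timestamps are constructed for illustration; the window and port threshold are assumed tuning values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, in the shape of netfilter LOG output as syslog records it.
# 198.51.100.7 behaves like the worm in the post: many hits, all on port 22.
# 192.0.2.44 behaves like a hand attacker: a quick sweep across many ports.
# 203.0.113.9 is a single ordinary connection to the relocated service.
SAMPLE_LOG = """\
Apr 12 00:10:01 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=40111 DPT=22 SYN
Apr 12 00:10:02 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=40112 DPT=22 SYN
Apr 12 00:10:03 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=40113 DPT=22 SYN
Apr 12 00:10:04 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=40114 DPT=22 SYN
Apr 12 00:10:05 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=40115 DPT=22 SYN
Apr 12 00:10:06 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=40116 DPT=22 SYN
Apr 12 00:11:00 gw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.5 PROTO=TCP SPT=51000 DPT=21 SYN
Apr 12 00:11:00 gw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.5 PROTO=TCP SPT=51001 DPT=22 SYN
Apr 12 00:11:01 gw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.5 PROTO=TCP SPT=51002 DPT=25 SYN
Apr 12 00:11:01 gw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.5 PROTO=TCP SPT=51003 DPT=80 SYN
Apr 12 00:11:02 gw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.5 PROTO=TCP SPT=51004 DPT=443 SYN
Apr 12 00:11:02 gw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.5 PROTO=TCP SPT=51005 DPT=2222 SYN
Apr 12 00:11:03 gw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.5 PROTO=TCP SPT=51006 DPT=8080 SYN
Apr 12 00:11:03 gw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.5 PROTO=TCP SPT=51007 DPT=22022 SYN
Apr 12 00:11:04 gw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.5 PROTO=TCP SPT=51008 DPT=3389 SYN
Apr 12 00:11:04 gw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.5 PROTO=TCP SPT=51009 DPT=5900 SYN
Apr 12 00:20:00 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=203.0.113.5 PROTO=TCP SPT=33000 DPT=22022 SYN
"""

# Syslog timestamp, then the netfilter key=value fields we care about.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) SPT=\d+ DPT=(?P<dpt>\d+)"
)


def parse_line(line, year=2006):
    """Return a dict for one netfilter LOG line, or None if it does not match.

    Syslog timestamps carry no year, so the caller supplies one (assumed)."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "src": m["src"], "dst": m["dst"],
            "proto": m["proto"], "dpt": int(m["dpt"])}


def detect_port_scans(log_text, window=timedelta(seconds=60), min_ports=8):
    """Per source address, find the most distinct destination ports hit inside
    any sliding window of `window` seconds, and flag it as a scan when that
    count reaches `min_ports`. Both tuning values are assumptions."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    summary = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        peak, start = 0, 0
        for i, e in enumerate(evs):
            # Slide the window start forward until it is within `window` of e.
            while evs[start]["ts"] < e["ts"] - window:
                start += 1
            ports = {x["dpt"] for x in evs[start:i + 1]}
            peak = max(peak, len(ports))
        summary[src] = {
            "connections": len(evs),
            "peak_distinct_ports": peak,
            "scan": peak >= min_ports,
        }
    return summary


def report(summary):
    """Human-readable one-line-per-source view of detect_port_scans output."""
    lines = []
    for src, s in sorted(summary.items()):
        tag = "PORT SCAN" if s["scan"] else "ok"
        lines.append(f"{src:15} conns={s['connections']:3} "
                     f"peak_ports={s['peak_distinct_ports']:3} {tag}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(detect_port_scans(SAMPLE_LOG)))
```

Run against the sample, the worm-like source makes six connections but never touches more than one port, so it is not flagged; the sweeping source hits ten distinct ports in four seconds and is. That is the forensic point of the post: the broad scan is what the IDS sees, whether or not the attacker eventually finds the moved port.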

More information about the MailScanner mailing list