Question about visibility

John W. Blue john.blue at rrcic.com
Wed Oct 24 17:30:50 UTC 2018


I agree on using non-standard ports as well.

Moving SSH to a non-standard port is a perfect example of how to actually ID bad actors.  It follows that any host connecting to 22 is clearly traffic that needs to be dropped and blocked.  And if that host is blocked then any other connections it would attempt (e.g. port 80) are also blocked.  I am reluctant to say "one and done" but it is pretty close.

Alternatively, using PF on a BSD with this rule:

table <ssh-bruteforce> persist                     # holds sources that exceeded the rate
block in quick on $ext_if from <ssh-bruteforce>    # drops every port from those sources, not just ssh
pass in on $ext_if proto tcp from any to $ext_if port ssh \
    flags S/SA keep state \
    (max-src-conn-rate 2/120, overload <ssh-bruteforce> flush global)

will only allow 2 connections within two minutes before the host is blacklisted.

John
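The behaviour of that PF rule pair, modelled in Python as an added example (not John's code and not part of the list post): a sliding window counts new SSH connections per source, a third connection inside 120 seconds puts the source in the overload table, and from then on every packet from that source is dropped regardless of port. The event list is constructed sample data, not real log output.

```python
from collections import defaultdict, deque

SSH_PORT = 22

# Constructed sample: (seconds since an arbitrary start, source address, destination port).
SAMPLE_EVENTS = [
    (0,   "198.51.100.7", 22),
    (10,  "203.0.113.9",  22),
    (30,  "198.51.100.7", 22),
    (45,  "198.51.100.7", 22),   # third SSH hit within 120 s: overload
    (50,  "198.51.100.7", 80),   # now blocked on every port via the table
    (100, "203.0.113.9",  22),
    (200, "203.0.113.9",  22),   # first hit expired; still only 2 in window
    (210, "203.0.113.9",  80),   # never overloaded, so other ports pass
]


def apply_policy(events, max_conn=2, seconds=120):
    """Simulate 'max-src-conn-rate max_conn/seconds, overload <table>' plus a
    'block in quick from <table>' rule. Returns (table, dropped_events)."""
    windows = defaultdict(deque)   # per-source timestamps of recent SSH connections
    table = set()                  # the <ssh-bruteforce> overload table
    dropped = []
    for ts, src, dport in sorted(events):
        if src in table:
            dropped.append((ts, src, dport))   # block rule matches every port
            continue
        if dport != SSH_PORT:
            continue   # not covered by the rate-limited pass rule
        recent = windows[src]
        while recent and ts - recent[0] >= seconds:
            recent.popleft()   # expire hits that fell out of the window
        recent.append(ts)
        if len(recent) > max_conn:
            table.add(src)
            dropped.append((ts, src, dport))   # the triggering attempt is refused too
    return table, dropped


if __name__ == "__main__":
    blocked, refused = apply_policy(SAMPLE_EVENTS)
    print("overload table:", sorted(blocked))
    print("dropped:", refused)
```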

-----Original Message-----
From: bind-users [mailto:bind-users-bounces at lists.isc.org] On Behalf Of Paul Kosinski
Sent: Wednesday, October 24, 2018 11:24 AM
To: bind-users at lists.isc.org
Subject: Re: Question about visibility

Maybe port scanners will find open ports pretty quickly, but I've found that using non-standard ports is helpful in reducing traffic, at least.
For example, SSH on port 22 gets lots of SYNs, but moving it elsewhere and making 22 totally unresponsive discourages most such attempts. This increases security slightly a priori, and may also improve security by simplifying the firewall log(s).

When using OpenVPN over UDP, the standard port 1194 can be subject to random and/or attack packets. These have to be processed and rejected (since their HMACs etc. hopefully won't pass decryption). This won't occur in TCP mode, of course, but UDP tends to be more efficient, especially since TCP over TCP tends to clog up.

P.S. When you come right down to it, *all* computer (software) security is "security by obscurity", whether the obscurity of passwords, private keys, etc. For example, DES is no longer used because 56-bit keys are no longer obscure enough to hide from modern computers.


On Wed, 24 Oct 2018 13:24:41 +0000
Timothy Metzinger <tim.metzinger at outlook.com> wrote:

> There's no security in obscurity.  Automated port scanners will sweep 
> your system in a couple of seconds.
> 
> Tim Metzinger
> 
> From: bind-users <bind-users-bounces at lists.isc.org> on behalf of G.W. Haywood via bind-users <bind-users at lists.isc.org>
> Sent: Wednesday, October 24, 2018 12:15:10 PM
> To: bind-users at lists.isc.org
> Subject: Re: Question about visibility
> 
> Hi there,
> 
> On Wed, 24 Oct 2018, Hardy, Andrew wrote:
> 
> > Further to the original post, as well as not creating a DNS record 
> > and "possibly" adding robot.txt with appropriate content, as 
> > discussed, I presume that if I run the http server on a personally 
> > selected unprivileged port then it is very "unlikely" the site pages 
> > will be indexed/discovered/etc surely?
> >
> > Thoughts?
> 
> A server on a non-standard port is often neglected.  Its security may 
> be less well maintained than one that is intentionally public.
> 
> That's just the sort of thing that criminals are looking for.  They'll 
> probably find it, and then they'll attack it.
> 
> --
> 
> 73,
> Ged.
> 
> Tim Metzinger
> 703.963.3015
> 
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users at lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

