[66668] in North American Network Operators' Group
Re: sniffer/promisc detector
daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Tue Jan 20 01:52:53 2004
To: Brett Watson <brett@the-watsons.org>
Cc: Alexei Roudnev <alex@relcom.net>, nanog@merit.edu,
Paul Vixie <vixie@vix.com>
In-Reply-To: Your message of "Mon, 19 Jan 2004 23:26:30 MST."
<BC321826.960C%brett@the-watsons.org>
From: Valdis.Kletnieks@vt.edu
Date: Tue, 20 Jan 2004 01:52:17 -0500
Errors-To: owner-nanog-outgoing@merit.edu
On Mon, 19 Jan 2004 23:26:30 MST, Brett Watson <brett@the-watsons.org> said:
> > hacked? (Answer - you will never be hacked, if
> > you use a nonstandard port, except if you attract someone by name, such as
> > _SSH-DAEMOn.Rich-Bank-Of-America.Com_.
> Go grab nessus (www.nessus.org), modify the code a bit, and I guarantee you
> that your ssh daemon running on a non-standard port can still be found,
> identified, and exploited. Trivial.
Alexei's point is that *yes*, things like Nessus *will* find a relocated SSH -
but that if you're getting Nessus scanned, somebody has painted a bullseye
target on YOUR site, not "any site vulnerable to <exploit du jour>". The
people looking for "any vulnerable site" will just go SSH-scanning on port 22
and be done with it, since it's simply NOT PRODUCTIVE to do an exhaustive test
of each machine. One probe at port 22 will probably go under the radar,
scanning all 65K ports is sure to peeve somebody off....
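Added example, not part of the original post: a defender-side sketch of the distinction drawn above, labelling sources in connection logs as one-port-across-many-hosts (opportunistic) or many-ports-on-one-host (targeted). The log tuples, the thresholds and the relocated port 2222 are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample: (source IP, destination IP, destination port) of inbound SYNs.
# Addresses come from the RFC 5737 documentation ranges.
def build_sample():
    events = []
    # Source A: one probe at port 22 against each of 40 hosts (opportunistic sweep).
    events += [("198.51.100.7", f"192.0.2.{h}", 22) for h in range(1, 41)]
    # Source B: 500 different ports against a single host (targeted scan), which
    # is how an sshd moved to port 2222 (assumed here) would still be found.
    events += [("203.0.113.9", "192.0.2.10", p) for p in range(2000, 2500)]
    # Source C: ordinary client traffic.
    events += [("198.51.100.50", "192.0.2.10", 443)] * 5
    return events

def classify_sources(events, host_threshold=20, port_threshold=100):
    """Label each source by the shape of what it touched.

    Thresholds are illustrative assumptions, not values from the post.
    """
    ports_per_target = defaultdict(lambda: defaultdict(set))  # src -> dst -> ports
    hosts_per_port = defaultdict(lambda: defaultdict(set))    # src -> port -> dsts
    for src, dst, port in events:
        ports_per_target[src][dst].add(port)
        hosts_per_port[src][port].add(dst)

    verdicts = {}
    for src in ports_per_target:
        max_ports = max(len(p) for p in ports_per_target[src].values())
        max_hosts = max(len(h) for h in hosts_per_port[src].values())
        if max_ports >= port_threshold:
            verdicts[src] = "targeted"        # many ports on one host
        elif max_hosts >= host_threshold:
            verdicts[src] = "opportunistic"   # one port across many hosts
        else:
            verdicts[src] = "unremarkable"
    return verdicts

def sources_that_reach(events, dst, port):
    """Which sources probed a given (host, port), e.g. a relocated sshd."""
    return {s for s, d, p in events if d == dst and p == port}

if __name__ == "__main__":
    sample = build_sample()
    for src, verdict in sorted(classify_sources(sample).items()):
        print(src, verdict)
    print(sources_that_reach(sample, "192.0.2.10", 2222))
```

In this sample only the source classified as targeted ever touches the relocated port; the port-22 sweeper never does.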