[66685] in North American Network Operators' Group
Re: sniffer/promisc detector
daemon@ATHENA.MIT.EDU (Niels Bakker)
Tue Jan 20 18:58:12 2004
Date: Wed, 21 Jan 2004 00:57:35 +0100
From: Niels Bakker <niels=nanog@bakker.net>
To: nanog@merit.edu
Mail-Followup-To: nanog@merit.edu
In-Reply-To: <16397.27015.223645.314892@biohazard.demon.algx.net>
Errors-To: owner-nanog-outgoing@merit.edu
* davei@algx.net (Dave Israel) [Tue 20 Jan 2004, 18:48 CET]:
> On 1/20/2004 at 09:18:07 -0800, Alexei Roudnev said:
[..]
>> - unpatched sshd on port 30013 - safety is 7 (higher) because no one
>> automated script can find it, and no manual scan finds it in reality
> Actually, an automated script or manual scan can find it trivially.
> All you have to do is a quick port scan, looking for this:
[..]
Indeed. And Alexei's point is that no one is looking for that.
> one across the enterprise, so it is only really obscure once. Moving
> port numbers only protects you against idle vandalism; it is useless
> against people who truly wish you harm.
Alexei's point also was that you need additional measures against those
people.
> You really need a firewall, particularly one that can detect a port
> scan and shut off the scanner, for changing ports to have any real
> security. It is kind of like a 4-digit PIN being useless for a bank
> card without the 3-try limit.
Unless you like really, really sore fingers, and don't think a long line
of people waiting behind you at the ATM will attract any attention from
the bank employees.
-- Niels.
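As an added illustration of the "firewall that can detect a port scan and shut off the scanner" point (example code written for this archive page, not anything posted by Dave, Alexei or Niels): a minimal sliding-window scan detector run over a constructed connection log. The log format, the 192.0.2.x/198.51.100.x/203.0.113.x addresses, the threshold and the window length are all assumptions; only port 30013 comes from the thread.

```python
# Added example, not from the NANOG thread. Input is a constructed log of
# inbound TCP SYNs as (timestamp_seconds, src_ip, dst_port), sorted by time.
from collections import defaultdict, deque

SSHD_PORT = 30013        # the "obscure" sshd port discussed in the thread
SCAN_THRESHOLD = 10      # distinct ports from one source within the window (assumed)
WINDOW_SECONDS = 60      # sliding window length (assumed)

def detect_scanners(events, threshold=SCAN_THRESHOLD, window=WINDOW_SECONDS):
    """Return {src_ip: timestamp at which that source was flagged}.

    A source is flagged once it has touched `threshold` distinct destination
    ports within any `window`-second interval. Events from a source after it
    is flagged are ignored, which stands in for "shut off the scanner".
    """
    recent = defaultdict(deque)   # src -> (ts, port) pairs still inside the window
    flagged = {}
    for ts, src, port in events:
        if src in flagged:
            continue
        q = recent[src]
        q.append((ts, port))
        while q and ts - q[0][0] > window:   # age out entries older than the window
            q.popleft()
        if len({p for _, p in q}) >= threshold:
            flagged[src] = ts
    return flagged

def reached_port_before_block(events, flagged, port=SSHD_PORT):
    """Did any flagged source hit `port` before the detector cut it off?"""
    return any(src in flagged and ts < flagged[src] and p == port
               for ts, src, p in events)

# Constructed sample: an admin connects to sshd twice; a scanner sweeps
# 30000-30019 one port per second, which would reach 30013 at t=18.
SAMPLE_EVENTS = (
    [(0, "192.0.2.10", SSHD_PORT), (300, "192.0.2.10", SSHD_PORT)]
    + [(5 + i, "198.51.100.7", 30000 + i) for i in range(20)]
)

# Constructed sample: the same sweep at one port every 10 s never has 10
# distinct ports inside a 60 s window, so this detector does not flag it.
SLOW_EVENTS = [(10 * i, "203.0.113.5", 30000 + i) for i in range(20)]

if __name__ == "__main__":
    flagged = detect_scanners(SAMPLE_EVENTS)
    print(flagged, reached_port_before_block(SAMPLE_EVENTS, flagged))
    print(detect_scanners(SLOW_EVENTS))
```

The slow sweep is the caveat: a threshold-per-window detector is only as good as its window, so the 3-try-limit analogy holds for fast scans and not for patient ones.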