[86866] in North American Network Operators' Group
Re: a record?
daemon@ATHENA.MIT.EDU (Patrick W. Gilmore)
Sun Nov 20 10:45:57 2005
In-Reply-To: <20051120111717.GH96756@new.detebe.org>
Cc: "Patrick W. Gilmore" <patrick@ianai.net>
From: "Patrick W. Gilmore" <patrick@ianai.net>
Date: Sun, 20 Nov 2005 10:45:21 -0500
To: nanog@nanog.org
Errors-To: owner-nanog@merit.edu
On Nov 20, 2005, at 6:17 AM, Elmar K. Bins wrote:
>> Unfortunately, we now have decades of experience in cybersecurity that
>> this isn't true. It appears to work for a while, but on the Internet
>> bears are always hungry and learn. There are people actively scanning
>> for any open ports running any protocol, without a SPECIFIC interest in
>> your computer.
>
> Funnily, I see many many more scanning attempts for the same port (or
> handful of ports) across entire networks than the other way around.
>
> And as stated before: If somebody scans 63023, he has interest in your
> site and is worth the effort of doing something about it. That's the
> whole point in changing the port.
>
> Changing the port is not making the system more secure, it only filters
> out passers-by.
I'm going to repeat what Sean said, because you clearly didn't read
what he said:
"There are people actively scanning for any open ports running any
protocol, without a SPECIFIC interest in your computer."
Allow me to re-state again in slightly different language so you
understand this time:
Changing your port may (will?) lower the number of automated scans
you see hitting your daemon, but it will _NOT_ eliminate them. IOW:
Just because someone is probing for an SSH daemon on 65K ports
against your box does _NOT_ mean he has a specific interest in your box.
If you honestly believe that just 'cause someone tried "ssh -p 63xxx
$YOUR.BOX" it means he is specifically targeting your box, well, that
is your prerogative. You are almost certain to be wrong at least
part of the time, though.
--
TTFN,
patrick