MORE SSH Hacking: heads-up

Michael H. Warfield mhw at wittsend.com
Sat Aug 7 02:40:17 UTC 2004


On Sat, Jul 31, 2004 at 12:02:38AM -0400, Jorge Fábregas wrote:
> On Friday 30 July 2004 6:36 pm, Sam Varshavchik wrote:
> > There are more than sixty thousand other ports to choose from.  Pick one,
> > and have portsentry bitch-slap anyone poking your port 22.

> I totally agree. That's "Security WITH obscurity" which is not the same as 
> "Security THRU obscurity".

	I don't even run ssh on IPv4 any more.  I run it on IPv6 only,
which is available anywhere IPv4 is (and a few places / times where you
can't even GET IPv4).

	Hell, sixty five thousand ports.  Penny ante.  Trivial to scan for
if someone really wanted it.  Find it amongst 16 billion billion possible
host addresses on a single IPv6 subnet (and there are 65,536 subnets
to each IPv6 net and each IPv4 address has an entire IPv6 net already
assigned to it and there is NO broadcast address) now THERE'S a challenge,
even if you knew the subnet to look on!

	As a side note...  My exposed servers change their IPv6 address
they are listening on for ssh every 15 minutes.  No problem with DNS
dynamic updates and deprecating addresses over twice the TTL (and you
can't delete an address that's "in use" IAC).  Now try scanning for
THAT in 65,536 * 4 billion * 4 billion and catch it in the 15 minute
window before it jumps behind your scan.


	Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw at WittsEnd.com
  /\/\|=mhw=|\/\/       |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
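An added illustration, not code from the post or its author, of the address-hopping scheme Mike describes: a host in a /64 picks a fresh random IPv6 address every 15 minutes, publishes only that one in DNS, and keeps the previous address listening for twice the record TTL so in-flight lookups and existing sessions still work. The prefix, the 60-second TTL and the `HoppingHost` class are constructed assumptions; the scan-odds helper uses the 2^64 per-subnet space from the post.

```python
import ipaddress
import secrets

PREFIX = ipaddress.IPv6Network("2001:db8:1234:5678::/64")  # constructed /64
ROTATE = 15 * 60      # 15-minute hop window, as in the post
DNS_TTL = 60          # assumed short TTL on the AAAA record
GRACE = 2 * DNS_TTL   # old address stays deprecated-but-live for twice the TTL


def random_address(prefix: ipaddress.IPv6Network) -> ipaddress.IPv6Address:
    """Pick a random interface identifier inside the prefix (2**64 choices in a /64)."""
    return prefix.network_address + secrets.randbelow(prefix.num_addresses)


class HoppingHost:
    """Tracks the preferred address plus any deprecated ones still in their grace window."""

    def __init__(self, prefix, rotate=ROTATE, grace=GRACE):
        self.prefix, self.rotate, self.grace = prefix, rotate, grace
        self.addrs = []  # list of (address, time_added), newest last

    def tick(self, now):
        """Call periodically: hop when the newest address is ROTATE seconds old,
        and drop addresses that have outlived rotate + grace (never 'in use' ones)."""
        if not self.addrs or now - self.addrs[-1][1] >= self.rotate:
            self.addrs.append((random_address(self.prefix), now))
        self.addrs = [(a, t) for a, t in self.addrs
                      if now - t < self.rotate + self.grace]

    def published(self):
        """The single AAAA record a dynamic DNS update would currently advertise."""
        return self.addrs[-1][0]

    def listening(self):
        """Every address sshd still binds: the preferred one plus deprecated ones."""
        return [a for a, _ in self.addrs]


def hit_probability(probes_per_second, window=ROTATE, space=2 ** 64):
    """Upper bound on the chance a blind scan of one /64 touches the live
    address inside a single hop window (ignores the deprecated spares)."""
    return min(1.0, probes_per_second * window / space)
```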

