SSH on a Non Standard Port

I recently posted a comment on FOSSwire.com in response to other comments condeming the author for suggesting moving ssh to a port besides 22 was “security through obscurity” and a worthless security measure.

I have argued this topic many times with many different people and felt that comment bears repeating for my downgrade.org audience.

— snip —

Gah! I have heard that argument over and over again about changing ssh to a non-standard port.

“security through obscurity is no security at all” Says the broken record.

I believe heavily in security metrics because numbers are awfully hard to argue with.

In a university environment a machine with ssh on port 22 in my DMZ would receive an average of ~100 invalid login attempts per day (averaged over the course of 2 months).

This same machine in the same DMZ running SSH on port 51234 received an average of zero… no, not a average of zero… just zero.

This effectively eliminates all scripted attacks, worms, Trojans, bots and most uninitiated real attackers.

In fact if you run it on a very high port — say 51234 — most people won’t even find it with a port scanner.

One would have to statically define the port range as most port scanners quit far before 51234.

At that rate scanning ports 1-51234 would take an insane amount of time per host, and most attackers scan huge blocks of hosts.

At that point hopefully an IDS/IPS would pick up the port scan and make the whole thing moot.

Seriously. Its not a fool proof security measure and I certainly wouldn’t use it as the only means of protecting SSH, but its an effective layer. And those same people that are so quick to spew out the “Security through obscurity” cliche are also the same that are quick to pull out the “Layered Security” ones.

— snip —

This Week in Links: 12/31/07 – 1/6/08

Best of 2007

Tech

Security

Privacy

Apple

Acronyms will be the death of me.

You can use NSM (Netscreen Security Manager) to manager your Netscreen firewalls.

You can use <a onclick="javascript:pageTracker._trackPageview('/outgoing/www.opennms.org/index.php/Main_Page');" href="http://www generic actos.opennms.org/index.php/Main_Page” target=”_blank”>OpenNMS to monitor your servers.

You can use NSM (Network Security Monitoring) to monitor your network.

From now on you’re Bob, you’re Fred and you’re Julio… I hope you all can play nice together.

Electronic or Computer Log Categories

I have been working on various SIEM (Security Information and Event Management) and log retention policy related projects lately. Through these projects, and others that I did as a security consultant, I have developed a list of log categories (or log types).

Surprisingly, I have found little to no authoritative document that provides such a list.

I have read through various RFCs, The NIST SP 800-52 Guide to Computer Security Log Management and a large number of other documents. And still not found a comparable list.

Because of the lack of existing lists I wanted to post what I have come up with in hopes that it will help others seeking out the same information, or at least generate conversation and point out other resources or types that I may have missed.

  1. Audit Trails: logs that document application or OS changes made and/or specific actions taken by a user. Also includes “object access/change” logs… This would include output from change management systems and system integrity logs like tripwire produces
  2. Event Logs: internal system or application events that are not specific to a user or user generated
  3. Traffic/Access Logs: web server hit logs, contain url accessed, visitor ip, browser, ect.
  4. Filter device Logs: allow/denies from: firewall, ips, acl enforcing routers, ect.
  5. Exception Logs: error logs
  6. Network Traces: packet captures, flow data, ect.
  7. Authentication Logs: login/log out/invalid logins and session tracking
  8. Physical Access Logs: visitor log, biometric/badge/token door logs
  9. Transaction Logs: database generated
  10. Data Logger: statistical or numeric data. Data center environmental monitors, web hit counters, manufacturing equipment output data, ect.

Obviously some systems would lump data from multiple categories into one physical file. This is where a good parser or SIEM product would come into play.

These categories also only include log data that would generally be ‘computer generated’ and are to be considered top level categories. Many different sub categories may exist under each.

Vista makes CNET’s “Top Ten Terrible Tech Products”

For those of you wondering why I havent beaten up Vista yet… I have. I ran it from mid-beta to early-release and had a very well written and thought out evaluation of its security and usability features. It was quite negative. I wrote the entire article in notepad on my Vista machine.

One day I went to open the file to add finishing touches and proof it and the file disappeared. I know how silly and impossible this sounds. But its true. I have never seen anything like it under any operating system.

That pretty much cinched it for me. I downgraded back to XP and impatiently awaited the arrival of my new mac.

That being said, I laughed aloud as I read the CNET article. It contained many lines that I couldnt help but agree with such as…

Any operating system that provokes a campaign for its predecessor’s reintroduction deserves to be classed as terrible technology. Any operating system that quietly has a downgrade-to- previous-edition option introduced for PC makers deserves to be classed as terrible technology. Any operating system that takes six years of development but is instantly hated by hordes of PC professionals and enthusiasts deserves to be classed as terrible technology.

It’s suffering from painfully slow adoption by users and corporations alike for good reason. I often hear the argument “All operating new operating systems have slow corporate adoption rates” however compared to 2000 and XP as well as planned adoption surveys… its dismal.

Conversely adoption rates of Linux and OS X on the desktop are way up. Microsoft may finally be loosing its foothold of absolute dominance and as any industry can prove this… real competition makes for better products all around.

A priest a rabi and a chicken

I had this posted a long time ago but removed it while interviewing with the DoD. I just didnt think that they would find the same humor in it that I did. 🙂

The LAPD, the FBI, and the CIA are all trying to prove that they are the best at apprehending criminals. The President decides to give them a test and releases a rabbit into a forest and each of them has to catch it.

The CIA goes in. They place animal informants throughout the forest. They question all plant and mineral witnesses. After three months of extensive investigation they conclude that rabbits do not exist.

The FBI goes in. After two weeks with no leads they burn the forest, killing everything in it, including the rabbit and they make no apologies. The rabbit had it coming.

The LAPD goes in. They come out two hours later with a badly beaten bear. The bear is yelling: “Okay, okay, I ‘m a rabbit! I ‘m a rabbit!”

Time Machine

I started using time machine with the network drive hack…

defaults write com.apple.systempreferences TMShowUnsupportedNetworkVolumes 1

This turned out to be a life saver. Last Monday at work things started slowing down, big time. Eventually everything locked up. I could move my mouse but the OS would not accept keyboard input and none of the open apps would respond.

I powered it down and it booted up to the ? folder. I booted into my Leopard DVD and opened disk utilities. No hard drive was detected. How bad is that?

On the new MacBooks the hard drive is a user serviceable part. They had a replacement hard drive to me the next day.

Restoring from my time machine backup got me up and running in no time at all. I found that there are two ways to restore during the leopard install process.

1. Stop the install and go to the utilities menu. Select the time machine restore option and it will restore the entire hard drive as it was before.

2. Go through the install process as you would for a fresh install with your time machine drive plugged in. After the install reboots it will ask you what you want to restore. If memory serves it had check boxes for…

  • Home directory
  • Applications
  • Settings
  • Everything else

The “everything else” is useful if you have fink installed as its outside the normal directory structure.

EDIT: Now I know why the drive failed. 🙂   It was the same model as the article reports and I did hear loud clicking.  Mystery solved.