I know for a fact, that if a hacker wants to root a box, the first and least thing he does is to
nmap -p1-65535 -Avv host
And yeah, it does detect services on unusual ports. And regardless of what you say, assigning nondefault ports is security through obscurity.

On 2/5/06, fbsd_user <[EMAIL PROTECTED]> wrote:
> You missed the whole meaning.
> Attackers only scan for the published service port numbers,
> that is what is meant by "portscan the box".
> Those high order port numbers are dynamically
> used during normal session conversation.
> So any response from those port numbers if an
> attacker scanned that high would be meaningless.
> Please check your facts before commenting.
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Daniel A.
> Sent: Sunday, February 05, 2006 4:58 PM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]; Michael A. Alestock
> Subject: Re: IP Banning (Using IPFW)
>
>
> On 2/5/06, fbsd_user <[EMAIL PROTECTED]> wrote:
> > I find this kind of approach is treating the symptom and not the
> > cause.
> > The basic problem is the services have well published port numbers
> > and attackers beat on those known port numbers. A much simpler
> > approach is to change the standard port numbers to some high order
> > port number. See /etc/services SSH logon command allows for a port
> > number and the same for telnet. Your remote users will be the only
> > people knowing your selected port numbers for those services. This
> > way an attacker's port scan will show the well published port numbers
> > as not open so they will pass on attacking those ports on your ip
> > address. This way your bandwidth usage will be reduced as attackers
> > find your ip address as having nothing of interest.
> >
> > This same kind of thing can also be done for port 80 by using the
> > web forwarding function of Zoneedit pointing to different port for
> > your web server. Only people coming to your site through dns will be
> > forwarded to the correct port.
> >
> > The clear key here is attackers roll through a large range of ip
> > address port scanning for open ports. By using nonstandard port
> > numbers for your services you stop the attacker even finding you in
> > the first place.
> >
> > good luck whatever you choose to do.
> You just argued against yourself. If an attacker is genuinely
> interested in rooting someone's box, that attacker will most likely
> portscan the box - And thereby discovering that you have assigned
> alternative port numbers to your services.
> Security through obscurity is a bad place to start.
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] Behalf Of Michael A. Alestock
> > Sent: Sunday, February 05, 2006 10:42 AM
> > To: [EMAIL PROTECTED]
> > Subject: IP Banning (Using IPFW)
> > Importance: High
> >
> >
> > Hello,
> >
> > I was wondering if there's some sort of port available that can actively
> > ban IPs that try and bruteforce a service such as SSH or Telnet, by
> > scanning the /var/log/auth.log log for Regex such as "Illegal User" or
> > "LOGIN FAILURES", and then using IPFW to essentially deny (ban) that IP
> > for a certain period of time or possibly forever.
> >
> > I've seen a very useful one that works for linux (fail2ban), and was
> > wondering if one exists for FreeBSD's IPFW?
> >
> > I've looked around in /usr/ports/security and /usr/ports/net but can't
> > seem to find anything that closely resembles that.
> >
> > Your help would be greatly appreciated.... Thanks in advance!
> >
> > >> Michael A., USA... Loyal FreeBSD user since 2000.
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
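
The log-scanning ban asked about in the original question, sketched as an added example that is not part of the thread or of any FreeBSD port: it counts failed sshd logins per source address in auth.log-style lines and emits `ipfw table` commands for repeat offenders. The threshold, the table number 1, the allow list and the sample log lines are assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter

# Anchored at end of line with a greedy ".*": the address sshd appends is the
# last token, so a username containing " from 192.0.2.10" cannot pick the ban.
PATTERNS = [
    re.compile(r"sshd\[\d+\]: Illegal user .* from (\S+)$"),
    re.compile(r"sshd\[\d+\]: Failed password for .* from (\S+) port \d+ ssh2$"),
]

# Constructed sample lines in the style of /var/log/auth.log (not real data).
SAMPLE = [
    "Feb  5 10:40:01 host sshd[811]: Illegal user admin from 203.0.113.5",
    "Feb  5 10:40:03 host sshd[811]: Illegal user test from 203.0.113.5",
    "Feb  5 10:40:05 host sshd[812]: Failed password for root from 203.0.113.5 port 4011 ssh2",
    "Feb  5 10:41:00 host sshd[820]: Illegal user x from 192.0.2.10 from 198.51.100.7",
    "Feb  5 10:41:01 host sshd[820]: Illegal user x from 192.0.2.10 from 198.51.100.7",
    "Feb  5 10:41:02 host sshd[820]: Illegal user x from 192.0.2.10 from 198.51.100.7",
    "Feb  5 10:42:00 host sshd[830]: Failed password for bob from 192.0.2.77 port 5050 ssh2",
]

def offenders(lines, threshold=3, allow=("127.0.0.1",)):
    """Return sorted addresses with at least `threshold` failed logins."""
    hits = Counter()
    for line in lines:
        for pat in PATTERNS:
            m = pat.search(line.rstrip("\n"))
            if not m:
                continue
            try:
                addr = str(ipaddress.ip_address(m.group(1)))
            except ValueError:
                break  # hostname or junk: never pass it to the firewall
            if addr not in allow:  # keep your own admin addresses unbannable
                hits[addr] += 1
            break
    return sorted(a for a, n in hits.items() if n >= threshold)

def ipfw_commands(addrs, table=1):
    """Assumes an existing rule such as: ipfw add deny ip from 'table(1)' to any"""
    return [f"ipfw table {table} add {a}" for a in addrs]

if __name__ == "__main__":
    for cmd in ipfw_commands(offenders(SAMPLE)):
        print(cmd)
```

Table entries do not expire on their own, so a timed ban needs a separate job that removes addresses with `ipfw table 1 delete`.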