This is well known and not actually at all controversial. The only people who are against adding an additional layer of security are the ones who don't actually understand the concept, they only heard "security through obscurity is bad." Those people shouldn't be securing systems.

For example shutting up chatty webservers is a good and well established security practice (stuff like removing x-powered-by response headers). This is one of the security policies of the government systems I work on. It's security through obscurity, however, it's far from the only practice a website uses to keep itself secure. I don't know if it's true but I also heard that the NSA doesn't publish some of their physical addresses and the highway exits are unmarked - that's security through obscurity. Again, that doesn't mean they go ahead and leave the doors unlocked.

Another recommended security practice, don't use usernames like 'root,' 'admin,' etc. In meatspace there's the advice of "don't leave valuables in your car in plain sight," that's uncontroversial but it's also security through obscurity, covering up your iPad when you leave it in the car doesn't mean you don't lock your door.

But, the prerequisite is really, actually understanding security, as a concept, including understanding tradeoffs. Without a good understanding you aren't ever going to succeed in securing any systems.

> Anything that increases the amount of work needed to carry out a successful attack increases its security.

Of course, if you use a tool in a stupid fashion, you get stupid results. In physical security terms, security is measured in the amount of time it would take for an attacker to penetrate the defense. This also works in terms of computer security. I'd carefully choose a bit of obscurity which would force an attacker to improvise on the fly, while under time constraint or working against a chance of discovery.

A good analogy would be a moat around a castle. A moat can be nothing more than an empty ditch. Just having an empty ditch surrounding a building would make for a rotten castle. However, having such a ditch just outside the walls interferes with the deployment of siege engines and ladders in exactly the place where one has to worry most about counterattack and so is worthwhile.

You don't just put anything up without thinking about cost/benefit. Costs might be in the form of increased attack surface, or increased operating costs.

So for example, a 20 year old Sun server running telnet that has never been patched is more secure than a brand new server

The cost might even be in the form of reduced overall security. If looking up the old exploits is easier than finding the zero-days on the new server, then this is less obscure by definition. Why don't I just put six different proxies in front of my webserver? That's six times the effort at least. Going back to cost/benefit, if the 6 proxies spoil your operating costs and latency, then it probably doesn't work out.

Most attacks are just scripts that constantly scan everything looking for services on well known ports. This sort of attack isn't dangerous if you've got the basics right, so obscurity gives you nothing very useful. I guess it might result in less noise in the logs which is nice but it's not 'more secure'. The far less common but much more dangerous attack is a malicious third party intent on gaining access to your servers specifically. Hiding a service on a different port isn't even going to slow that attacker down - they'll use a port scanner to find every port that's listening. The service is going to be found regardless of whether or not you've changed the port. You could certainly mitigate the problem by modifying the service not to output anything until the user is authenticated, and you can use a port knocking strategy to stop it connecting on the first try, but those aren't really 'obscurity' per se. That's not to say you shouldn't do it if you want to; I'm just not sure it actually makes anything more secure.

You just have to balance it against convenience, as well as consider effort vs value.

Changing the SSH port is fine, and having to remember/teach people that it's a non-standard port is pretty easy. Although it is security-by-obscurity, it's decent value because you're significantly less likely to get dictionary attacks. Fairly low value, but also very low effort. Restricting SSH connections to specific source IPs further reduces your risk, but adds inconvenience: you have to be in a specific place or use a VPN first, or remember to add new IPs for new people that need to connect.
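Several commenters above touch on the same measurable things: dictionary-attack "noise" in the SSH logs, guessable usernames such as root and admin, and restricting SSH to known source IPs. The script below is an added example, not code from any commenter in the thread. It parses sshd log lines in the usual syslog layout, flags sources that fail repeatedly inside a short window, counts which usernames are being guessed, and reports which lines (and which accepted logins) come from outside a source allow-list. The log lines, the `198.51.100.0/24` allow-list, the `bastion` host name and the year used for timestamps are all constructed assumptions for the example.

```python
import re
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sshd log lines in the usual syslog layout (not taken from the thread).
# 203.0.113.5 hammers guessable usernames; the other sources are legitimate users.
SAMPLE_LOG = """\
Mar  3 02:14:01 bastion sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  3 02:14:03 bastion sshd[2203]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Mar  3 02:14:05 bastion sshd[2205]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar  3 02:14:07 bastion sshd[2207]: Failed password for invalid user test from 203.0.113.5 port 51244 ssh2
Mar  3 02:14:09 bastion sshd[2209]: Failed password for invalid user oracle from 203.0.113.5 port 51248 ssh2
Mar  3 02:20:30 bastion sshd[2301]: Accepted publickey for alice from 198.51.100.7 port 40122 ssh2: ED25519 SHA256:placeholder
Mar  3 02:31:12 bastion sshd[2402]: Failed password for bob from 198.51.100.7 port 40130 ssh2
Mar  3 02:31:20 bastion sshd[2404]: Accepted password for bob from 198.51.100.7 port 40131 ssh2
Mar  3 03:05:44 bastion sshd[2510]: Accepted publickey for carol from 192.0.2.33 port 50001 ssh2: ED25519 SHA256:placeholder
"""

# Hypothetical allow-list: the range from which SSH logins are supposed to arrive.
ALLOWED_SOURCES = ["198.51.100.0/24"]

# Syslog lines carry no year; one is assumed so timestamps can be compared.
ASSUMED_YEAR = 2024

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_events(text):
    """Turn sshd auth lines into dicts; lines that are not login outcomes are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "result": m["result"], "method": m["method"],
                       "user": m["user"], "ip": ipaddress.ip_address(m["ip"])})
    return events


def dictionary_attack_sources(events, threshold=5, window=timedelta(minutes=10)):
    """Source IPs with at least `threshold` failed logins inside any `window`-long span.
    Returns {ip_string: peak failure count within the window}."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "Failed":
            failures[str(e["ip"])].append(e["ts"])
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):  # sliding window over the sorted timestamps
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def targeted_usernames(events):
    """How often each username appeared in a failed login (root/admin-style guessing)."""
    return Counter(e["user"] for e in events if e["result"] == "Failed")


def outside_allowlist(events, allowed_cidrs=ALLOWED_SOURCES):
    """Check every event against the source allow-list.
    Returns (accepted logins from outside the list, count of all lines from outside)."""
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    accepted_outside, total_outside = [], 0
    for e in events:
        if any(e["ip"] in n for n in nets):
            continue
        total_outside += 1
        if e["result"] == "Accepted":
            accepted_outside.append((e["user"], str(e["ip"])))
    return accepted_outside, total_outside


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("dictionary attack sources:", dictionary_attack_sources(evs))
    print("usernames tried in failed logins:", targeted_usernames(evs).most_common())
    accepted, noise = outside_allowlist(evs)
    print(f"{noise} of {len(evs)} lines came from outside the allow-list")
    print("accepted logins from outside the allow-list:", accepted)
```

On the constructed input the scanner at 203.0.113.5 is flagged with five failures in under ten seconds, admin is the most-tried name, six of the nine lines would never have reached sshd had the source restriction been enforced at the firewall, and carol's accepted login from 192.0.2.33 shows up as the one thing the allow-list check is really for: a successful login from somewhere it is not expected.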