Re: Enabling telnet, ftp, pop3 for root...



Sybren Stuvel wrote:

matt_left_coast enlightened us with:
What? You quit the INSTANT I pointed out that any script kiddy in
the world can attack your open port, thus calling into question any
claim about how secure your system could be compared to a system
that did not hold that port open!

This is bad reasoning. Scientific theories are attacked all the time -

Talk about bad reasoning, we are talking computer security, not "Scientific
theories", two unrelated issues too unrelated to make such comparisons
valid.

as a matter of fact, they must be attacked in order to be accepted as
true. Being able to attack something tells you nothing about the
security of the attacked.

BS. If you make it so EVERY one CAN attack it, there is the possibility that
someone can figure out how to succeed in the attack. If you make it so
NOBODY can attack it then NOBODY can succeed. It is the simple logic of: If
I don't connect my computer on the network, nobody can use the network to
attack my system, thus making the system more secure.


A scene of Monty Python's Quest for the Holy Grail comes to mind,
where the knights of the round table start attacking the French
castle. They attack a blind wall with their swords. Does that make the
castle less secure?

Ever wonder why nobody builds castles for defense anymore? Because people
figured out how to attack them in a way that made them obsolete.

I suggest you stop watching outdated British sitcoms and start living in the
real world.


Never mind that you repeatedly attacked me for using "Again, that's
security by obscurity" When I was securing a port by SHUTTING IT
DOWN, not obscuring it the way YOU did when you put it on a
non-standard port!

Shutting down the port negates the use of the service previously
listening to the port. If you shut down SSH, how can you talk about
the security of your box in the context of SSH logins?

Ever hear of port knocking? Far more secure than letting the port be open to
everyone. Other methods are to shut down the port so that only approved
addresses are allowed to connect.


If you use a port knocking technique, you should know that that is
easily defeated by sniffing the knocking sequence.

Nope, since the technique I use changes the combo EVERY TIME it is used. In
other words, you can sniff but the combo you get is already invalid. Silly
twit, you should know how to secure things.

Then again, just having port knocking limits the possible hackers from the
"whole world" down to the VERY FEW that can be in the path the packets
travel and they need to know what to look for, it would be very difficult
to spot port knocking unless one was specifically looking for port knocking
on a particular address. Cutting down the potential number of people that
CAN attack your port cuts down the likelihood that the one that CAN succeed
will be among those that CAN attack.

In other words, If you have a sniffer, are you likely to be on a part of the
network that my knocking packets take? If you are not, then you can't sniff
the packets and you can not attack my port.

You really should learn how to secure things.

It is considered
as adding just a few bits of complexity to the login system.

By who? Do you know why they started making encryption keys longer? In a
sense, it added "few bits of complexity". And if you change the key with
each message....

So, tell me, since I change the knocking address EVERY TIME, how would you
get past the knocking?

The same
effect is gained by adding one or two characters to the password.

Or adding more bits to an encryption key, all are considered valid
techniques in enhancing security. Thanks for helping me make my point.

However, creating a better password is a simpler technique, hence less
can go wrong in the implementation, hence likely to be more secure.

Yes, adding more complexity DOES enhance security, thus adding port knocking
does make the port more secure. My point is valid.


Sybren

--
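
The exchange above turns on whether a sniffed knock sequence can be replayed when the sequence changes on every use. The following is an added example, not part of the original post and not either poster's actual setup: it assumes a hypothetical scheme in which each sequence is derived from a shared secret and a counter with HMAC-SHA256, and shows the server-side check rejecting a replayed sequence. The names `knock_sequence`, `KnockVerifier`, the port range and the sample key are all constructed for illustration.

```python
import hashlib
import hmac
import struct

PORT_BASE, PORT_SPAN = 20000, 20000   # constructed knock-port range (assumption)

def knock_sequence(secret: bytes, counter: int, knocks: int = 4) -> tuple:
    """Derive the knock ports for one use from HMAC-SHA256(secret, counter)."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha256).digest()
    # Each knock takes 4 digest bytes and maps them into the port range.
    return tuple(
        PORT_BASE + struct.unpack(">I", digest[4 * i:4 * i + 4])[0] % PORT_SPAN
        for i in range(knocks)
    )

class KnockVerifier:
    """Server side: accepts each sequence once, then moves the counter past it."""

    def __init__(self, secret: bytes, window: int = 3):
        self.secret = secret
        self.counter = 0        # next counter value the server will accept
        self.window = window    # look-ahead for knocks lost in transit

    def verify(self, observed) -> bool:
        observed = tuple(observed)
        for c in range(self.counter, self.counter + self.window):
            if observed == knock_sequence(self.secret, c):
                self.counter = c + 1   # burn this value and every earlier one
                return True
        return False

def demo() -> dict:
    secret = b"constructed-demo-secret"      # constructed sample key
    server = KnockVerifier(secret)
    first = knock_sequence(secret, 0)        # what the legitimate client sends
    return {
        "first_use": server.verify(first),
        "replay_of_sniffed": server.verify(first),   # same ports, second time
        "next_sequence": server.verify(knock_sequence(secret, 1)),
        "skipped_ahead": server.verify(knock_sequence(secret, 3)),
        "beyond_window": server.verify(knock_sequence(secret, 9)),
    }

if __name__ == "__main__":
    print(demo())
```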

