Re: [?] DYNDNS host vulnerability



On Sat, 23 Feb 2008 00:16:36 +0100, Fr@nk Stef@ni rearranged some
electrons to say:

Andy Ruddock wrote:
Fr@nk Stef@ni wrote:
Hello all,

it's convenient to use a DYNDNS domain name like myhost.dyndns.org. I
guess, though, that the host myhost.dyndns.org would be much more
vulnerable as for crackers there is no need to watch out for a dynamic
IP that changes every day (at least in Germany).

Background: Every now and then I do some administration on a server of
a friend via

name@xxxxxxxxxxx

It would be nice to do this instead via

name@xxxxxxxxxxxxxxxxxxxxxxx

so there would be no need to let me know which dynamic IP his router
currently uses. This is what DYNDNS is supposed to do. Nevertheless,
if a cracker tries to crack into a host, he would be happy not to care
for dynamic IPs. Rather he would be happy to rework on
"friends_host.dyndns.org" without caring for IP changes.

Am I correct or did I miss something?

If I were correct, weak login names and passwords would be no problem,
even with ssh - right?

Thanks and regards,
Frank

What you're doing here is relying on security through obscurity - the
obscurity being that an attacker would be unable to follow your
changing IP from one day to the next, and hoping that he's unable to
break in during the 24-hour timeframe until your IP changes.

Are you sure your IP will change once a day? Is it a policy set by the
ISP? It may change; if you're relying on a variable IP and it suddenly
becomes more or less static, how long before you find out?

(My IP address is theoretically dynamic, but reading the documentation
available from my ISP it appears that the IP address is linked to my
router, I've had the same IP address for over six months now.)

Make sure your passwords are strong and your software is up to date,
monitor your log files. If your friend only needs to allow access now
and again it may be better to only run the ssh daemon when you need
access - a quick phone call to get him/her to start the ssh server.

What we currently do is exactly that. The router's firewall has all ports
closed and the SSH port is always manually activated after a phone call.

My eyes opened up wide when I realized that the whole system's security
relies on a single strong password - though we have a firewall and encrypted
SSH. I guess many systems worldwide are wide, wide open in this
respect....

Frank

dyndns.org has nothing to do with the security of your system.

It's up to YOU to secure your system.

http://tldp.org/HOWTO/Security-Quickstart-HOWTO/index.html
http://tldp.org/HOWTO/Security-HOWTO/index.html
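
The "monitor your log files" advice from the thread, as an added example that is not part of the original posts: it counts failed sshd password logins per source address and flags a password login that succeeds after repeated failures from the same address. The log lines are constructed samples in OpenSSH's syslog format, and the `summarize` function and its threshold are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines (documentation IP ranges, made-up account "name").
SAMPLE_LOG = """\
Feb 23 01:02:03 host sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 40022 ssh2
Feb 23 01:02:05 host sshd[2103]: Failed password for invalid user test from 203.0.113.5 port 40031 ssh2
Feb 23 01:02:08 host sshd[2105]: Failed password for root from 203.0.113.5 port 40040 ssh2
Feb 23 01:02:11 host sshd[2107]: Failed password for name from 203.0.113.5 port 40052 ssh2
Feb 23 09:15:40 host sshd[2250]: Failed password for name from 198.51.100.7 port 51200 ssh2
Feb 23 09:15:52 host sshd[2250]: Accepted password for name from 198.51.100.7 port 51200 ssh2
Feb 23 11:30:00 host sshd[2300]: Accepted password for name from 203.0.113.5 port 40100 ssh2
"""

# Matches sshd's password-authentication result lines.
EVENT = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def summarize(log_text, threshold=3):
    """Return (noisy, suspicious).

    noisy:      {ip: sorted login names tried} for sources with at least
                `threshold` failed password logins.
    suspicious: [(ip, user)] for logins accepted from a source that had
                already reached the threshold, i.e. a guess that may have worked.
    """
    failures = Counter()
    names_tried = defaultdict(set)
    suspicious = []
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue
        ip, user = m["ip"], m["user"]
        if m["result"] == "Failed":
            failures[ip] += 1
            names_tried[ip].add(user)
        elif failures[ip] >= threshold:
            suspicious.append((ip, user))
    noisy = {ip: sorted(names_tried[ip]) for ip, n in failures.items() if n >= threshold}
    return noisy, suspicious


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A single mistyped password followed by a successful login, as from 198.51.100.7 in the sample, stays below the threshold and is not flagged.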