Security and Obscurity: Changing Daemon Ports

Daniel (San Francisco, CA):

Question: How many here think you can lower the risk of a public service being compromised by changing the port that your listener is on?
So, for example, do I raise the security of my SSH daemon by changing the listener from port 22 to port 24? I tried that today and watched the stats on incoming connections; the results were interesting.
Over 7,000 connections to port 22. 3 on port 24. My answer is yes -- you do gain security by moving public services to non-standard ports. But isn't that "security by obscurity"? Not quite.
Original post here: »dmiessler.com/blog/security-and-···our-risk
-- dmiessler.com -- grep understanding knowledge
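The connection counts in the post are the kind of thing you can pull straight out of a firewall log. The Python script below is an added example for this page, not code from the original post or from dmiessler.com; it counts new TCP connection attempts (SYN without ACK) per destination port from netfilter-style LOG lines, lists the distinct sources that probed each port, and gives the ratio of attempts on the standard port to attempts on the moved one. The log lines embedded in it are constructed for the example, and the addresses, ports and exact field layout are assumptions rather than data from the thread.

```python
"""Count inbound TCP connection attempts per destination port from
netfilter LOG lines (added example; the sample lines are constructed)."""
import re
from collections import Counter

# Constructed sample in the shape of kernel netfilter LOG output.
# Addresses are from documentation ranges; none of this is real traffic.
SAMPLE_LOG = """\
Jun 12 03:14:07 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=51234 DPT=22 SYN
Jun 12 03:14:08 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=51235 DPT=22 SYN
Jun 12 03:14:09 gw kernel: IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.2 PROTO=TCP SPT=40001 DPT=22 SYN
Jun 12 03:15:01 gw kernel: IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.2 PROTO=TCP SPT=33000 DPT=24 SYN
Jun 12 03:15:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 PROTO=UDP SPT=5353 DPT=22
Jun 12 03:16:00 gw kernel: IN=eth0 OUT= SRC=203.0.113.77 DST=198.51.100.2 PROTO=TCP SPT=33001 DPT=80 SYN
Jun 12 03:16:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.77 DST=198.51.100.2 PROTO=TCP SPT=33002 DPT=22 ACK
"""

# Pull out source address, protocol and destination port; the TCP flag
# names (SYN, ACK, ...) follow the DPT field in netfilter LOG output.
LINE_RE = re.compile(r"SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)")


def parse_attempt(line):
    """Return (src, dst_port) for a new TCP connection attempt, i.e. a
    SYN without ACK. UDP, replies and malformed lines return None."""
    m = LINE_RE.search(line)
    if m is None or m.group("proto") != "TCP":
        return None
    flags = set(line[m.end():].split())
    if "SYN" not in flags or "ACK" in flags:
        return None
    return m.group("src"), int(m.group("dpt"))


def attempts_by_port(lines):
    """Number of connection attempts seen on each destination port."""
    counts = Counter()
    for line in lines:
        hit = parse_attempt(line)
        if hit is not None:
            counts[hit[1]] += 1
    return counts


def sources_by_port(lines):
    """Distinct source addresses that probed each destination port."""
    sources = {}
    for line in lines:
        hit = parse_attempt(line)
        if hit is not None:
            sources.setdefault(hit[1], set()).add(hit[0])
    return sources


def exposure_ratio(lines, standard_port, moved_port):
    """Attempts on the standard port per attempt on the moved port.
    Returns inf when the moved port saw nothing in the sample."""
    counts = attempts_by_port(lines)
    if counts[moved_port] == 0:
        return float("inf")
    return counts[standard_port] / counts[moved_port]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    srcs = sources_by_port(lines)
    for port, n in sorted(attempts_by_port(lines).items()):
        print(f"port {port:5d}: {n} attempts from {len(srcs[port])} sources")
    print("22 vs 24 exposure ratio:", exposure_ratio(lines, 22, 24))
```

Feed it the kernel log of a host with a LOG rule on the INPUT chain and the ratio tells you how many probes reach each listener. That is a measure of exposure only: it says nothing about whether the listener would survive a probe that does arrive, which is the distinction several of the replies in this thread draw.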
Cabal (Austin, TX), reply to Daniel:

said by Daniel: Question: How many here think you can lower the risk of a public service being compromised by changing the port that your listener is on? ... Over 7,000 connections to port 22. 3 on port 24. My answer is yes -- you do gain security by moving public services to non-standard ports. But isn't that "security by obscurity"? Not quite. ...

I will disagree with you on your terminology. You haven't in any way made your service "more secure," you've only extended the time it takes to be compromised. It'd be a long stretch to call that any kind of security. You still have a (hypothetical) service vulnerable to a zero-day exploit.
Personally, I run SSH on non-standard ports on Internet-facing systems, but it is solely to cut down on log spam. But I do agree with some of the premises of your site:
Obscurity as security: Bad. Obscurity on top of security: Good/convenient, but optional.
-- Interested in open source engine management for your Subaru?
Unnamed poster, reply to Daniel:

From the Wiki: "Security through obscurity, a controversial principle in security engineering which attempts to use secrecy to provide security"
When you really look up close, there is no security without obscurity. You are always counting on secrecy, on someone else not knowing something about your security. I know that isn't what is meant by security by obscurity, but it is really just an arbitrary definition.
A lock is only secure because someone else does not know the exact shape of your key. A password, no matter how long and random, is only secure because someone else does not know it. Pretty much all software has vulnerabilities. Your security software and your daemons are only secure because someone else does not know all of the vulnerabilities.
Most experts today say that there is no such thing as security that can't be penetrated by someone with the right skills and enough time. If you agree with that, then all security is just obscuring things enough to make the time required or skills required too great for your system to be likely to be penetrated. Changing standard ports adds time to a penetration attempt, therefore it adds security. Probably only a tiny amount, but that's what layers are all about.
Plus it might keep some script kiddie that got his hands on some good code from getting lucky on your system.
EGeezer (Midwest), reply to Daniel:

I agree, and have often mentioned that this is a relatively simple action that can foil the thousands of automated attacks that scan default ports, as well as the CSRF scripts you've brought to our attention. All I would have to do to render those ineffective would be to change the admin http default port 80 to something else.
Of course it's not by any means a silver bullet, and would not by itself stop a targeted infiltration by a reasonably skilled intruder. But, it can be useful and effective against those common automated scanners that fill our logs daily. When I examine my logs, I find once those auto-bots have scanned the default IP/service port(s), they rarely if ever hang around to see if they can find nonstandard configs. They automatically move on to capture low hanging fruit.
I'd choose a random high number port myself. For example instead of port 22, why not 28742 or 54819 or other? Many ports aren't used by common applications and random ports would work fine. A quick look at ISC's port data indicates they only see 3-6 a day on those two ports and I'm sure the same would apply for most in the ephemeral/nonstandard range.
Quite frankly, I believe "security by obscurity" is a buzzword phrase. What you're proposing is changing defaults, and not relying on this as your only means of protection. As for raising your security, I'd correct that to say you reduce your exposure.
-- Mayors of New York come from nowhere and go nowhere. Wallace Sayre (apparently, so do governors... )
Snowy (Kailua, HI):

said by EGeezer: Quite frankly, I believe "security by obscurity" is a buzzword. What you're proposing is changing defaults, and not relying on this as your only means of protection. As for raising your security, I'd correct that to say you reduce your exposure.

"Changing the default ports of common services makes those services more prone to becoming successfully attacked."
That doesn't even sound right.
"Changing the default ports of common services does not increase the security of those services"
If the system is the target of a directed attack I'd agree that changing port defaults will have no influence on the success or failure of the attack. Considering random acts of port scanning it removes some assumptions about the system that would have been correct otherwise. Predictability is security's enemy.
Name Game (North Myrtle Beach, SC), reply to Daniel:

Anything one can do to limit the attack surface can help. If you feel comfortable changing daemon ports because you have weak layered security, then go for it. But it does naught for the real issue.
-- Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/
Daniel, reply to Cabal:

said by Cabal: I will disagree with you on your terminology. You haven't in any way made your service "more secure," you've only extended the time it takes to be compromised.

I've "extended the time it takes to be compromised" but I haven't increased my security? What, then, would you call increasing security as opposed to just making it take longer for people to compromise you?
Putting camouflage on tanks doesn't increase their "security" then either, right? It just takes longer for them to be targeted on the battle field -- which keeps them alive longer. But that's not really security, right?
I have actually increased my security precisely because I've made it less likely that someone would compromise me. It's less likely because attackers VERY rarely waste time sending their exploits to random non-standard ports when they launch their attacks. It's just not economical for them, which equates to more security for those who do move their listeners.
Daniel, reply to EGeezer:

said by EGeezer: As for raising your security, I'd correct that to say you reduce your exposure.

Which in turn does what?
Exposure is a component of security. So if you added better spices to a dish and I said you improved the dish's taste, you shouldn't correct me by saying that I only added better spices. I did both.
Daniel, reply to Name Game:

said by Name Game: Anything one can do to limit the attack surface can help. If you feel comfortable changing daemon ports because you have weak layered security, then go for it. But it does naught for the real issue.

I was wondering when you would show up to bestow some wisdom. Let me just warn you, and the rest of the forum, that I'm no longer being gentle with you, NameGame. I apologize to the forum in advance.
You say, I'd only want to add hiding the port as a layer "because I have weak layered security". So exactly at what point does adding another layer of security mean that the previous layers were weak? Do you have an answer for that? Or to put it another way, what part of the M-1 tank's reactive armor is so weak that it "needs" to be painted to blend in with its surroundings? Or could it be that the U.S. Military knows more about security than you do?
Here, I'll give you the answer. The M-1's armor doesn't have to be weak for the tank to benefit from being camouflaged. Amazing, huh? Let me ask you this: what about invisible tanks? Would having a tank that could turn invisible increase its security? According to you it would not since it can still be hit with a random shot, i.e. it's still just as vulnerable were it to be hit. Do you or do you not see how foolish it is, however, to say that the tank being invisible would not help it stay alive longer? Same concept. In both the tank and the non-standard listener scenarios the attacks are being sent elsewhere! It's an avoidance technique.
You think adding obscurity as a layer on top of existing layers is weak because you lack a grasp of many core security principles. What's most frightening is that you don't adjust your views when so many with more experience than you tell you that you're wrong. That's a dangerous state of mind, especially for someone who lurks in forums designed to help new users.
I ask you to reconsider your view of layered security. I've seen you be quite knowledgeable in other areas, but you honestly, on this particular matter, have no idea what you're talking about.
EGeezer, reply to Daniel:

I didn't write that properly or completely, thanks for pointing that out. I should have followed with a statement that reduced exposure is a valid security measure. I do continue to maintain changing defaults is primarily a reduction in exposure, which is, as you pointed out, a valid component of security implementation. I'm thinking in terms of component nomenclature.
Rambling on now, 
My logs bear out that once these auto-bots scan the standard port and get no response from it, they don't come back to attempt further exploits related to the standard port. At that point I've avoided a "second look" by the autobot or at the minimum, avoided having my IP logged as "interesting" and recorded for further scans on other common service ports.
Thus, we've thwarted a large number of common attempts (Based on the logs I review) at the initial attack stage by simply changing ports. If there would be other more personalized attempts, there would be more hurdles to overcome.
As for being a real issue, my experience in my little circle bears out that autobots are real issues, and reducing exposure is one valid step in dealing with them.
NetFixer (The 'Boro), reply to Daniel:

I operate several http and ftp servers, some on standard ports and some on non-standard ports. The non-standard port servers are not subjected to the cgi/php hack attempts or brute force password attacks that I see daily on the standard port services.
The main reason I operate the non-standard port servers is that those particular servers are not intended for access by the general public, and also because I am too cheap to spend the money for the additional IPv4 addresses. The clean log entries do however attest to at least some additional security by using non-standard ports.
-- We can never have enough of nature. We need to witness our own limits transgressed, and some life pasturing freely where we never wander. Test your firewall.
javaMan (San Luis Obispo, CA), reply to Daniel:

It depends on the operating premise you're working from. If you start with the premise that there is no foolproof method of being completely secure, then yes, using non-standard ports will lower the risk. However, I don't think that is the premise most people operate under. In other words, it is not so much a question of whether someone can find me that I put my trust in, but what methods of protection I will use if and when they do. So, unless I can guarantee that no one will locate me, which changing ports will not do, I will continue to define my real security by the means I use when they do. This is not to say that using non-standard ports is not a good idea. Only that I don't agree that doing so adds security in the sense of real protection.
-- Woe unto them that call evil good, and good evil; that put darkness for light, and light for darkness. . . Isa. 5:20
Snowy:

said by javaMan: Only that I don't agree that doing so adds security in the sense of real protection.

I totally agree that if an FTP server has an exploitable weakness it doesn't matter which port it's listening on. The weakness will exist regardless of port number. Tossing an unconventional port number into the mix doesn't close the weakness, at most it will just diffuse it a bit. Where unconventional ports can make a notable difference is in the area of zero day exploits. The unconventional port can buy enough time to be the deciding factor between getting exploited & getting patched even though it doesn't address whatever weakness is present.
Name Game, reply to Daniel:

Rambling on..not caring how gentle the OP feels the need to be as he once again shows up promoting his blog..and now with warnings no less..and personal ones at best.
Logs are fun to look at..but they do not indicate a compromise unless you let 'them' in the door.
I have no idea what layered security you do have on your system..but I do not consider moving a common port as a 'layer' of Security.
Grasping your concept is not the problem..knowing that it will not gain you any high ground in the long run is.
An exploit is not a compromise...unless you ARE vulnerable.
BTW..have you convinced the world to use port knocking yet ??
This might help in your 'closed door' discussion in this thread. »www.linuxsecurity.com/content/view/133312/2/
Daniel, reply to Snowy:

said by Snowy: said by javaMan: Only that I don't agree that doing so adds security in the sense of real protection. I totally agree that if an FTP server has an exploitable weakness it doesn't matter which port it's listening on. The weakness will exist regardless of port number.

Weaknesses don't exist in a vacuum. They are combined with threats to arrive at risks. They work together. If either the weakness or the threat becomes more serious, the risk increases, and if either the threat or weakness is reduced to zero the risk disappears altogether.
So what we're doing here, using that simple formula, is reducing the threat by reducing our exposure to it. We have a massive, evil attack taking place on port 22. So we sidestep and move to port 34,291. The "threat" to our daemon is now SIGNIFICANTLY reduced since we can clearly document that very few attackers are hitting people on port 39,291.
And since we've reduced the threat it doesn't matter if we haven't reduced our vulnerability; we've still lowered our risk.
Blackbird (Fort Wayne, IN), reply to Daniel:

The strength of any security scheme at any given point in time can be rendered either as the probability of it being broken in a unit of time, or else as the amount of time required to assure the probability of breaking the system approaches unity. As time passes and technology changes, the strength of most security schemes will deteriorate... a sort of law of entropy. (There are some schemes in cryptography with re-entrant solutions that defy this, since attempts to crack the cipher-text eventually result in multiple intelligible plaintext solutions, only one of which is 'correct'.) In any case, the protection objective is to push the probability of breaking a security scheme down to the vanishing point - or in reality, as near to it as is deemed "sufficient" for purposes of the protection sought. Hence if a message or system must have a secure lifetime of 5 years, a protection scheme that provides a 10,000-year anti-cracking probability will likely be sufficient for anything short of direct compromise, even if technology advances push that down to 1,000 years during the required 5-year secure lifetime.
The point is that anything which reduces the probability of breaking the system, increases its security. Anything that pushes out in time the likelihood of breaking the system, increases its security. Thus properly secured layers increase overall system security compared with any one layer's individual security. Adding a meaningful obscurity layer decreases the probability of breaking the system in any unit of time... or it pushes the likelihood of breaking further out in time. Thus it increases the overall system security. The question is how much of an increase is obtained by what kinds of obscurity... and how stable are the results. Choosing a non-standard port could conceivably decrease penetration probability by 60,000:1 with things as they now are technically. In practical terms, that matters a lot if the inherent penetrability of a system is already around a 1-year point or more, due to other security measures... but it matters little if the inherent penetrability of the system is only 1-minute or so due to weak or non-existing other security layers.
On the other hand, if such an obscurity process became widely used and attackers began intentionally hitting it routinely and in-depth using tweaked auto-bots, the security improvements it originally offered could fall dramatically... perhaps to only a few:1. At root, obscurity as a meaningful improvement to security-strength relies on... remaining obscure. Which is, of course, its unique Achilles heel, compared with ordinary security layers.
But as long as something remains a meaningfully obscure technique, its contribution to overall security as part of a layered system will be finite and real.
edit: clarity - para 1
-- If God wanted us to work with electrons, He'd make them big enough to see...
Daniel, reply to Name Game:

said by Name Game: Rambling on..not caring how gentle the OP feels the need to be as he once again shows up promoting his blog..and now with warnings no less..and personal ones at best.

I'm promoting all right -- promoting conversation here in this forum. Trust me, the benefit I get from visitors from here hitting my site is virtually nil. I really don't need the 11 cents a year. I post the original link because it usually is written differently than I write the post here (it's usually longer), and some might like to read that one too. Nice try, though.

said by Name Game: Logs are fun to look at..but they do not indicate a compromise unless you let 'them' in the door.

Wow. Thanks for that deep contribution to the discipline of log analysis.

said by Name Game: I have no idea what layered security you do have on your system..but I do not consider moving a common port as a 'layer' of Security.

Ah, well at least we've now identified the problem.

said by Name Game: An exploit is not a compromise...unless you ARE vulnerable.

I see. And how about if the exploit is sent to the wrong f**king port?

said by Name Game: BTW..have you convinced the world to use port knocking yet ??

Why would I have to convince the world to do that? There's a whole portknocking project for that. Besides, I'm more of an SPA guy myself.
The point of both of those technologies is the same, though -- an additional layer. They're much stronger in my opinion than just moving your listener to another port, but they're ultimately the same. They result in fewer connections to your daemon by attackers, which lowers your overall risk.
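Port knocking and SPA (single packet authorization) come up in the reply above as the stronger form of the same idea: the daemon is not reachable at all until a client proves knowledge of a secret in a single packet, and only then is a firewall hole opened for that source. The Python sketch below is an added example for this page, not fwknop's protocol, the portknocking project's code, or anything from the thread. It shows the server-side check such a scheme needs: an HMAC-SHA256 over client id, requested action, timestamp and nonce, a freshness window, and replay rejection. The shared key, the field layout, the 30-second window and the action string are assumptions for the example; a real deployment would also encrypt the payload and would turn an accepted action into a short-lived firewall rule, which is left out here.

```python
"""Toy single-packet-authorization (SPA) check: added example, not fwknop's
wire format. The packet format, key and window below are assumptions."""
import hashlib
import hmac
import secrets
import time

WINDOW_SECONDS = 30  # how far a packet's timestamp may drift from our clock


def make_spa_packet(key, client_id, action, now=None, nonce=None):
    """Client side: body = id|action|unix_time|nonce, then HMAC-SHA256 of
    the body under the shared key appended as hex. 'now' and 'nonce' may
    be fixed for deterministic tests; normally they default to live values."""
    now = int(time.time()) if now is None else int(now)
    nonce = secrets.token_hex(8) if nonce is None else nonce
    body = f"{client_id}|{action}|{now}|{nonce}".encode()
    mac = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + mac


def _prune(seen_nonces, now, window):
    """Forget nonces older than the freshness window; a replay of those
    would already fail the timestamp check, so they need not be kept."""
    for nonce in [n for n, ts in seen_nonces.items() if now - ts > window]:
        del seen_nonces[nonce]


def verify_spa_packet(key, packet, seen_nonces, now=None, window=WINDOW_SECONDS):
    """Server side. Returns (True, (client_id, action)) for a fresh,
    authentic, never-seen packet, else (False, reason). seen_nonces is a
    dict nonce -> timestamp that the caller keeps between packets."""
    now = int(time.time()) if now is None else int(now)
    try:
        body, mac = packet.rsplit(b"|", 1)
        client_id, action, ts, nonce = body.decode().split("|")
        ts = int(ts)
    except (ValueError, UnicodeDecodeError):
        return False, "malformed"
    # Authenticate first so an unauthenticated sender learns nothing from
    # the freshness and replay checks.
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, mac):
        return False, "bad mac"
    if abs(now - ts) > window:
        return False, "stale"
    _prune(seen_nonces, now, window)
    if nonce in seen_nonces:
        return False, "replay"
    seen_nonces[nonce] = ts
    return True, (client_id, action)


if __name__ == "__main__":
    key = b"example-shared-key-not-for-production"  # assumption for the demo
    seen = {}
    pkt = make_spa_packet(key, "alice", "open:22")
    print(verify_spa_packet(key, pkt, seen))  # accepted on first sight
    print(verify_spa_packet(key, pkt, seen))  # same packet again: replay
```

The listener itself stays behind a default-deny rule; a sniffer on the path sees one authenticated datagram per session and cannot reuse it, because the nonce is remembered for the window and the timestamp ages out. That is what makes this a genuine layer rather than only a moved port: an attacker who finds the daemon still has to produce a valid MAC before it will answer.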
Daniel, reply to Daniel:

NameGame,
Let me ask you this: what about invisible tanks? Would having a tank that could turn invisible increase its security? According to you it would not since it can still be hit with a random shot, i.e. it's still just as vulnerable were it to be hit. Do you or do you not see how foolish it is, however, to say that the tank being invisible would not help it stay alive longer?
Same concept here. In both the tank and the non-standard listener scenarios the attacks are being sent elsewhere! We're using an avoidance technique to keep from being targeted.
[Edit: Oh, and by the way, stealth fighters and bombers still blow up if you hit them hard enough, but they work because they get hit less. Is any of this sinking in?]
Name Game:

I am not an advocate of stealth unless you can stealth every port and become totally invisible on the net..none of this "I am just not home today stuff" but rather the house is not even there. No footprint.
BTW tanks go on the attack..they are not defensive weapons but rather an offensive.
A fighter is only stealth because of its footprint and SURFACES. And because the frequency and detection capability of your enemy's radar is such they appear invisible.
It worked 10 years ago..does not work today..in fact we are even past ECCM. The new EW tactics would astound you.
You do not have to hit a fighter or bomber "hard enough with anything" just give them something to fly into.
Blackbird:

said by Name Game: ... A fighter is only stealth because of its footprint and SURFACES. And because the frequency and detection capability of your enemy's radar is such they appear invisible. ...

Unless, of course, your enemy is using a sophisticated passive bistatic radar system, in which case your effective radar/electromagnetic 'shadow' is enough to buy you the farm... regardless of your radar "invisibility".