by RawInfoSec 3668 days ago
There's a number of things I disagree with in the article, but it does have a few good points.

Here's what I disagree with and why:

- Portknocking. I've found from experience that it's far better to allow SSH access (for example) from only known IP addresses. Portknocking is far too easy to beat and really doesn't impede much.

- Non-standard ports. Sure, if you're only interested in blocking bulk network scanners that limit themselves to known ports. Any manual scan or a solid in-depth scan is going to map every one of the lower 1024 ports, and possibly the rest depending on how interesting the target is.

- The Tank camouflage example. It all sounds fine and dandy until a maintenance crew roam the desert for 10 days looking for a tank they can no longer see. Same with security and IT... obscurity leads to lots of wasted time when newer techs try to diagnose things that aren't as they seem, and are undocumented. Not only that, but since the enemy knows that the new armour requires a special ammunition to beat, they will just throw new ammo at everything that moves in case it is a tank. i.e. you're going to scan for hidden SSIDs, you're going to nmap every port, etc., etc. Takes more time, but you still get in.

- If there's a 0-day SSH vector, it's getting owned no matter which port it's on unless your security team are on top of patching. What if the new-hire that's told to go patch all the SSH servers accidentally misses the undocumented one that's running on port 24? It also doesn't matter if there are 10x more hits on port 22 than 24. All it takes is 1. It's that simple.

I just don't think obscurity belongs in an environment where clarity matters so much.


> Portknocking is far too easy to beat and really doesn't impede much.

If you have to guess a random 3 port sequence in a 65k port space, how long will it take you to break? At 1 try of 3 ports per second I get almost 9 million years for exhaustive search.

Why guess when you can just sniff the network for the sequence?

Port knocking requires the network that you're using to knock is in fact as secure and trusted as the one you're knocking. So there's really no point as you could easily just limit SSH access to that network and save yourself all the bother and risk.
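A worked illustration, added here and not from any commenter in the thread: the search-space arithmetic behind the "9 million years" figure, beside a minimal knock-sequence state machine of the kind a knockd-style daemon runs, so the two sides of the argument (the sequence is hard to guess blind, but a single plaintext replay of it opens the port) can be seen concretely. The secret sequence, time window and IP addresses are constructed values.

```python
"""Port-knock search space and a minimal knock verifier (constructed example)."""
from dataclasses import dataclass, field

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def exhaustive_search_years(seq_len: int, port_space: int = 65536,
                            tries_per_sec: float = 1.0) -> float:
    """Years needed to try every ordered sequence of seq_len ports,
    at tries_per_sec complete-sequence attempts per second."""
    return port_space ** seq_len / tries_per_sec / SECONDS_PER_YEAR


@dataclass
class KnockVerifier:
    """Tracks, per source IP, how far through the secret sequence a client is.
    A wrong port or a stale knock resets progress; finishing the sequence
    'opens' the protected service for that IP (here just recorded in a set).
    Note that nothing here is secret on the wire: anyone who observes one
    successful run sees exactly the ports that were knocked, in order."""
    secret: tuple            # e.g. (7000, 8000, 9000); constructed value
    window: float = 10.0     # max seconds allowed between consecutive knocks
    progress: dict = field(default_factory=dict)  # ip -> (next_index, last_time)
    opened: set = field(default_factory=set)

    def knock(self, src_ip: str, port: int, now: float) -> bool:
        idx, last = self.progress.get(src_ip, (0, now))
        if now - last > self.window:
            idx = 0              # sequence expired; client must start over
        if port == self.secret[idx]:
            idx += 1             # correct next port in the sequence
        else:
            # any wrong port resets; a hit on the first port restarts at 1
            idx = 1 if port == self.secret[0] else 0
        if idx == len(self.secret):
            self.opened.add(src_ip)
            self.progress.pop(src_ip, None)
            return True
        self.progress[src_ip] = (idx, now)
        return False


if __name__ == "__main__":
    print(f"3-port sequence, 1 try/s: {exhaustive_search_years(3):,.0f} years")
    v = KnockVerifier(secret=(7000, 8000, 9000))
    for t, p in enumerate((7000, 8000, 9000)):
        print(f"knock {p} at t={t}: opened={v.knock('10.0.0.1', p, float(t))}")
```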