Vincent Danen grabbed a keyboard and wrote:
>
> On Sun Jul 28, 2002 at 10:17:41PM -0700, David Guntner wrote:
> >
> > I'm also going to make sure that my FTP server and sshd server are
> > listening to non-standard ports, to make it harder for someone to find an
> > access point.
>
> This is trivial. An nmap scan will give an attacker an idea within
> seconds of where these ports have been re-located. Security through
> obscurity is no security at all. You're better off to disable FTP if
> you don't need it, or if you do, configure your firewall to only allow
> connections from certain IPs. Likewise for ssh. If you're making it
> semi-public (i.e. you need to be able to connect from
> previously-unknown IPs), you may as well leave them where they are and
> work on hardening other parts of your system. Putting FTP on port
> 2020 and SSH on port 4022 will only give you a false sense of
> security.
I agree with you that security through obscurity is no security at all.
However, adding obscurity as a layer on top of existing security certainly
doesn't hurt anything. :-)
I would do as you suggest above, except for the fact that I have no way of
knowing what IP addresses I'm going to want to connect from when I'm
traveling away from home, and I have a few close friends that I've given
accounts to the machine on. They need to be able to access the system from
whatever IP their ISP gives them when they login. I do have sshd
configured to only honor protocol 2 connections, which I understand helps
quite a bit. FTP is needed sometimes, though not often enough that I'll
leave it open for now. File transfers *can* be done through ssh, and I'm
going to tell my friends that do access the system that if they want to
upload/download a file, they'd better get ssh clients that support file
transfer.
--Dave
--
David Guntner GEnie: Just say NO!
http://www.akaMail.com/pgpkey/davidg or key server
for PGP Public key
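The points made in the exchange above (a moved port is only obscurity, protocol 2 only is real hardening, file transfer over ssh lets FTP stay off) as an added example that is not part of the thread: a small audit of an sshd_config. The sample config, the file path for sftp-server and the assumption that an unset Protocol means "2,1" (the OpenSSH default of that era) are all constructed here.

```python
import re

# Constructed sample in the shape the thread describes: port moved, protocol 2
# only, sftp subsystem on so users can transfer files over ssh instead of FTP.
SAMPLE_SSHD_CONFIG = """\
# constructed example, not any real host's sshd_config
Port 4022
Protocol 2
Subsystem sftp /usr/libexec/openssh/sftp-server
"""

def parse_sshd_config(text):
    """Return {keyword: [values...]} in file order. Keywords are case-insensitive,
    'Key value' and 'Key=value' are both accepted, comments are dropped."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"(\S+?)\s*[=\s]\s*(.*)$", line)
        if m:
            directives.setdefault(m.group(1).lower(), []).append(m.group(2).strip())
    return directives

def audit_sshd_config(text):
    """Findings as (level, message). sshd uses the first value given for a keyword."""
    cfg = parse_sshd_config(text)
    findings = []
    # Protocol is the real hardening point raised in the thread. Assumption:
    # an unset Protocol counts as "2,1", the OpenSSH default of that era.
    protocol = cfg.get("protocol", ["2,1"])[0]
    versions = {v.strip() for v in protocol.split(",")}
    if versions == {"2"}:
        findings.append(("ok", "only SSH protocol 2 is accepted"))
    else:
        findings.append(("weak", f"Protocol {protocol} still accepts SSHv1"))
    # A moved port is obscurity only: reported for information, not as hardening.
    port = cfg.get("port", ["22"])[0]
    if port != "22":
        findings.append(("info", f"sshd on port {port}: hidden from casual probes, not from a port scan"))
    # With an sftp subsystem, users can move files over ssh and FTP can stay off.
    if any(v.split()[0] == "sftp" for v in cfg.get("subsystem", [])):
        findings.append(("ok", "sftp subsystem enabled, FTP can stay disabled"))
    else:
        findings.append(("info", "no sftp subsystem: file transfer over ssh limited to scp"))
    return findings

if __name__ == "__main__":
    for level, msg in audit_sshd_config(SAMPLE_SSHD_CONFIG):
        print(f"[{level}] {msg}")
```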