On Mon Jul 29, 2002 at 07:56:32PM -0700, David Guntner wrote: > > > I'm also going to make sure that my FTP server and sshd server are > > > listening to non-standard ports, to make it harder for someone to find an > > > access point. > > > > This is trivial. An nmap scan will give an attacker an idea within > > seconds of where these ports have been re-located. Security through > > obscurity is no security at all. You're better off to disable FTP if > > you don't need it, or if you do, configure your firewall to only allow > > connections from certain IPs. Likewise for ssh. If you're making it > > semi-public (ie. you need to be able to connect from > > previously-unknown IPs), you may as well leave them where they are and > > work on hardening other parts of your system. Putting FTP on port > > 2020 and SSH on port 4022 will only give you a false sense of > > security. > > I aggee with you that security through obscurity is no security at all. > However, adding obscurity as a layer on top of existing security certainly > doesn't hurt anything. :-)
It doesn't, but it also doesn't really accomplish anything except add an extra layer of complexity to your own life. =) > I would do as you suggest above, except for the fact that I have no way of > knowing what IP addresses I'm going to want to connect from when I'm > traveling away from home, and I have a few close friends that I've given > accounts to the machine on. They need to be able to access the system from > whatever IP their ISP gives them when they login. I do have sshd > configured to only honor protocol 2 connections, which I understand helps > quite a bit. FTP is needed sometimes, though not often enough that I'll > leave it open for now. File transfers *can* be done through ssh, and I'm > going to tell my friends that do access the system that if they want to > upload/download a file, they'd better get ssh clients that support file > transfer. My suggestions: Disable FTP. Use scp or sftp. Protocol2 is a good start, but enforce key-based logins only (ie. disable password authentication). This way no one can attempt to brute force your system, they have to have a key, and know it's passphrase, in order to get in. That's how I have my systems setup. I find it a lot more reliable. And putty, for instance, can do both keys and scp (although I'm not sure if it can do V2 keys with the latest versions of openssh, it may only be able to do V1). -- MandrakeSoft Security; http://www.mandrakesecure.net/ "lynx -source http://www.freezer-burn.org/bios/vdanen.gpg | gpg --import" {GnuPG: 1024D/FE6F2AFD : 88D8 0D23 8D4B 3407 5BD7 66F9 2043 D0E5 FE6F 2AFD}
msg56665/pgp00000.pgp
Description: PGP signature
