Contributed by J. Webb on from the os-fingerprint-not dept.
poplix@papuasia.org has written up an interesting proof of concept for an alternative to port-knocking-style solutions. It combines PF's support for OS-fingerprint (OSFP) based rules with a userland utility for modifying IP header values. From the write-up: "The idea is to use OS fingerprints as a key. A user can invent a specific sequence of header values that will identify his fake OS, add it to the fingerprints database and use it in the firewall. The result is an OBSD machine that is totally stealth to port scans, but the owner can log into it using his specific set of header values." Full details are here: http://tripp.dynalias.org/p0fspoof.txt
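To make the mechanism concrete, here is a toy model of what PF does when a rule keys on an OS fingerprint: the SYN's window, TTL, DF bit, packet size and option sequence are compared against fingerprint lines (as in /etc/pf.os), and the rule fires on the resulting genre. A privately invented fingerprint therefore works as a "key". The same model also shows the cost of that design: every field making up the key travels in the clear in the SYN, so a sniffed SYN can be re-sent as-is. This is an added example, not code from the p0fspoof write-up or from PF itself; the signature grammar is an assumed, simplified subset of the p0f/pf.os format (window:ttl:df:size:options:genre:details), and every fingerprint line and packet below is constructed for the demo rather than copied from pf.os.

```python
# Added example: simplified model of PF's passive OS-fingerprint matching.
# Not code from the p0fspoof write-up or from PF; grammar and data are assumed.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Syn:
    """Header values of one observed SYN (only what fingerprinting looks at)."""
    window: int
    ttl: int            # TTL as seen on arrival, i.e. after each hop decremented it
    df: bool            # IP don't-fragment flag
    size: int           # total IP datagram length (IP header + TCP header + options)
    options: List[str]  # TCP options in wire order as p0f-style tokens: M<mss>, N, S, W<n>, T


@dataclass
class Signature:
    window: str         # "*" (any), an integer, or "S%n" meaning window == n * MSS
    ttl: int            # initial TTL the sending stack uses
    df: bool
    size: int
    options: List[str]  # tokens as above; "M*" / "W*" accept any MSS / any scale
    genre: str          # the name a pf.conf rule's os "<genre>" would match on
    details: str


def parse_signature(line: str) -> Signature:
    window, ttl, df, size, opts, genre, details = line.split(":", 6)
    return Signature(window, int(ttl), df == "1", int(size),
                     opts.split(",") if opts else [], genre, details)


def _window_ok(spec: str, syn: Syn) -> bool:
    if spec == "*":
        return True
    if spec.startswith("S%"):
        mss = next((int(o[1:]) for o in syn.options if o.startswith("M")), None)
        return mss is not None and syn.window == int(spec[2:]) * mss
    return syn.window == int(spec)


def _option_ok(spec: str, actual: str) -> bool:
    if spec in ("M*", "W*"):
        return actual.startswith(spec[0])
    return spec == actual


def match(sig: Signature, syn: Syn) -> bool:
    """True if the SYN's header values fit the fingerprint."""
    if not _window_ok(sig.window, syn):
        return False
    # The observed TTL has been decremented once per hop; accept up to 31 hops
    # below the initial TTL (an assumed tolerance chosen for the demo).
    if syn.ttl > sig.ttl or sig.ttl - syn.ttl >= 32:
        return False
    if sig.df != syn.df or sig.size != syn.size:
        return False
    if len(sig.options) != len(syn.options):
        return False
    return all(_option_ok(s, a) for s, a in zip(sig.options, syn.options))


def classify(db: List[Signature], syn: Syn) -> Optional[str]:
    """Genre of the first matching fingerprint, or None (a rule keyed on a
    genre then simply does not fire and the default block applies)."""
    for sig in db:
        if match(sig, syn):
            return sig.genre
    return None


def replay(captured: Syn, hops_to_target: int) -> Syn:
    """What a sniffer can re-send: the same window, DF, size and option
    sequence, re-originated from `hops_to_target` hops away."""
    return Syn(captured.window, captured.ttl - hops_to_target,
               captured.df, captured.size, list(captured.options))


# Constructed fingerprint "database".  The first two are stand-ins shaped like
# real entries, not lines copied from pf.os; the third is the owner's invented
# key: a window, TTL and option order that no stock stack produces.
FINGERPRINTS = [
    "S%4:64:1:64:M*,N,N,S,N,W*,N,N,T:OpenBSD:stand-in for a stock OpenBSD entry",
    "65535:128:1:48:M*,N,N,S:Windows:stand-in for a stock Windows entry",
    "4242:255:1:64:M1337,N,N,S,N,W9,N,N,T:KnockOS:owner's private key fingerprint",
]
DB = [parse_signature(line) for line in FINGERPRINTS]

# Constructed packets as they would arrive at the firewall.
OWNER_SYN = Syn(4242, 250, True, 64, ["M1337", "N", "N", "S", "N", "W9", "N", "N", "T"])
STOCK_OPENBSD_SYN = Syn(5840, 60, True, 64, ["M1460", "N", "N", "S", "N", "W0", "N", "N", "T"])
BARE_SCAN_SYN = Syn(1024, 50, False, 40, [])   # option-less SYN, as a simple scanner sends

if __name__ == "__main__":
    for name, syn in [("owner", OWNER_SYN), ("stock OpenBSD", STOCK_OPENBSD_SYN),
                      ("bare scan", BARE_SCAN_SYN),
                      ("replayed owner SYN", replay(OWNER_SYN, 12))]:
        print(f"{name:20s} -> {classify(DB, syn)}")
```

The owner's SYN classifies as KnockOS, a stock client as OpenBSD, and an option-less scanner SYN matches nothing; in a real deployment the KnockOS line would go into the fingerprint file and a pf.conf rule of the form `pass in proto tcp from any os "KnockOS" to (egress) port ssh` would admit it while everything else hits the default block. The last line of the demo is the caveat: a SYN captured on the wire and re-sent from twelve hops away still classifies as KnockOS, because nothing in the "key" is secret once it has been transmitted.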
By Alex Holst (80.160.149.62) on
Skilled attackers (who are able to find new bugs in your OS and running services) can get around something like this. Script kiddies can't get in unless the admin is completely incompetent.
So why bother?
If the log messages from script kiddies are bothering you, teach your log analyser to ignore those specific ones.
By Anonymous Coward (69.70.207.240) on
By Paladdin (213.97.233.52) on
Good security policy would never assume that a hacker will not sniff your packets (in fact, if he can, he will!).
Defending against script kiddies with script-kiddie-like stuff is a nice game, but it provides no security at all.
By Anonymous Coward (208.38.59.80) on
By Anonymous Coward (129.215.16.39) on
http://www.blackhat.com/presentations/bh-usa-04/bh-us-04-worth-up.pdf
This paper describes an implementation of port knocking that uses the same principle behind one-time passwords in order to render sniffing "cleartext" knocking sequences useless.
By m0rf (68.104.17.51) on
By Anonymous Coward (68.106.232.57) on
Just because you can throw another thin film of plastic onto your "layers of security" doesn't mean it'll amount to a hill of beans when you're trying to protect your system. What happens the first time you send your secret fingerprint to the remote system? The packets can be captured and the fingerprint replayed. Game over.
Don't bother with this if you're interested in securing your system. It is a proof of concept. Clever, but of limited utility.
We've been around this carousel before with the locking-down-SSH bit. Don't run sshd on a different port if what you want is *security*. Tighten the reins on your sshd by implementing strong authentication. Firewall it if you can. Certainly rate-limit connections so brute-forcing is more difficult. Don't think you're gaining anything by obfuscating. You don't understand the real threats, and you're misleading yourself. It works if you're trying to protect yourself from talentless kiddies. Why don't you do something that protects your system from knowledgeable attackers? Do that and you'll thwart the kiddies at the same time. Brilliant, really.
And if the noise in your logs irritates you, analyze your logs differently. /usr/bin/less isn't doing the trick for you.
By Anonymous Coward (69.70.207.240) on
By Anonymous Coward (206.132.94.6) on
Yes, they are out there. They're the ones who post responses to "helpes!!! i`m beinG hakced by lots of peoples!" with things like "use portknocking" or "run your_service_here on a different port" instead of things like "choose strong passwords and don't log in from untrusted locations" or "blow away password auth and use something that provides stronger authentication like s/key or pubkey".
The concept is best practice. Do something that has utility and doesn't hinder your normal way of getting in to the system unreasonably. Gidgets and gadgets and neat one-offs like this impose a disproportionate amount of overhead on your setup compared to the minuscule amount of real-world "security" that they provide.
By Anonymous Coward (12.18.141.172) on
By Anonymous Coward (205.240.34.148) on
True, there is no real security through obscurity. But obscurity and security can send a would-be attacker in circles, frustrating his efforts and tying up his resources. They even make software called "honeypots" just for this purpose.
It's all like putting up a fence around your yard. There are many people who can climb a fence, but not many will. Many people will move on just because you have the fence.
Essentially, what you, and everyone else like you, are saying to those who try to bait, confuse, or otherwise mislead an attacker is that you don't need the fence when you have bars on the windows.
When it comes to security, every little bit helps.
By Anonymous Coward (128.171.90.200) on
By Evan Farrer (12.191.193.67) Evan.Farrer+obsd@gmail.com on http://www.cs.utah.edu/~farrer/