[SATLUG] Why are my ports 135, 139, and 445 open?

Henry Pugsley henry.pugsley at gmail.com
Sat Dec 26 12:17:52 CST 2009

On Sat, Dec 26, 2009 at 12:08 PM, Don Davis <dondavis at reglue.org> wrote:
>> The only time I use DROPs on my system is during a DoS attack, because
>> it makes the attacker think that the system is offline, giving the
>> appearance of a successful attack :)
> What about TARPIT?
> What do you think of changing the SSH banner after moving SSH to listen on a
> non-standard port?

Tarpits are useful when you have a service that you can't hide (like
SMTP) and you want to slow down malicious users and still allow
legitimate users to connect.  If you can spot an attack signature and
make the connection hang, it keeps the attacker online longer and
slows down their retry rate.

I never saw the need to change an SSH banner except when working for
federal or state agencies, or hospitals that require some kind of
security warning.  I don't think it changes the method or degree of
prosecution if someone breaks into a private system, regardless of
banner.  It's kind of like putting a sign on a locked door "Don't
break in here", because it's fairly obvious that you're not supposed
to break in...
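
The tarpit idea from the reply above, as an added example that is not part of the original post: a loopback SMTP-style listener that greets patient clients at once and drip-feeds an unfinished greeting to clients matching a signature. The signature used (sending data before the server's banner), the timing constants, the hold cap and the hostnames are assumptions chosen for the demonstration.

```python
import asyncio
GREET_WAIT = 0.2   # assumed: how long to listen for an early talker before greeting
DRIP_EVERY = 0.3   # assumed: pause between tarpit bytes (demo value; real ones are longer)
MAX_HOLD = 30.0    # assumed: cap per held connection so the tarpit cannot exhaust the host
BANNER = b"220 mail.example.test ESMTP\r\n"   # constructed hostname

async def tarpit(writer):
    """Send an endless multi-line 220 greeting one byte at a time."""
    while True:
        for b in b"220-please wait\r\n":      # "220-" marks a continuation line
            writer.write(bytes([b]))
            await writer.drain()
            await asyncio.sleep(DRIP_EVERY)

async def handle(reader, writer):
    """Signature (assumed): the client sends data before the server has greeted it."""
    try:
        try:
            early = await asyncio.wait_for(reader.read(1), GREET_WAIT)
        except asyncio.TimeoutError:
            early = None                      # client waited politely
        if early:                             # spoke first: hold it in the tarpit
            await asyncio.wait_for(tarpit(writer), MAX_HOLD)
        elif early is None:                   # b"" would mean the client already left
            writer.write(BANNER)
            await writer.drain()
            await reader.read(1024)           # a real SMTP dialogue would continue here
    except (asyncio.TimeoutError, ConnectionError):
        pass
    finally:
        writer.close()

async def client(port, talk_first, window=1.0):  # constructed test client
    reader, writer = await asyncio.open_connection("127.0.0.1", port)
    if talk_first:
        writer.write(b"EHLO client.example.test\r\n")
    await asyncio.sleep(window)               # let the server answer at its own pace
    data = await asyncio.wait_for(reader.read(4096), 1.0)
    writer.close()
    return data                               # everything received within the window

async def demo():
    server = await asyncio.start_server(handle, "127.0.0.1", 0)
    port = server.sockets[0].getsockname()[1]
    polite, hasty = await asyncio.gather(client(port, False), client(port, True))
    server.close()
    return polite, hasty
def run_demo():
    return asyncio.run(demo())
```

`run_demo()` returns what each client received in one second: the full banner for the patient client and only the first few bytes of the greeting for the flagged one.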


