[SATLUG] Re: Questions about home server security: non-standard ports

David Kowis dkowis at shlrm.org
Thu Feb 21 13:50:23 CST 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02/15/2013 04:30 PM, Bruce Dubbs wrote:
> Frank Huddleston wrote:
>> Greetings,
>> 
>> Thanks for the suggestions about security on a home server. I
>> see that one thing people do is use non-standard ports. I have
>> done that myself, but get the feeling that it's just security 
>> through obfuscation and does nothing more than put a little
>> hurdle in the way of a cracker, and increases complexity. So what
>> do you think: is this worthwhile as a security measure?
> 
> In my mind, no.  Each service needs to be secured on it's own, but
> just changing the port number will not be a significant security
> measure. There are only 65K ports.  How long do you think it takes
> for a script to try them all?

There are ways to make that take longer as well.

using the TARPIT target is a great deal of fun. see:
http://xtables-addons.sourceforge.net/modules.php

Basically: it allows a TCP connection to establish, but always
responds with a window size of 0, which is the TCP equivalent of
putting a connection on hold.

This does open your router to a DDOS attack, in that it'll run out of
available memory to handle the connections, but that depends on the
resources of the server. In my use at home, I've never had that problem.

It sticks bots up really well, since they're generally not smart
enough to bail on their connections :)

- --
David

> 
> -- Bruce
> 
> 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQGcBAEBAgAGBQJRJnp/AAoJEMnf+vRw63ObbXIL/17vr2DW4jq/LruPVG7QIaUN
eub0QufvQyhyoAzgPE83G3QMJtK9vtpOQ3/sJTSYaK3wIS8hE7WGTkayT4s8VwFD
z7j0Ieh0fSo3R4nOcQ98ckIlWOOU+V6eMEvCEZQqFt4yCvmGqJZz9DuWZNPuAFfr
IajX+KvRwib+Gb5AbUjhEtIUrdekPZxD0Zs1ZyP/rZY6PfTmwVyL09vqLkGMo+Do
OMYJxV5PbwpWy84yGNPlhUMTfpMyFzcnR6chjBvZ/vahXL2/p35LLLnLE9GbriVA
EuxJ3uUTmBZVjIX8FfXk39GtDNCFdia8dh2oVoEzIS86gA0OGkaQaEJXn2pKR5Vj
NQJVge7gRBiEN3pkE3T4bvpQn5CsvtzDmtxyDD3N+DBvGROpOB56+oUS0Pu0tSTC
eyzl9wpvg11/UtUFnPBtMPhgj0C0CGhIwabHO35S+6+Zz9ivUXqKs28ir4URcOL+
BCTSVtDQVSRJoSedi3dfxmebKyG/YPOcZ2rpPzq8QQ==
=mQ03
-----END PGP SIGNATURE-----


More information about the SATLUG mailing list