Re: Failed attempts




On 11/27/2017 02:02 PM, m.roth@xxxxxxxxx wrote:
> Pete Biggs wrote:
>>    - don't run ssh on 22, use a different port.
> I consider that pointless security-through-obscurity.
Security through obscurity it may be, but it isn't pointless. Tarpits are in a similar class; they don't help with security in the absolute sense, but they slow the attacker down, and that might be enough to prevent the attack from continuing.  (That is, put a tarpit on port 22 and run the real ssh elsewhere!)  Any and all stumbling blocks you can put in the attacker's way, whether they're 'real' security or not, are worth at least looking at and evaluating for their usefulness.  Port knocking is an extreme form of security through obscurity, in reality, and falls into this class of tools. Likewise fail2ban; all it really does is slow down the attacker.
No, obscurity-increasing tools will not stop the determined attacker, 
but, it is very true that these sorts of measures can and do increase 
the signal-to-noise ratio in your logs; what does get logged will likely 
be much more useful and indicative of a more determined attacker.  
Anything that substantially increases the log's signal to noise is 
useful and not pointless, in my opinion. Anything that slows down the 
attack is even more useful.
I actually have training as a locksmith, with a specialty in 
masterkeying systems like rotating-constant and some obscure variations 
of RCM (this is one of the two masterkey systems explored in the 
infamous (in locksmith circles) paper "Cryptology and Physical Security: 
Rights Amplification in Master-Keyed Mechanical Locks" by Matt Blaze [1] 
[2]).
In physical security all security is, in reality, through obscurity [3] 
(page 2, first paragraph): things like keeping the drill points secret 
(example: in a pin-tumbler lock, if you can drill the shear line, you 
are in; but what if you have extra pins and hidden shear lines?), 
keeping secret what materials are used for the hardplate and their 
interactions with commonly-available drill-bit materials [4], having a 
strategically placed and hidden tear gas vial [5], etc (all of this 
information is publicly available; I'm not spilling any real locksmith 
secrets here).
The real key to effective physical security is not keeping the attacker 
out in an absolute, 'can't possibly break in' sense, but buying time for 
response to the attack; as the attack continues to eat time, the 
attacker will have increasing incentive to leave the premises.
Now, if you want a real eye-opener about physical security, grab a copy 
of "OPEN IN THIRTY SECONDS" from Amazon [6].  That and the key 
reference, Marc Weber Tobias' LSS (Locks, Safes, and Security [7]) are 
fascinating (if expensive) reading and great resources for the sysadmin 
who wants to dig into what is really meant by a security mindset.
[1]: http://www.crypto.com/papers/mk.pdf
[2]: http://www.crypto.com/masterkey.html
[3]: http://www.crypto.com/papers/safelocks.pdf
[4]: https://reassembler.wordpress.com/2008/02/04/drilling-into-a-modern-safe/
[5]: http://www.lockpicking101.com/viewtopic.php?f=8&t=16891
[6]: https://www.amazon.com/OPEN-THIRTY-SECONDS-Cracking-America/dp/0975947923
[7]: https://www.amazon.com/Locks-Safes-Security-International-Reference/dp/0398070792
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
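The "tarpit on 22, real ssh elsewhere" idea from the message above, as an added example that is not part of the original post and not anything the CentOS project ships: a minimal asyncio tarpit in Python. It relies on RFC 4253 section 4.2, which lets a server send arbitrary CRLF-terminated lines (as long as they do not start with "SSH-") before its identification string, so a conforming client keeps waiting while the server trickles junk. The endlessh project is the well-known implementation of this trick; the code below is an independent cut-down version. The line-length cap, the alphabet, the 10-second interval, the bind address and the per-peer accounting are my assumptions, and the real sshd is assumed to already be listening on some other port.

```python
"""Minimal SSH tarpit for port 22 (added example, not code from the post)."""
import asyncio
import random
import string
from typing import Dict, List, Optional, Tuple

# Assumptions (not from the original post): a conservative line-length cap
# and an alphabet with no "-" in it, so a generated line can never begin
# with "SSH-" and be mistaken for the real identification string.
MAX_LINE_LEN = 255
ALPHABET = string.ascii_letters + string.digits


def is_valid_banner_line(line: str) -> bool:
    """RFC 4253 4.2 rules for a pre-identification line, plus the local cap."""
    body = line[:-2]
    return (
        line.endswith("\r\n")
        and "\r" not in body
        and "\n" not in body
        and not line.startswith("SSH-")
        and len(line) <= MAX_LINE_LEN
    )


def banner_line(rng: random.Random) -> str:
    """One junk line: 8..32 alphanumerics followed by CRLF."""
    body = "".join(rng.choice(ALPHABET) for _ in range(rng.randint(8, 32)))
    return body + "\r\n"


def sample_lines(count: int, seed: int = 0) -> List[str]:
    """Deterministic batch of banner lines, for offline checks of the generator."""
    rng = random.Random(seed)
    return [banner_line(rng) for _ in range(count)]


class Tarpit:
    """Accept connections on the decoy port and drip one line per interval."""

    def __init__(self, delay: float = 10.0, seed: Optional[int] = None) -> None:
        self.delay = delay
        self.rng = random.Random(seed)
        # peer -> lines fed so far. Scanners that give up after one line
        # and clients that sit through hundreds look very different here,
        # which is the log signal-to-noise point the post makes.
        self.fed: Dict[Tuple[str, int], int] = {}

    async def handle(self, reader: asyncio.StreamReader,
                     writer: asyncio.StreamWriter) -> None:
        peer = tuple(writer.get_extra_info("peername")[:2])
        self.fed[peer] = 0
        try:
            while True:
                writer.write(banner_line(self.rng).encode("ascii"))
                await writer.drain()          # raises once the peer goes away
                self.fed[peer] += 1
                await asyncio.sleep(self.delay)
        except (ConnectionError, asyncio.IncompleteReadError):
            pass
        finally:
            print(f"{peer[0]}:{peer[1]} held for {self.fed[peer]} lines "
                  f"(~{self.fed[peer] * self.delay:.0f} s)")
            writer.close()

    async def serve(self, host: str = "0.0.0.0", port: int = 22) -> None:
        server = await asyncio.start_server(self.handle, host, port)
        async with server:
            await server.serve_forever()


if __name__ == "__main__":
    # Binding port 22 needs root or CAP_NET_BIND_SERVICE; the real sshd is
    # assumed to be on another port, as the post suggests.
    asyncio.run(Tarpit(delay=10.0).serve())
```

Each held connection costs the tarpit one idle socket and a few bytes every ten seconds, so cap open files (ulimit or a connection limit in the firewall) before putting this in front of the internet. The per-peer line counts printed on disconnect are the part worth shipping to your logs: they separate drive-by scanners from anything that stays.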





