[rescue] A perverse thought (SGI security division)

Thomas Gallaway rescue at port11.net
Thu Mar 11 15:49:07 CST 2004

How about just changing the port of ssh to something high up where
scriptkiddies won't look.
All this is good and fine but why even bother getting a scriptkiddie mad?
What if they unwrap their full extent of DDoS machines they have in their
arsenal onto your IP?

Then again I have run sshd on my home machine on cable for a while now and
I get those scans all the time. I just keep my ssh up to date. If you cannot
keep that ssh up to date why not put up some FreeBSD machine that you can
keep ssh up to date, then just ssh into that machine and from there you can
access all your other machines on the internal LAN?

There are already firewalls that will actually analyze the traffic and if
there is an attack going on to, for example, port 80 then they will divert
that traffic to a honeypot machine. So all the legit traffic goes to the
legit webserver, and once a machine tries to attack that machine the traffic
gets diverted to a honeypot.   http://violating.us/projects/baitnswitch/

-- Thomas

Sheldon T. Hall wrote:

> Caleb Shay suggests ...
>>How about this:
>>1. Unauthorized connection logged
>>2. SGI tells firewall to add a tarpit on all ports for offending IP
>>3. Script kiddie now gets uncloseable sockets when they try to ssh in
>>4. Potentially they get uncloseable sockets during the portscan
>>depending on how fast the rules get updated. The portscan never
>>finishes AND it likely forces them to reboot to free up the sockets
>>No fiddling with stopping/restarting sshd/inetd and keeping valid
>>users from connecting.
>>Handles case where somebody runs a ip/portscan all night and then
>>tries to connect to anything interesting it found in the morning.  You
>>never need to remove the tarpit rules.
>>Script kiddie's scanner now hangs the next time they scan your machine
>Yeah, I like that even better!
>I just have to get a better firewall than a "DSL router" to implement that
>sort of thing!
>Hmmm.  That brings up another idea ... what if the "standard" response for a
>closed port was a fake "open" response?  I.e. if port 23 on every IP address
>on the planet replied with
>	login:
>and just ignored the input, port-scanning pimply-faced script-kiddies would
>find the going a lot tougher.  Looking for an open port, instead of being
>like looking for a needle in a haystack, would be like looking for a
>curare-dipped needle in a needle factory: it would take some work to know if
>the one you found was the one you wanted.
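
Steps 1 and 2 of the quoted tarpit idea (log the unauthorized connection, then hand the offending IP to the firewall), sketched as an added example that is not part of the original thread. It assumes OpenSSH-style syslog lines and a Linux firewall with the xtables-addons `TARPIT` target; the sample log, the threshold and the allowlisted LAN range are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Anchored at end of line: the user name is attacker-controlled and may itself
# contain " from <ip> port <n>", so only the trailing address is trusted.
FAILED = re.compile(
    r"sshd\[\d+\]: (?:Failed password|Invalid user) .* from (\S+) port \d+(?: ssh2)?$"
)

# Constructed sample log lines (documentation address ranges).
SAMPLE_LOG = [
    "Mar 11 03:12:01 gw sshd[411]: Failed password for root from 203.0.113.9 port 40001 ssh2",
    "Mar 11 03:12:03 gw sshd[411]: Invalid user admin from 203.0.113.9 port 40002",
    # User name crafted to frame 192.0.2.1; the real peer is the last address.
    "Mar 11 03:12:05 gw sshd[412]: Failed password for invalid user x from 192.0.2.1"
    " port 22 from 203.0.113.9 port 40003 ssh2",
    "Mar 11 03:20:10 gw sshd[420]: Failed password for root from 198.51.100.7 port 51000 ssh2",
    "Mar 11 08:01:00 gw sshd[501]: Accepted password for tom from 10.0.0.5 port 52001 ssh2",
] + ["Mar 11 08:00:00 gw sshd[500]: Failed password for tom from 10.0.0.5 port 52000 ssh2"] * 3

# Assumed internal LAN: a valid user who mistypes a password is never tarpitted.
ALLOW = [ipaddress.ip_network("10.0.0.0/8")]


def offenders(lines, threshold=3, allow=ALLOW):
    """Return source IPs with at least `threshold` failed ssh attempts."""
    counts = Counter()
    for line in lines:
        m = FAILED.search(line.rstrip())
        if not m:
            continue
        try:
            # Strict parse: nothing from the log reaches a rule unvalidated.
            ip = ipaddress.IPv4Address(m.group(1))
        except ValueError:
            continue
        if any(ip in net for net in allow):
            continue
        counts[ip] += 1
    return sorted(str(ip) for ip, n in counts.items() if n >= threshold)


def tarpit_rules(ips):
    """Render one rule per offender; TARPIT only applies to TCP."""
    return [f"iptables -I INPUT -s {ip} -p tcp -j TARPIT" for ip in ips]


if __name__ == "__main__":
    print("\n".join(tarpit_rules(offenders(SAMPLE_LOG))))
```

The rules are only printed, so they can be reviewed before anything is loaded into the firewall.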
