[Catalyst] Re: Encrypt /Decrypt URI
Joe Landman
landman at scalableinformatics.com
Sat May 19 13:19:56 GMT 2007
Daniel Hulme wrote:
> On Sat, May 19, 2007 at 12:24:07PM +0200, A. Pagaltzis wrote:
>> all you need. F.ex., it would be dumb to run sshd on a port other
>> than 22, hoping that no one finds it. But if you keep track of
>
> Not really. I run sshd on my home box on a non-default port, because I
> was fed up of worms running their dictionaries of uname/password combos
> against it, eating my bandwidth and driving my loadavg up the wall. I
Pam_abl is your friend
http://www.hexten.net/wiki/index.php/Pam_abl
> keep the box up to date, and my password is non-trivial, so it's not my
> only defence, but it makes life easier for me.
nmap makes it easy to find open ports. A script kiddie could run it.
If you want something that provides non-trivial "obscurity", look into
port knocking. You can make the "knocks" as complex as you wish (thus
reducing the possibility of such things being triggered accidentally).
Then again, pam_abl, knocking, obscurity, etc., are passive defense
postures. The user of such technologies needs to understand that none
of them by themselves will guarantee security. In combination none will
guarantee security. But layered defenses give you time to deal with
inbound attackers. You can also employ active defensive postures if
desired. Regardless, for every bit of security, there is a compromise
of that security. The trick is to engineer the compromises to be hard.
Get enough layers of hard, and the target becomes harder to crack than
others that don't.
It also helps to be unabashedly paranoid. They are out to get you, and
we have the log traces to prove it. :(
--
joe
landman at scalableinformatics.com
www.scalableinformatics.com
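The dictionary-attack traffic Daniel describes, and the per-source failure counting that makes pam_abl useful against it, illustrated with an added Python example (written for this page, not pam_abl's or Catalyst's own code). The auth.log lines are constructed, and the threshold and window values are assumed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches OpenSSH "Failed password" lines as sshd writes them to auth.log.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample log lines (not from any real host); 203.0.113.9 is a
# worm running a username list, 192.0.2.7 is a legitimate user fat-fingering.
SAMPLE_LOG = """\
May 19 13:01:02 home sshd[4021]: Failed password for invalid user admin from 203.0.113.9 port 51234 ssh2
May 19 13:01:05 home sshd[4023]: Failed password for invalid user oracle from 203.0.113.9 port 51240 ssh2
May 19 13:01:09 home sshd[4025]: Failed password for root from 203.0.113.9 port 51251 ssh2
May 19 13:01:12 home sshd[4027]: Accepted publickey for joe from 192.0.2.7 port 40000 ssh2
May 19 13:01:20 home sshd[4029]: Failed password for invalid user test from 203.0.113.9 port 51260 ssh2
May 19 13:07:30 home sshd[4031]: Failed password for joe from 192.0.2.7 port 40010 ssh2
May 19 13:09:00 home sshd[4033]: Failed password for joe from 192.0.2.7 port 40012 ssh2
"""


def parse_ts(s, year=2007):
    # syslog timestamps carry no year; assume one (2007 matches the thread date)
    return datetime.strptime(f"{year} {s}", "%Y %b %d %H:%M:%S")


def find_dictionary_attackers(log_text, threshold=4, window_seconds=600):
    """Return {ip: timestamp} for each source that produced `threshold` or more
    failed password attempts inside any span of `window_seconds`.
    Sliding window per source IP, the same failure counting pam_abl does
    before it blacklists a host (threshold/window are assumed values)."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue              # accepted logins and other noise are ignored
        ts = parse_ts(m["ts"])
        q = recent[m["ip"]]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()           # drop failures that fell out of the window
        if len(q) >= threshold and m["ip"] not in flagged:
            flagged[m["ip"]] = ts  # record when the source crossed the line
    return flagged


if __name__ == "__main__":
    for ip, when in find_dictionary_attackers(SAMPLE_LOG).items():
        print(f"{ip} crossed {4} failures at {when:%H:%M:%S}")
```

With the defaults only the worm is flagged; lowering the threshold to 2 also catches the human, and shrinking the window to 60 seconds lets the human's two slow failures through again.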