[NBLUG/talk] I'm getting ssh scanned! Should I be worried?

Augie Schwer augie.schwer at gmail.com
Thu Oct 7 14:11:36 PDT 2004



On Mon, 4 Oct 2004 13:25:32 -0700, troy <fryman at sonic.net> wrote:
> I have a php script whose name is hopefully tough to guess sitting on my
> webserver.  Its purpose is to write out a file with the ip address of
> the person who hits that page.  Then, in /etc/hosts.allow I have:
> sshd: 192.168.9.  #and so on, for ip's that I trust.
> sshd: /path/to/ip.txt

Troy,

While it is unlikely, anyone paying attention (and sniffing the wire) would
be able to figure out what was going on and add themselves to the list.

This seems to be akin to "Port Knocking" and security through obscurity.

Plus it doesn't look like you are removing old entries. So once you surf
to your secret page and add your IP it stays there until you surf to it again
and add another IP. So in the meantime the IP is a "good" IP.

All an attacker would have to do is spoof or obtain the good IP during 
your session or after you are done and they are allowed SSH access.

Like I said, it is all very unlikely, but I would advise caution when trusting
security through obscurity.

Augie.

P.S., I know Troy, and I know he is a bad ass, so none of the above is
meant as any kind of personal attack; just an intellectual discussion.


-- 
Registered Linux user #229905
GPG Public Key: http://www.schwer.us/schwer.asc
Key fingerprint = 9815 AE19 AFD1 1FE7 5DEE 2AC3 CB99 2784 27B0 C072


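The reply above points out that an IP added to the allow file is never removed. As an added example (not part of the original message or Troy's script), here is one way to expire entries from a cron job. It assumes the web script appends "ip epoch-seconds" lines to a state file and that hosts.allow reads a separate, regenerated ip.txt; the four-hour lifetime, the state format and all function names are hypothetical.

```python
import ipaddress
import os
import tempfile

TTL_SECONDS = 4 * 3600  # assumed policy: an entry is trusted for four hours


def parse_state(text):
    """Parse 'ip epoch' lines; keep the newest timestamp per valid IP."""
    seen = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # malformed line: ignore rather than trust
        try:
            ip = str(ipaddress.ip_address(parts[0]))
            stamp = int(parts[1])
        except ValueError:
            continue  # not an IP literal or not an integer timestamp
        seen[ip] = max(stamp, seen.get(ip, 0))
    return seen


def fresh_entries(seen, now, ttl=TTL_SECONDS):
    """Sorted IPs last seen within ttl; future-dated entries are dropped."""
    return sorted(ip for ip, stamp in seen.items() if 0 <= now - stamp <= ttl)


def write_allowlist(path, ips):
    """Atomically replace the file that hosts.allow references."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory)
    with os.fdopen(fd, "w") as handle:
        handle.write("".join(ip + "\n" for ip in ips))
    os.chmod(tmp, 0o644)  # the wrapper library must be able to read it
    os.replace(tmp, path)  # readers never see a half-written list


def expire(state_text, allowlist_path, now):
    """Rewrite the allow file with unexpired entries; return them."""
    ips = fresh_entries(parse_state(state_text), now)
    write_allowlist(allowlist_path, ips)
    return ips


# Constructed sample state: documentation addresses, made-up timestamps.
SAMPLE_STATE = """\
192.0.2.10 1097100000
198.51.100.7 1097100000
198.51.100.7 1097180000
203.0.113.5 1097181000
not-an-ip 1097181000
"""
SAMPLE_NOW = 1097183496
```

Expiry only shortens the window in which a listed address stays trusted; it does nothing about the sniffing concern raised in the same reply.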



