Question about visibility


Question about visibility

Andrew Hardy

I realise this is not specifically a BIND/DNS question and is a bit off
topic, so please ignore it if need be; I realise people are often very busy.

If you have a website but do not list the host IP with any domain name in
DNS, is it definite that this site could never be reached via Google? I
do not really know the nuts and bolts of how Google gets access to pages.

If, for 'some particular reason', instead of developing a site on a local
dev machine on your LAN and then uploading/installing the site to a
remote server, you needed 'for whatever reason' to do the development
and testing on the final live host, accessing it via the IP address,
would this be a way to be 'almost certain' of keeping it hidden from
unwanted accidental exposure?

Thanks.


_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users

Re: Question about visibility

Warren Kumari


On Thu, Oct 11, 2018 at 1:26 PM Admin Hardy <[hidden email]> wrote:

I realise this is not specifically a BIND/DNS question and is a bit off
topic, so please ignore it if need be; I realise people are often very busy.

If you have a website but do not list the host IP with any domain name in
DNS, is it definite that this site could never be reached via Google? I
do not really know the nuts and bolts of how Google gets access to pages.

If, for 'some particular reason', instead of developing a site on a local
dev machine on your LAN and then uploading/installing the site to a
remote server, you needed 'for whatever reason' to do the development
and testing on the final live host, accessing it via the IP address,
would this be a way to be 'almost certain' of keeping it hidden from
unwanted accidental exposure?


Nope. It is somewhat less likely that it would be discovered / accidentally exposed, but it is *far* from certain.

If you were wanting to do something like this, I'd suggest having a DNS name (because that makes it easier), but firewalling it off so that only "authorized" people can reach it. This could be something like iptables, a VPN, or, more likely / less annoying, simply having your webserver require a login to access the content...

W


 
Thanks.




--
I don't think the execution is relevant when it was obviously a bad idea in the first place.
This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants.
   ---maf


Re: Question about visibility

Sten Carlsen
In reply to this post by Andrew Hardy
I did this some time ago. I made sure that there was no link from any page to the new site; Google stayed away until somebody typed the address into the search field, then it was known.

This is no guarantee of course, as mentioned elsewhere, but it worked for about 6 months.

On 11/10/2018 13.26, Admin Hardy wrote:

I realise this is not specifically a BIND/DNS question and is a bit off topic, so please ignore it if need be; I realise people are often very busy.

If you have a website but do not list the host IP with any domain name in DNS, is it definite that this site could never be reached via Google? I do not really know the nuts and bolts of how Google gets access to pages.

If, for 'some particular reason', instead of developing a site on a local dev machine on your LAN and then uploading/installing the site to a remote server, you needed 'for whatever reason' to do the development and testing on the final live host, accessing it via the IP address, would this be a way to be 'almost certain' of keeping it hidden from unwanted accidental exposure?

Thanks.


_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users


_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users
Reply | Threaded
Open this post in threaded view
|

Re: Question about visibility

Hardy, Andrew
Ok, I'm a bit confused.  I have some questions re the last post, copied below:

I did this some time ago. I made sure that there was no link from any page to the new site;
** So the new site (in development) would have no domain name mapped in DNS, so it seems unlikely that other sites and pages would have links to http://x.x.x.x unless the developer put them there.

Google stayed away until somebody typed the address
** You mean typed the IP address? In an actual Google search string?

 into the search field, then it was known.
** So typing the host IP address as a Google search string would (ultimately) in time lead to a Google search string, that could be found on the site's web pages, listing pages from the site?

This is no guarantee of course, as mentioned elsewhere, but it worked for about 6 months.
** Ok, so even if you don't formally register/index (or whatever it is) your site on Google, if you use its IP in a search string, given time it could show up in searches using text that's on its pages?


Just to say thank you so much for people commenting.  I do appreciate you taking the time.



On Thu, Oct 11, 2018, 14:50 Sten Carlsen <[hidden email]> wrote:
I did this some time ago. I made sure that there was no link from any page to the new site; Google stayed away until somebody typed the address into the search field, then it was known.

This is no guarantee of course, as mentioned elsewhere, but it worked for about 6 months.

On 11/10/2018 13.26, Admin Hardy wrote:

I realise this is not specifically a BIND/DNS question and is a bit off topic, so please ignore it if need be; I realise people are often very busy.

If you have a website but do not list the host IP with any domain name in DNS, is it definite that this site could never be reached via Google? I do not really know the nuts and bolts of how Google gets access to pages.

If, for 'some particular reason', instead of developing a site on a local dev machine on your LAN and then uploading/installing the site to a remote server, you needed 'for whatever reason' to do the development and testing on the final live host, accessing it via the IP address, would this be a way to be 'almost certain' of keeping it hidden from unwanted accidental exposure?

Thanks.



Re: Question about visibility

Sten Carlsen
Please see below.

On 11/10/2018 18.13, Hardy, Andrew wrote:
Ok, I'm a bit confused.  I have some questions re the last post, copied below:

I did this some time ago. I made sure that there was no link from any page to the new site;
** So the new site (in development) would have no domain name mapped in DNS, so it seems unlikely that other sites and pages would have links to http://x.x.x.x unless the developer put them there.
Actually I had DNS for this.

Google stayed away until somebody typed the address
** You mean typed the IP address? In an actual Google search string?
Something in a search string; if it contains the address, visits from the bots are next to come. That is my experience for this and some other cases.

 into the search field, then it was known.
** So typing the host IP address as a Google search string would (ultimately) in time lead to a Google search string, that could be found on the site's web pages, listing pages from the site?
This is my experience. I did this when I wanted the site to be known to the world.

This is no guarantee of course, as mentioned elsewhere, but it worked for about 6 months.
** Ok, so even if you don't formally register/index (or whatever it is) your site on Google, if you use its IP in a search string, given time it could show up in searches using text that's on its pages?
Time in this case is days or less.

There are also bots that search random IP addresses for content. The only way to keep those away that I know of is to have a welcome page at http://xx.xx/index.html and to use e.g. http://xx.xx/test/mynewsite/index.html for my test site.
Bots will find the welcome page, and if that does not have a link to mynewsite, they do not know that there is something to look at.
This has worked for me as well for quite some time; again, if it hits a search in any search engine, you're done.


Just to say thank you so much for people commenting.  I do appreciate you taking the time.
You're welcome.



On Thu, Oct 11, 2018, 14:50 Sten Carlsen <[hidden email]> wrote:
I did this some time ago. I made sure that there was no link from any page to the new site; Google stayed away until somebody typed the address into the search field, then it was known.

This is no guarantee of course, as mentioned elsewhere, but it worked for about 6 months.

On 11/10/2018 13.26, Admin Hardy wrote:

I realise this is not specifically a BIND/DNS question and is a bit off topic, so please ignore it if need be; I realise people are often very busy.

If you have a website but do not list the host IP with any domain name in DNS, is it definite that this site could never be reached via Google? I do not really know the nuts and bolts of how Google gets access to pages.

If, for 'some particular reason', instead of developing a site on a local dev machine on your LAN and then uploading/installing the site to a remote server, you needed 'for whatever reason' to do the development and testing on the final live host, accessing it via the IP address, would this be a way to be 'almost certain' of keeping it hidden from unwanted accidental exposure?

Thanks.



Re: Question about visibility

Barry Margolin
In reply to this post by Andrew Hardy
In article <[hidden email]>,
 Admin Hardy <[hidden email]> wrote:

> I realise this is not specifically a BIND/DNS question and is a bit off
> topic, so please ignore it if need be; I realise people are often very busy.
>
> If you have a website but do not list the host IP with any domain name in
> DNS, is it definite that this site could never be reached via Google? I
> do not really know the nuts and bolts of how Google gets access to pages.
>
> If, for 'some particular reason', instead of developing a site on a local
> dev machine on your LAN and then uploading/installing the site to a
> remote server, you needed 'for whatever reason' to do the development
> and testing on the final live host, accessing it via the IP address,
> would this be a way to be 'almost certain' of keeping it hidden from
> unwanted accidental exposure?
If you accidentally, or someone else intentionally, create a link to the
site that uses the IP and put it on a web page that Google can get to,
it will probably find the page.

--
Barry Margolin
Arlington, MA


Re: Question about visibility

Leonardo Rodrigues
On 11/10/18 16:13, Barry Margolin wrote:
>
> If you accidentally, or someone else intentionally, create a link to the
> site that uses the IP and put it on a web page that Google can get to,
> it will probably find the page.
>
>

     robots.txt, on your website root, is your friend. Simply deny web
crawling on it, and you're (probably) done.



--


        Atenciosamente / Sincerely,
        Leonardo Rodrigues
        Solutti Tecnologia
        http://www.solutti.com.br

        My SPAM trap, do NOT send email to it
        [hidden email]
        My SPAMTRAP, do not email it




Re: Question about visibility

Dennis Clarke
On 10/11/2018 03:21 PM, Leonardo Rodrigues wrote:

> On 11/10/18 16:13, Barry Margolin wrote:
>>
>> If you accidentally, or someone else intentionally, create a link to the
>> site that uses the IP and put it on a web page that Google can get to,
>> it will probably find the page.
>>
>>
>
>      robots.txt, on your website root, is your friend. Simply deny web
> crawling on it, and you're (probably) done.
>

If you believe robots.txt means anything at all.

Dennis


Re: Question about visibility

Barry Margolin
In article <[hidden email]>,
 Dennis Clarke <[hidden email]> wrote:

> On 10/11/2018 03:21 PM, Leonardo Rodrigues wrote:
> > On 11/10/18 16:13, Barry Margolin wrote:
> >>
> >> If you accidentally, or someone else intentionally, create a link to the
> >> site that uses the IP and put it on a web page that Google can get to,
> >> it will probably find the page.
> >>
> >>
> >
> >      robots.txt, on your website root, is your friend. Simply deny web
> > crawling on it, and you're (probably) done.
> >
>
> If you believe robots.txt means anything at all.
Google is known to obey it, and the question was about avoiding getting
your site indexed by Google.

Of course, that doesn't mean someone won't find the site on their own.
If the link to it is on some other page that isn't blocked by
robots.txt, someone might stumble across that page and then click on the
link.

But if you're mainly worried about someone googling the words that are
on your website and Google sending them to the development version
instead of the production version, you're pretty safe.

Actually, DNS has very little impact on this at all. AFAIK, Google
doesn't crawl DNS, it just crawls web pages and follows links. My
company's development server is in DNS, and it's not firewalled (we all
work from our homes, there's no company network to restrict access
with), but I've never heard of anyone accidentally being directed there
by Google, because we don't publish links to this server.

--
Barry Margolin
Arlington, MA

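Warren's suggestion earlier in the thread (firewall the development site off, or make the web server require a login) and the robots.txt debate in the last few replies, brought together in one added example that is not from any poster here: a constructed dev site serves a robots.txt that disallows everything, which only cooperating crawlers honour, and answers every other path with a 401 unless the client is on an allowlisted network or presents valid HTTP Basic credentials. The addresses, network, user and password are assumptions.

```python
"""
Added example (not from the thread): robots.txt is a request, a login or
allowlist is enforcement. The dev site below is constructed; its address
(203.0.113.5), the allowlisted network, the user and the password are all
assumptions.
"""
import base64
import hmac
import ipaddress
import urllib.robotparser

# What a cooperating crawler (Googlebot and friends) is asked to do: nothing.
ROBOTS_TXT = "User-agent: *\nDisallow: /\n"

# Constructed allowlist: the developer's own network (RFC 5737 documentation range).
ALLOWED_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed credentials. A real deployment stores a password hash, not the password.
USERS = {"dev": "correct horse battery staple"}


def client_allowed(client_ip: str) -> bool:
    """True if the request's source address is inside an allowlisted network."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_NETS)


def basic_auth_ok(auth_header) -> bool:
    """Validate an 'Authorization: Basic <base64 user:password>' header."""
    if not auth_header or not auth_header.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(auth_header[len("Basic "):], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return False
    user, sep, password = decoded.partition(":")
    if not sep or user not in USERS:
        return False
    # Constant-time comparison: a wrong guess must not reveal how many
    # leading characters matched.
    return hmac.compare_digest(password.encode(), USERS[user].encode())


def handle_request(path: str, client_ip: str, auth_header=None):
    """Return (status, headers, body) for one request to the dev site."""
    if path == "/robots.txt":
        # Served unauthenticated on purpose: Disallow is only honoured by
        # crawlers that are able to fetch and read it.
        return 200, {"Content-Type": "text/plain"}, ROBOTS_TXT
    if client_allowed(client_ip) or basic_auth_ok(auth_header):
        return 200, {"Content-Type": "text/html"}, "<h1>dev site</h1>"
    # Everyone else, including a bot that ignores robots.txt, gets a
    # challenge and no page text, so nothing reaches an index this way.
    return 401, {"WWW-Authenticate": 'Basic realm="dev"'}, "Unauthorized"


def cooperating_crawler_may_fetch(user_agent: str, url: str) -> bool:
    """What a crawler that honours robots.txt concludes about this site."""
    rp = urllib.robotparser.RobotFileParser()
    rp.parse(ROBOTS_TXT.splitlines())
    return rp.can_fetch(user_agent, url)


def basic_header(user: str, password: str) -> str:
    """Build the header a browser sends after answering the login prompt."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


if __name__ == "__main__":
    site = "http://203.0.113.5/index.html"  # constructed dev-site address
    print("Googlebot honouring robots.txt fetches /index.html:",
          cooperating_crawler_may_fetch("Googlebot", site))
    for who, ip, hdr in [
        ("random scanner", "198.51.100.7", None),
        ("developer from office", "192.0.2.10", None),
        ("developer from home", "198.51.100.7",
         basic_header("dev", "correct horse battery staple")),
        ("wrong password", "198.51.100.7", basic_header("dev", "letmein")),
    ]:
        status, _, _ = handle_request("/index.html", ip, hdr)
        print(f"{who:>22}: HTTP {status}")
```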

Re: Question about visibility

N6Ghost
On Thu, 11 Oct 2018 15:39:55 -0400
Barry Margolin <[hidden email]> wrote:

> In article <[hidden email]>,
>  Dennis Clarke <[hidden email]> wrote:
>
> > On 10/11/2018 03:21 PM, Leonardo Rodrigues wrote:  
> > > On 11/10/18 16:13, Barry Margolin wrote:
> > >>
> > >> If you accidentally, or someone else intentionally, create a
> > >> link to the site that uses the IP and put it on a web page that
> > >> Google can get to, it will probably find the page.
> > >>
> > >>  
> > >
> > >      robots.txt, on your website root, is your friend. Simply
> > > deny web crawling on it, and you're (probably) done.
> > >  
> >
> > If you believe robots.txt means anything at all.  
>
> Google is known to obey it, and the question was about avoiding
> getting your site indexed by Google.
>
> Of course, that doesn't mean someone won't find the site on their
> own. If the link to it is on some other page that isn't blocked by
> robots.txt, someone might stumble across that page and then click on
> the link.
>
> But if you're mainly worried about someone googling the words that
> are on your website and Google sending them to the development
> version instead of the production version, you're pretty safe.
>
> Actually, DNS has very little impact on this at all. AFAIK, Google
> doesn't crawl DNS, it just crawls web pages and follows links. My
> company's development server is in DNS, and it's not firewalled (we
> all work from our homes, there's no company network to restrict
> access with), but I've never heard of anyone accidentally being
> directed there by Google, because we don't publish links to this
> server.
>

robot.txt is supposed to govern what's indexed... not sure how well it's
followed nowadays, but that's the process for it.

Re: Question about visibility

Hardy, Andrew
Further to the original post, as well as not creating a DNS record and "possibly" adding robot.txt with appropriate content, as discussed, I presume that if I run the http server on a personally selected unprivileged port then it is very "unlikely" the site pages will be indexed/discovered/etc surely?

Thoughts?

Thanks.


On Sun, Oct 21, 2018, 20:32 N6ghost <[hidden email]> wrote:
On Thu, 11 Oct 2018 15:39:55 -0400
Barry Margolin <[hidden email]> wrote:

> In article <[hidden email]>,
>  Dennis Clarke <[hidden email]> wrote:
>
> > On 10/11/2018 03:21 PM, Leonardo Rodrigues wrote: 
> > > On 11/10/18 16:13, Barry Margolin wrote:
> > >>
> > >> If you accidentally, or someone else intentionally, create a
> > >> link to the site that uses the IP and put it on a web page that
> > >> Google can get to, it will probably find the page.
> > >>
> > >> 
> > >
> > >      robots.txt, on your website root, is your friend. Simply
> > > deny web crawling on it, and you're (probably) done.
> > >   
> >
> > If you believe robots.txt means anything at all. 
>
> Google is known to obey it, and the question was about avoiding
> getting your site indexed by Google.
>
> Of course, that doesn't mean someone won't find the site on their
> own. If the link to it is on some other page that isn't blocked by
> robots.txt, someone might stumble across that page and then click on
> the link.
>
> But if you're mainly worried about someone googling the words that
> are on your website and Google sending them to the development
> version instead of the production version, you're pretty safe.
>
> Actually, DNS has very little impact on this at all. AFAIK, Google
> doesn't crawl DNS, it just crawls web pages and follows links. My
> company's development server is in DNS, and it's not firewalled (we
> all work from our homes, there's no company network to restrict
> access with), but I've never heard of anyone accidentally being
> directed there by Google, because we don't publish links to this
> server.
>

robot.txt is supposed to govern what's indexed... not sure how well it's
followed nowadays, but that's the process for it.

Re: Question about visibility

G.W. Haywood via bind-users
In reply to this post by Andrew Hardy
Hi there,

On Wed, 24 Oct 2018, Hardy, Andrew wrote:

> Further to the original post, as well as not creating a DNS record
> and "possibly" adding robot.txt with appropriate content, as
> discussed, I presume that if I run the http server on a personally
> selected unprivileged port then it is very "unlikely" the site pages
> will be indexed/discovered/etc surely?
>
> Thoughts?

A server on a non-standard port is often neglected.  Its security may
be less well maintained than one that is intentionally public.

That's just the sort of thing that criminals are looking for.  They'll
probably find it, and then they'll attack it.

--

73,
Ged.

Re: Question about visibility

Timothy Metzinger
There's no security in obscurity.  Automated port scanners will sweep your system in a couple of seconds.

Tim Metzinger

From: bind-users <[hidden email]> on behalf of G.W. Haywood via bind-users <[hidden email]>
Sent: Wednesday, October 24, 2018 12:15:10 PM
Subject: Re: Question about visibility
 
Hi there,

On Wed, 24 Oct 2018, Hardy, Andrew wrote:

> Further to the original post, as well as not creating a DNS record
> and "possibly" adding robot.txt with appropriate content, as
> discussed, I presume that if I run the http server on a personally
> selected unprivileged port then it is very "unlikely" the site pages
> will be indexed/discovered/etc surely?
>
> Thoughts?

A server on a non-standard port is often neglected.  Its security may
be less well maintained than one that is intentionally public.

That's just the sort of thing that criminals are looking for.  They'll
probably find it, and then they'll attack it.

--

73,
Ged.
Tim Metzinger
703.963.3015



Re: Question about visibility

Paul Kosinski-2
Maybe port scanners will find open ports pretty quickly, but I've found
that using non-standard ports is helpful in reducing traffic, at least.
For example, SSH on port 22 gets lots of SYNs but moving it elsewhere,
and making 22 totally unresponsive discourages most such attempts. This
increases security slightly a priori, and may also improve security by
simplifying the firewall log(s).

When using OpenVPN over UDP, the standard port 1194 can be subject to
random and/or attack packets. These have to be processed and rejected
(since their HMACs etc. hopefully won't pass decryption). This won't
occur in TCP mode, of course, but UDP tends to be more efficient,
especially since TCP over TCP tends to clog up.

P.S. When you come right down to it, *all* computer (software) security
is "security by obscurity", whether the obscurity of passwords, private
keys, etc. For example, DES is no longer used because 56-bit keys are no
longer obscure enough to hide from modern computers.


On Wed, 24 Oct 2018 13:24:41 +0000
Timothy Metzinger <[hidden email]> wrote:

> There's no security in obscurity.  Automated port scanners will sweep
> your system in a couple of seconds.
>
> Tim Metzinger
>
> From: bind-users <[hidden email]> on behalf of G.W.
> Haywood via bind-users <[hidden email]> Sent: Wednesday,
> October 24, 2018 12:15:10 PM To: [hidden email]
> Subject: Re: Question about visibility
>
> Hi there,
>
> On Wed, 24 Oct 2018, Hardy, Andrew wrote:
>
> > Further to the original post, as well as not creating a DNS record
> > and "possibly" adding robot.txt with appropriate content, as
> > discussed, I presume that if I run the http server on a personally
> > selected unprivileged port then it is very "unlikely" the site pages
> > will be indexed/discovered/etc surely?
> >
> > Thoughts?
>
> A server on a non-standard port is often neglected.  Its security may
> be less well maintained than one that is intentionally public.
>
> That's just the sort of thing that criminals are looking for.  They'll
> probably find it, and then they'll attack it.
>
> --
>
> 73,
> Ged.
>
> Tim Metzinger
> 703.963.3015
>

RE: Question about visibility

John W. Blue
I agree on using non-standard ports as well.

Moving SSH to a non-standard port is a perfect example of how to actually ID bad actors.  It follows that any host connecting to 22 is clearly traffic that needs to be dropped and blocked.  And if that host is blocked then any other connections it would attempt (eg port 80) are also blocked.  I am reluctant to say "one and done" but it is pretty close.

Alternatively, using PF on a BSD with this rule:

pass in on $ext_if proto tcp from any to $ext_if port ssh \
flags S/SA keep state \
(max-src-conn-rate 2/120, overload <ssh-bruteforce> flush global)

will only allow 2 connections within two minutes before the host is blacklisted.

John

-----Original Message-----
From: bind-users [mailto:[hidden email]] On Behalf Of Paul Kosinski
Sent: Wednesday, October 24, 2018 11:24 AM
To: [hidden email]
Subject: Re: Question about visibility

Maybe port scanners will find open ports pretty quickly, but I've found that using non-standard ports is helpful in reducing traffic, at least.
For example, SSH on port 22 gets lots of SYNs but moving it elsewhere, and making 22 totally unresponsive discourages most such attempts. This increases security slightly a priori, and may also improve security by simplifying the firewall log(s).

When using OpenVPN over UDP, the standard port 1194 can be subject to random and/or attack packets. These have to be processed and rejected (since their HMACs etc. hopefully won't pass decryption). This won't occur in TCP mode, of course, but UDP tends to be more efficient, especially since TCP over TCP tends to clog up.

P.S. When you come right down to it, *all* computer (software) security is "security by obscurity", whether the obscurity of passwords, private keys, etc. For example, DES is no longer used because 56-bit keys are no longer obscure enough to hide from modern computers.


On Wed, 24 Oct 2018 13:24:41 +0000
Timothy Metzinger <[hidden email]> wrote:

> There's no security in obscurity.  Automated port scanners will sweep
> your system in a couple of seconds.
>
> Tim Metzinger
>
> From: bind-users <[hidden email]> on behalf of G.W.
> Haywood via bind-users <[hidden email]> Sent: Wednesday,
> October 24, 2018 12:15:10 PM To: [hidden email]
> Subject: Re: Question about visibility
>
> Hi there,
>
> On Wed, 24 Oct 2018, Hardy, Andrew wrote:
>
> > Further to the original post, as well as not creating a DNS record
> > and "possibly" adding robot.txt with appropriate content, as
> > discussed, I presume that if I run the http server on a personally
> > selected unprivileged port then it is very "unlikely" the site pages
> > will be indexed/discovered/etc surely?
> >
> > Thoughts?
>
> A server on a non-standard port is often neglected.  Its security may
> be less well maintained than one that is intentionally public.
>
> That's just the sort of thing that criminals are looking for.  They'll
> probably find it, and then they'll attack it.
>
> --
>
> 73,
> Ged.
>
> Tim Metzinger
> 703.963.3015
>

Re: Question about visibility

Bind-Users forum mailing list
In reply to this post by Bind-Users forum mailing list
On 10/24/2018 06:15 AM, G.W. Haywood via bind-users wrote:
> A server on a non-standard port is often neglected.  Its security may
> be less well maintained than one that is intentionally public.

Why and how do you make that correlation?

Are you implying that some people think that because they've taken one
step (moving the port) they may think that they don't need to take other
steps (updating)?

Do you have, or can you point to, data to substantiate this?

I've always found that moving the port is one of many steps done to
improve security.  The more important steps being stay up to date.



--
Grant. . . .
unix || die


Re: Question about visibility

Bind-Users forum mailing list
In reply to this post by Timothy Metzinger
On 10/24/2018 07:24 AM, Timothy Metzinger wrote:
> There's no security in obscurity.

Obscurity by itself is not security.

Obscurity can be one of many layers of security.

> Automated port scanners will sweep your system in a couple of seconds.

Yes, automated scanners can scan all the ports on a system.  That also
functions as a great indicator that the connecting IPs are doing
something undesirable.

Moving the port is also a good way to avoid a lot of other scanners that
are simply looking for specific ports.

If nothing else, moving the port will likely reduce the number of
connections, which in itself likely reduces noise in logs, which helps
improve the signal to noise ratio of said logs.



--
Grant. . . .
unix || die


Re: Question about visibility

Dave Warren-2
In reply to this post by Timothy Metzinger
On 2018-10-24 07:24, Timothy Metzinger wrote:
> There's no security in obscurity.  Automated port scanners will sweep
> your system in a couple of seconds.

There is *limited* security in obscurity but it's a valid layer.
Obviously insufficient as an only layer...

As a trivial example, I get orders of magnitude more ESMTP
authentication attempts against well known/standardized ports 25 and 587
than non-standard ports that speak the exact same protocol. Last I
looked, 25 receives substantially more traffic than 587 despite 587
being the better choice to attack these days.
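
Grant's point above that a host sweeping every port is itself an indicator, and Dave's observation that well-known ports draw far more attempts than a non-standard port speaking the same protocol, can both be checked from firewall logs. The following is an added example, not code from any poster on this thread: it parses constructed, simplified iptables-style SYN log lines, counts attempts per destination port, flags source addresses that touch many distinct ports within a short window, and then shows the per-port background that remains once those sweepers are removed. The log format, the addresses, the service standing on port 26777 and the thresholds are all constructed assumptions.

```python
"""Added example: per-port attempt counts and port-sweep detection over
constructed firewall log lines (not code from any poster in this thread)."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log in a simplified iptables-style format (an assumption,
# not a real capture). 203.0.113.7 sweeps many ports in a few seconds; two other
# hosts only poke the well-known mail ports; 26777 stands in for a service
# deliberately moved to a non-standard port; the last line is unparseable noise.
SAMPLE_LOG = """\
2018-10-24T12:00:01 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=21 SYN
2018-10-24T12:00:01 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=22 SYN
2018-10-24T12:00:01 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=23 SYN
2018-10-24T12:00:02 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=25 SYN
2018-10-24T12:00:02 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=80 SYN
2018-10-24T12:00:02 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=443 SYN
2018-10-24T12:00:02 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=8080 SYN
2018-10-24T12:00:03 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=8443 SYN
2018-10-24T12:00:03 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=26777 SYN
2018-10-24T12:01:10 SRC=198.51.100.5 DST=192.0.2.10 PROTO=TCP DPT=25 SYN
2018-10-24T12:01:11 SRC=198.51.100.5 DST=192.0.2.10 PROTO=TCP DPT=25 SYN
2018-10-24T12:01:12 SRC=198.51.100.5 DST=192.0.2.10 PROTO=TCP DPT=25 SYN
2018-10-24T12:02:00 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP DPT=587 SYN
2018-10-24T12:02:30 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP DPT=25 SYN
2018-10-24T12:03:00 SRC=192.0.2.200 DST=192.0.2.10 PROTO=TCP DPT=26777 SYN
2018-10-24T12:03:05 kernel: eth0: link is up
"""

# Only the fields this example needs: timestamp, source address, destination port.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"SRC=(?P<src>\d{1,3}(?:\.\d{1,3}){3}) DST=\S+ "
    r"PROTO=TCP DPT=(?P<dpt>\d{1,5}) SYN$"
)


def parse_log(text):
    """Return (events, skipped): parsed SYN events and lines that did not match."""
    events, skipped = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            skipped.append(line)
            continue
        events.append({
            "ts": datetime.fromisoformat(m.group("ts")),
            "src": m.group("src"),
            "dpt": int(m.group("dpt")),
        })
    return events, skipped


def attempts_per_port(events):
    """Count connection attempts per destination port (the log-noise view)."""
    return Counter(ev["dpt"] for ev in events)


def find_sweepers(events, min_ports=5, window_seconds=60):
    """Flag sources that hit at least min_ports distinct destination ports
    within any window_seconds span; returns {src: sorted ports touched}."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)
    flagged = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # shrink the window from the left until it spans <= window_seconds
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            if len({e["dpt"] for e in evs[start:end + 1]}) >= min_ports:
                flagged[src] = sorted({e["dpt"] for e in evs})
                break
    return flagged


def attempts_excluding_sweepers(events, sweepers):
    """Per-port counts with flagged sweep sources removed: what remains is the
    background of scanners that only look for specific ports."""
    return Counter(ev["dpt"] for ev in events if ev["src"] not in sweepers)


if __name__ == "__main__":
    evs, bad = parse_log(SAMPLE_LOG)
    sweepers = find_sweepers(evs)
    print("unparsed lines:", len(bad))
    print("attempts per port:", dict(sorted(attempts_per_port(evs).items())))
    print("port sweepers:", sweepers)
    background = attempts_excluding_sweepers(evs, sweepers)
    print("background per port:", dict(sorted(background.items())))
```

On the constructed sample, port 25 collects five attempts and port 587 one, while the moved service on 26777 sees only the sweeper plus one other hit; once the sweeping source is set aside, 26777 is down to a single line, which is the signal-to-noise effect Grant describes. Lowering `min_ports` to 2 also flags 198.51.100.9, which tried both mail ports within 30 seconds, so the threshold and window should be tuned to what a given site considers normal.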

Re: Question about visibility

Bind-Users forum mailing list
In reply to this post by Andrew Hardy
Hi there,

On Thu, 25 Oct 2018, Grant Taylor wrote:
> On 10/24/2018 06:15 AM, G.W. Haywood via bind-users wrote:
>
>> A server on a non-standard port is often neglected.  Its security may
>> be less well maintained than one that is intentionally public.
>
> Why and how do you make that correlation?

Years of customers (including a major motor vehicle manufacturer) who
said "The guy that set all this up has left." and "We don't know what
happened to the disc.", and "Oh, we'd forgotten about that one." and...

> Are you implying that some people think that because they've taken one
> step (moving the port) they may think that they don't need to take other
> steps (updating)? ...

No, that was not what I meant to imply at all.

> I've always found that moving the port is one of many steps done to
> improve security.

As was mentioned by others earlier in the thread.  No argument there, I
do that too - especially for ssh and VPN connections.  But you'd likely
have poor results with a nameserver. :)

> The more important steps being stay up to date.

That being the problem.  The |guy left|...|forgotten about it| means
that unless the updating is automatic (and still working - unlikely,
even if it was once) then you more or less have a ticking time-bomb.

Mostly off-topic for this list though.

--

73,
Ged.