ietf-asrg

Re: [Asrg] article: port 25 blocking

2005-04-15 18:33:04
On Thu, Apr 14, 2005 at 11:01:03PM -0500, mathew wrote:
> Larry Seltzer wrote:
>
>> Let's say I want to let my team of users access the mail server from
>> their ISP accounts. I set up SMTP on (pull number out of ass) TCP
>> 48207. I have to set this up on all their clients (and open it up on
>> any firewalls between us), so for practical purposes it can't be too
>> many of them.
>
> Let's start with why this proposal won't work.
>
> Basically, it's security through obscurity. And in this case, the
> obscurity will only last until the first port scan. There are only
> 65535 ports in total; there are plenty of tools out there which will
> scan them all in a couple of minutes; adding code to go back to each
> open port and check for an SMTP server is a trivial addition.

  Rather than accessing random open ports, the road warriors' machines
should be using ssh-tunneling or VPN or whatever.  I know from personal
experience that ssh-tunneling works over a NAT'ed connection, which can
break some VPNs.  Set up the sshd config to not accept passwords, i.e.
the client must use their key to authenticate.  Somebody with a traffic
sniffer sees encrypted traffic to port 22; like whoopee.

> Like every cable modem user, I already get port scanned regularly by
> malware. As soon as any significant number of SMTP servers start using
> random unadvertised ports for unauthenticated SMTP, the port scanning
> 0wn3d machines already out there will find out what those ports
> are. The spammers will simply add the port number to each address
> on the lists of open relays they already exchange with each other.

  So the traffic-sniffer sees a bunch of encrypted traffic going to port
22 on the corporate server; again, like whoopee.

-- 
Walter Dnes <waltdnes(_at_)waltdnes(_dot_)org>
An infinite number of monkeys pounding away on keyboards will
eventually produce a report showing that Windows is more secure,
and has a lower TCO, than linux.
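Walter's suggestion in concrete form, as an added example that is not part of the thread: a key-only sshd_config fragment beside the weak password-accepting one, a small check that a config file really refuses passwords, and the client-side ssh command that carries SMTP submission over port 22 instead of an obscure port. The user, host and local port values are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Placeholder hosts/users throughout.

# Key-only sshd settings (hypothetical fragment for /etc/ssh/sshd_config).
HARDENED_SSHD_CONFIG='
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AllowTcpForwarding yes
'
# Weak fragment for comparison: anyone who finds port 22 may still try passwords.
WEAK_SSHD_CONFIG='
PasswordAuthentication yes
PubkeyAuthentication yes
'

# sshd_config_is_key_only FILE: prints "ok", or the offending directive and
# returns 1. Only the first occurrence of a directive counts, as in sshd itself,
# and missing directives take sshd's defaults (both "yes").
sshd_config_is_key_only() {
    pw=$(awk 'tolower($1)=="passwordauthentication"{print tolower($2); exit}' "$1")
    pk=$(awk 'tolower($1)=="pubkeyauthentication"{print tolower($2); exit}' "$1")
    [ -n "$pw" ] || pw=yes
    [ -n "$pk" ] || pk=yes
    if [ "$pw" != "no" ]; then echo "PasswordAuthentication=$pw"; return 1; fi
    if [ "$pk" != "yes" ]; then echo "PubkeyAuthentication=$pk"; return 1; fi
    echo ok
}

# smtp_tunnel_cmd USER HOST LOCALPORT: the client-side command that forwards
# localhost:LOCALPORT on the laptop to port 25 on the mail server, so the mail
# client is pointed at localhost:LOCALPORT and only port 22 crosses the network.
smtp_tunnel_cmd() {
    printf 'ssh -N -o PasswordAuthentication=no -L %s:127.0.0.1:25 %s@%s\n' "$3" "$1" "$2"
}

# Demo on constructed config files.
tmp=$(mktemp -d)
printf '%s\n' "$HARDENED_SSHD_CONFIG" > "$tmp/hardened"
printf '%s\n' "$WEAK_SSHD_CONFIG" > "$tmp/weak"
echo "hardened: $(sshd_config_is_key_only "$tmp/hardened")"
echo "weak: $(sshd_config_is_key_only "$tmp/weak" || true)"
smtp_tunnel_cmd roadwarrior mail.example.com 2525
rm -rf "$tmp"
```

With the tunnel up, the mail client submits to localhost:2525 and a sniffer on the path sees only encrypted traffic to port 22.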

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg