Hello,

On Thu, Jun 20, 2019 at 08:45:13PM +0100, Brian wrote:
> At least 2000,000,0000 hosts on the internet. You reckon you will be in
> the first tranche of targets?
I don't know about "amongst the first", but there are multiple services scanning every port of the entire IPv4 space now and selling access to the results, e.g. Shodan, which has already been mentioned. So the idea that you don't need to think about hostile actors connecting to your service because you are 1 in 2bn or whatever is no longer sound.

For example, for over 10 years I have been putting ssh on a port other than 22 where I was able to do so, just to cut down on noise in my logs, since every hostile knew to check port 22. This year, for the first time, I am finding that mass scanners have found my alternate port and are now doing dictionary attacks against it. This is because the aforementioned scanning services have scanned every port of my hosts and are selling the information that my host has what looks like an sshd on so-and-so port. The operators of botnets are buying this information and setting their botnets to try SSH on those alternate ports too.

So any new bad actor who wants to scan for this vulnerability is just going to buy access to a list of every host on the Internet that has an open port 25, maybe an open port 25 running the vulnerable versions of Exim if that is offered. That will be a very manageable list of IPs. They won't have to do the scanning themselves. This is only going to get worse.

I don't think it's security through obscurity to try to hide yourself from the hostiles if you have already taken steps to protect yourself and it's just to reduce the amount of noise. I think it's only security through obscurity if you don't fix it, try to hide, and would get exploited if you were found.

Having said that, I am in full agreement that the correct thing to do if concerned about the SMTP banner is to change the SMTP banner, not change the version of the software. I might even go further and try to find a way to identify and log people trying this exploit, so that they can be dealt with the same way persistent SSH dictionary attackers are.
Cheers,
Andy

--
https://bitfolk.com/ -- No-nonsense VPS hosting
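The message above proposes treating attackers the way persistent SSH dictionary attackers are treated: identify them from the logs and block the source. The following is an added example, not code from the message or from Exim or BitFolk, of the threshold logic behind that approach (the same idea fail2ban implements): it parses constructed OpenSSH "Failed password" lines in standard syslog format, counts failures per source address within a sliding time window, and turns the flagged addresses into firewall commands. The log lines and IP addresses are constructed samples from documentation ranges, the year is assumed because syslog timestamps omit it, and the nftables set name `ssh_ban` is an assumption, not a setting on the page.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd lines (standard OpenSSH auth log format, not real traffic).
SAMPLE_AUTH_LOG = """\
Jun 20 20:40:01 mx sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 41022 ssh2
Jun 20 20:40:03 mx sshd[2103]: Failed password for invalid user oracle from 203.0.113.5 port 41030 ssh2
Jun 20 20:40:05 mx sshd[2105]: Failed password for root from 203.0.113.5 port 41041 ssh2
Jun 20 20:40:09 mx sshd[2107]: Failed password for invalid user test from 203.0.113.5 port 41052 ssh2
Jun 20 20:40:12 mx sshd[2109]: Failed password for invalid user pi from 203.0.113.5 port 41060 ssh2
Jun 20 20:41:00 mx sshd[2111]: Failed password for andy from 198.51.100.7 port 50000 ssh2
Jun 20 20:41:04 mx sshd[2113]: Accepted publickey for andy from 198.51.100.7 port 50001 ssh2: ED25519 SHA256:constructedfingerprint
Jun 20 21:10:00 mx sshd[2120]: Failed password for invalid user admin from 192.0.2.9 port 33000 ssh2
Jun 20 21:10:02 mx sshd[2121]: Failed password for invalid user admin from 192.0.2.9 port 33001 ssh2
Jun 20 21:10:04 mx sshd[2122]: Failed password for root from 192.0.2.9 port 33002 ssh2
Jun 20 21:10:06 mx sshd[2123]: Failed password for root from 192.0.2.9 port 33003 ssh2
Jun 20 21:10:08 mx sshd[2124]: Failed password for root from 192.0.2.9 port 33004 ssh2
Jun 20 21:10:10 mx sshd[2125]: Failed password for root from 192.0.2.9 port 33005 ssh2
"""

# Matches the OpenSSH "Failed password" line, with or without "invalid user".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(text, year=2019):
    """Return a list of (timestamp, username, source_ip) for each failed login line.

    Syslog timestamps carry no year, so one is assumed (default 2019, the year of the
    thread); successful logins and unrelated lines are ignored.
    """
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["ip"]))
    return events


def persistent_attackers(text, threshold=5, window_seconds=600, year=2019):
    """Flag source IPs with >= threshold failures inside any window of window_seconds.

    Returns {ip: (total_failures, sorted usernames tried)}. A single mistyped password
    from a legitimate user never reaches the threshold, so only the dictionary-style
    sources are returned.
    """
    by_ip = defaultdict(list)
    for ts, user, ip in parse_failures(text, year):
        by_ip[ip].append((ts, user))

    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        # Sliding window: advance `start` until the window fits, then check its size.
        for end in range(len(events)):
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = (len(events), sorted({u for _, u in events}))
                break
    return flagged


def block_commands(flagged):
    """Turn flagged IPs into nftables commands; the set name 'ssh_ban' is assumed to exist."""
    return [f"nft add element inet filter ssh_ban {{ {ip} }}" for ip in sorted(flagged)]


if __name__ == "__main__":
    hits = persistent_attackers(SAMPLE_AUTH_LOG)
    for ip, (count, users) in sorted(hits.items()):
        print(f"{ip}: {count} failures, users tried: {', '.join(users)}")
    for cmd in block_commands(hits):
        print(cmd)
```

Run against the constructed sample, the two scanning sources are flagged and the one-off failure from the legitimate user is not. The same sliding-window logic applies to any per-source rejection line, such as Exim's reject entries, once the regular expression is swapped for that log format.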