Simple Security Tricks You Need to Know

Renaming admin accounts to something that’s not obvious, changing ports of well-known exploited programs such as RDP to higher-numbered ones, and setting up a honeypot are all well-known tricks in the security world, but it’s nice to see them all  in a comprehensive list created by security expert Roger Grimes.

While there isn’t anything really new in security, sometimes a refresher course on the basics can be helpful. If you haven’t thought about some of these ideas, it’s worth taking another look.

Related Links

No Responses to “Simple Security Tricks You Need to Know”

  1. Lee Crites

    I loved most of these suggestions, and have done them in the past. My version of the “honeypot” and the “nonstandard port” was that I had a dummy/test computer, fully configured and set up and running. The router sent the standard ports to it. I wrote a rather simple server process that would listen on the various ports (based on a config file), and respond “appropriately” (again, based on a config-based setup).

    So if you attempted to hack my web server on port 80, for instance, you got what appeared to be the default Apache installation web page. Ditto with telnet, ssh, ftp, etc, etc, etc. All ports were open and answering requests.

    The only thing the server did was answer the request, and log all of the information the sender process would give it for later analysis. That included all of the telnet and ssh requests, which simply returned a login error. It didn’t matter what login/password combination you tried — even if it was the “right” one. The only way to log in to that box was via the attached console. Period.

    My client/server applications used my own “standard port list,” and the router would pass them along to the correct system.

    One problem with the majority of the suggestions. In my bee-boping about the industry, I have noted that many of the more egregious breakins probably had inside help. So most of the “security by obscurity” options wouldn’t work. The “obscurity” part of that equation means that nobody on the “inside” tells folks on the “outside” that the names/ports/fqpn/etc were altered.

  2. Lee Crites

    One other “security by obscurity” thing we did was rename sudo. We then wrote a simple bash script that logged all sorts of interesting things ($*, who, who am i, pwd, ps, etc, etc) to a local log file we could monitor, and named it sudo. Now when a foreign process attempts to use sudo to do something, we know what it was and when it made the attempt.

    Setting LogStash or Nagios to trigger major-league warnings with this log file is changed can help you keep up with potential intrusions in real-time.

    I guess the script could be generalized so you could implement other “popular” commands with the hacker crowd, and then put it in your honeypot. But some of that is further than we went — although not much further than I might go in the near future.