Date:      Mon, 5 Oct 2009 11:30:26 +0200
From:      Daniel Bond <db@danielbond.org>
To:        Eric Williams <purpleshadow100@gmail.com>
Cc:        freebsd-security@freebsd.org
Subject:   Re: openssh concerns
Message-ID:  <C71A2370-DF5D-4C73-9321-7AA95B4844D5@danielbond.org>
In-Reply-To: <4AC7B690.1060607@gmail.com>
References:  <20091003121830.GA15170@sorry.mine.nu> <4AC7B690.1060607@gmail.com>


Hi,

as long as one uses good passwords, or disables authentication with passwords and only authorizes using SSH keys, you should be fine, if you can survive a little spam in your system logs.

Personally I tend to either firewall the OpenSSH daemon, or leave it wide open. I don't really see the point in changing ports, as long as they are still publicly available. However, I'm concerned about the suggestion of using an unprivileged port (I see port 8080 suggested in earlier mails).

If you really do need to use an unprivileged port, one solution could be to rewrite the port number with a NAT redirect, so NAT forwards to a privileged port.

The reason for this is that any local user is capable of binding to unprivileged ports. If for some reason a local user/attacker is able to crash the OpenSSH daemon process, or bind to the socket before sshd(8) does, the attacker can install an "evil sshd" to capture information about keys and passwords. Not all users care about host-key warnings.

One workaround may be to create a special rule for sshd with mac_portacl(4), so only sshd can bind to port 8080, or whatever (http://www.freebsd.org/doc/en/books/handbook/mac-portacl.html).


Best regards,


Daniel Bond.




On Oct 3, 2009, at 10:39 PM, Eric Williams wrote:

> On 10/3/2009 7:18 AM, olli hauer wrote:
>>>> http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers provides a reasonably useful list of ports NOT to choose for an obscure ssh port.
>>>
>>> In practice, you have no choice but to use something like 443 or 8080, because corporate firewalls often block everything but a small number of ports (usually 20, 22, 80, 443, 8080, and odds are that 20, 80 and 8080 go through a transparent proxy)
>>
>> This may work if the firewall does only port and no additional protocol filtering. For many products used in corporate environments it is even possible to filter ssh v1, skype, stunnel, openvpn with a very high success rate within the first packets on the wire.
>>
>> In the case of the ssh server, take a look at these parameters:
>> - LoginGraceTime
>> - MaxAuthTries
>> - MaxSessions
>> - MaxStartups
>
> The absolute best way to filter out the attacks is to disable authentication methods other than public keys. Obviously this isn't possible in all situations, but it's very effective. Most attack bots will just disconnect when they attempt login, and it's almost impossible to crack a key and gain access.
>

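The two mitigations Daniel Bond proposes above, written out as an added FreeBSD configuration example that is not part of this thread: a pf NAT redirect so that the public port 8080 is rewritten to sshd's privileged port 22 before delivery, and, for a host that genuinely must listen on 8080, a mac_portacl(4) policy that keeps unprivileged local users from binding the port. The interface name em0, the address 192.0.2.10 and the example rule for uid 80 are assumed placeholder values.

```conf
# --- Option 1: sshd stays on a privileged port; pf rewrites the public one ---
# /etc/ssh/sshd_config: leave sshd on 22.  Nothing below 1024 can be bound by an
# unprivileged local user, so there is no port for an "evil sshd" to squat on.
Port 22

# /etc/pf.conf (translation rules go before filter rules).  External clients
# connect to 8080; pf changes the destination port to 22 before the packet is
# delivered, so a rogue listener on 8080 never sees the traffic.
# em0 and 192.0.2.10 are placeholders for the real interface and address.
ext_if   = "em0"
ext_addr = "192.0.2.10"
rdr pass on $ext_if inet proto tcp from any to $ext_addr port 8080 -> $ext_addr port 22

# --- Option 2: sshd really listens on 8080, so fence the port with mac_portacl(4) ---
# /boot/loader.conf
mac_portacl_load="YES"

# /etc/sysctl.conf
# mac_portacl only governs ports <= port_high (default 1023), so it has to be
# raised to cover 8080.  Caveat: every port from 1024 up to 8080 then becomes
# reserved to root and to the explicit rules below, so any other non-root
# daemon listening in that range needs its own rule.
security.mac.portacl.port_high=8080
# Hand the reserved-port decision to mac_portacl rather than the IP stack's own
# reservedlow/reservedhigh check, as the mac_portacl(4) man page recommends.
net.inet.ip.portrange.reservedlow=0
net.inet.ip.portrange.reservedhigh=0
# Root remains exempt, so sshd (which binds its listening socket as uid 0)
# needs no rule of its own.  Rules are only for non-root listeners inside the
# protected range; the uid 80 (www) entry on 8000 is an illustrative placeholder.
security.mac.portacl.suser_exempt=1
security.mac.portacl.rules=uid:80:tcp:8000
```

With option 2, a non-root user attempting to bind 8080 gets EACCES, which is the condition the mail is trying to guarantee; with option 1 the same bind succeeds but receives no external connections, because pf has already redirected them to 22.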
