From owner-freebsd-security@FreeBSD.ORG Mon Oct 5 09:57:36 2009 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id B1E9C1065676 for ; Mon, 5 Oct 2009 09:57:36 +0000 (UTC) (envelope-from db@danielbond.org) Received: from mail.nsn.no (mailtwo.nsn.no [62.89.38.161]) by mx1.freebsd.org (Postfix) with SMTP id 0EC688FC14 for ; Mon, 5 Oct 2009 09:57:35 +0000 (UTC) Received: (qmail 49950 invoked by uid 0); 5 Oct 2009 09:30:54 -0000 Received: from unknown (HELO ?172.16.3.90?) (85.95.44.187) by mail.nsn.no with SMTP; 5 Oct 2009 09:30:54 -0000 Message-Id: From: Daniel Bond To: Eric Williams In-Reply-To: <4AC7B690.1060607@gmail.com> Content-Type: multipart/signed; protocol="application/pgp-signature"; micalg=pgp-sha1; boundary="Apple-Mail-1--597563465" Content-Transfer-Encoding: 7bit Mime-Version: 1.0 (Apple Message framework v936) Date: Mon, 5 Oct 2009 11:30:26 +0200 References: <20091003121830.GA15170@sorry.mine.nu> <4AC7B690.1060607@gmail.com> X-Pgp-Agent: GPGMail 1.2.0 (v56) X-Mailer: Apple Mail (2.936) Cc: freebsd-security@freebsd.org Subject: Re: openssh concerns X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 05 Oct 2009 09:57:36 -0000 This is an OpenPGP/MIME signed message (RFC 2440 and 3156) --Apple-Mail-1--597563465 Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes Content-Transfer-Encoding: 7bit Hi, as long as one uses good passwords, or disable authentication with passwords and only authorize using SSH-keys, you should be fine, if you can survive a little spam in your system logs. Personally I tend to either firewall the OpenSSH daemon, or leave it wide open. I don't really see the point in changing ports, as long as they are still publicly available. However, I'm concerned about the suggestion of using an unprivileged port (I see port 8080 suggested in earlier mails). If you really do need to use a unprivileged port, one solution could be rewrite the port-number with a NAT redirect, so NAT forwards to a privileged port. The reason for this, is that any local user is capable of binding to unprivileged ports. If for some reason, a local user/attacker is able to crash the OpenSSH daemon process, or bind to the socket before the sshd(8) does, the attacker can install an "evil sshd", to capture information about keys and passwords. Not all users care about host-key warnings. One workaround may be to create a special rule for sshd, with mac_portacl(4), so only sshd can bind to port 8080, or whatever. ( http://www.freebsd.org/doc/en/books/handbook/mac-portacl.html ). Best regards, Daniel Bond. On Oct 3, 2009, at 10:39 PM, Eric Williams wrote: > On 10/3/2009 7:18 AM, olli hauer wrote: >>>> http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers >>>> provides a >>>> reasonably useful list of ports NOT to choose for an obscure ssh >>>> port. >>> >>> In practice, you have no choice but to use someting like 443 or >>> 8080, >>> because corporate firewalls often block everything but a small >>> number >>> of >>> ports (usually 20, 22, 80, 443, 8080, and odds are that 20, 80 and >>> 8080 >>> go through a transparent proxy) >> >> This may work if the firewall does only port and no additional >> protocol >> filtering. For many products used in corporate envirion it is even >> possible to filter ssh v1, skype, stunnel, openvpn with a verry high >> success rate within the first packet's on the wire. >> >> In case for the ssh server take a look into this parameters >> - LoginGraceTime >> - MaxAuthTries >> - MaxSessions >> - MaxStartups > > The absolute best way to filter out the attacks is to disable > authentication methods other than public keys. Obviously this isn't > possible in all situations, but it's very effective. Most attack bots > will just disconnect when they attempt login, and it's almost > impossible > to crack a key and gain access. > --Apple-Mail-1--597563465 content-type: application/pgp-signature; x-mac-type=70674453; name=PGP.sig content-description: This is a digitally signed message part content-disposition: inline; filename=PGP.sig content-transfer-encoding: 7bit -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.11 (Darwin) iEYEARECAAYFAkrJvM4ACgkQF4Ca8+3pySXOrACg3apmwq0s7SGa4Sp5nGC3AkOf QzkAn39BLrkhsQuHV7NDLG9roxOheicW =3PPK -----END PGP SIGNATURE----- --Apple-Mail-1--597563465--