From: Oliver Fromme
To: freebsd-stable@FreeBSD.ORG
Date: Mon, 12 Oct 2009 15:42:01 +0200 (CEST)
Subject: Re: openssh concerns
Message-Id: <200910121342.n9CDg19g066566@lurza.secnetix.de>
In-Reply-To: <20091012094519.GA29445@calvin.ustdmz.roe.ch>

Daniel Roethlisberger wrote:
> If your situation allows running pf, then there's an alternative
> method: bind sshd normally to port 22, but use pf to deny direct
> connections to port 22, redirecting connections to some high port
> X to port 22 using a `rdr pass' rule. You can even make
> exceptions for trusted IP address ranges which are then allowed
> to SSH in directly on port 22. That way, an unprivileged process
> will gain nothing by listening on high port X; it won't get to
> accept() any SSH connections.

Just for completeness' sake, the same can be done easily with IPFW and "fwd" rules, of course.

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Commercial register: Registry Court Munich, HRA 74606, Management: secnetix Verwaltungsgesellsch. mbH, Commercial register: Registry Court Munich, HRB 125758, Managing directors: Maik Bachmann, Olaf Erb, Ralf Gebhart
FreeBSD services, products and more: http://www.secnetix.de/bsd
"C++ is to C as Lung Cancer is to Lung." -- Thomas Funke
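The pf setup quoted above, written out as an added pf.conf example (it is not code from either poster); the interface name, host address, public port and trusted ranges are constructed placeholders:

```pf
# Added example of the pf arrangement quoted above (not from the original mail).
# Assumptions (all constructed): external interface em0, the host's own
# address 192.0.2.10, public SSH port 2222, and the trusted client ranges below.
ext_if   = "em0"
ssh_addr = "192.0.2.10"
ssh_pub  = "2222"
trusted  = "{ 198.51.100.0/24, 203.0.113.7 }"

# sshd keeps listening on privileged port 22 (its default ListenAddress
# covers 127.0.0.1). The "pass" keyword makes pf accept the redirected
# connection without evaluating the filter rules below, so the block on
# port 22 does not apply to translated traffic.
rdr pass on $ext_if proto tcp from any to $ssh_addr port $ssh_pub \
    -> 127.0.0.1 port 22

# Trusted ranges may still connect to port 22 directly; everyone else is
# refused. Because translation runs before filtering, an unprivileged
# process bound to port 2222 never receives these packets.
pass in quick on $ext_if proto tcp from $trusted to $ssh_addr port 22 \
    flags S/SA keep state
block in quick on $ext_if proto tcp from any to $ssh_addr port 22
```

Load it with `pfctl -f /etc/pf.conf` and confirm the rules with `pfctl -sn` (translation) and `pfctl -sr` (filter). The IPFW variant Oliver mentions is an `ipfw add fwd 127.0.0.1,22 tcp from any to me 2222 in` rule, which on releases of that era needs a kernel built with the IPFIREWALL_FORWARD option.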