From: olli hauer <ohauer@gmx.de>
To: des@des.no, smithi@nimnet.asn.au
Cc: freebsd-security@freebsd.org
Date: Sat, 3 Oct 2009 14:18:30 +0200
Subject: Re: openssh concerns
Message-ID: <20091003121830.GA15170@sorry.mine.nu>
List-Id: "Security issues [members-only posting]"

>> http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
>> provides a reasonably useful list of ports NOT to choose for an obscure ssh
>> port.
>
> In practice, you have no choice but to use something like 443 or 8080,
> because corporate firewalls often block everything but a small number of
> ports (usually 20, 22, 80, 443, 8080, and odds are that 20, 80 and 8080
> go through a transparent proxy)

This may work if the firewall only does port filtering and no additional
protocol filtering. For many products used in corporate environments it is
even possible to filter ssh v1, skype, stunnel, openvpn with a very high
success rate within the first packets on the wire.

In the case of the ssh server, take a look at these parameters:

- LoginGraceTime
- MaxAuthTries
- MaxSessions
- MaxStartups

-- 
olli
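The four sshd_config directives named above, as an added example that is not part of olli's mail or of OpenSSH itself: a constructed hardening fragment for them, plus a small POSIX sh check that reads a config file the way sshd does (first occurrence of a keyword wins, per sshd_config(5)), so that a hardening line appended below a stock setting is caught rather than silently ignored. The threshold values, the file names and the two constructed config files are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the mail): constructed sshd_config fragment for
# LoginGraceTime, MaxAuthTries, MaxSessions and MaxStartups, and a checker.
# All values below are this example's choices, not recommendations from the
# mail or from OpenSSH.

# Constructed hardening fragment. sshd does not accept trailing comments on
# a directive line, so the comments sit on their own lines.
SSHD_HARDENING='
# seconds an unauthenticated connection may stay open (sshd default 120)
LoginGraceTime 30
# failed authentication attempts per connection (sshd default 6)
MaxAuthTries 3
# multiplexed sessions per TCP connection (sshd default 10)
MaxSessions 2
# start:rate:full - refuse 30% of new unauthenticated connections once 5
# are pending, rising to 100% at 20 (sshd default 10:30:100)
MaxStartups 5:30:20
'

# sshd_value FILE NAME: print the effective global value of directive NAME.
# sshd keeps the FIRST occurrence of a keyword (sshd_config(5)); anything
# appended below an earlier setting is ignored. Keywords are matched
# case-insensitively. Scanning stops at the first Match block, whose
# settings are conditional. Assumption: only the "Keyword value" form is
# handled, not "Keyword=value".
sshd_value() {
    awk -v name="$2" '
        /^[ \t]*#/ || NF == 0        { next }
        tolower($1) == "match"        { exit }
        tolower($1) == tolower(name)  { print $2; exit }
    ' "$1"
}

# seconds VALUE: expand a single time suffix as sshd accepts for
# LoginGraceTime (s, m, h); a bare number is seconds. Assumption: compound
# values such as 1h30m are not handled.
seconds() {
    case $1 in
        *h) echo $(( ${1%h} * 3600 )) ;;
        *m) echo $(( ${1%m} * 60 )) ;;
        *s) echo "${1%s}" ;;
        *)  echo "$1" ;;
    esac
}

# check_sshd FILE: report each directive; return 1 if any is unset (so the
# looser sshd default applies) or looser than this example's threshold.
check_sshd() {
    rc=0
    for spec in LoginGraceTime:30 MaxAuthTries:3 MaxSessions:2 MaxStartups:5; do
        name=${spec%%:*}; limit=${spec##*:}
        val=$(sshd_value "$1" "$name")
        case $name in
            LoginGraceTime) num=$(seconds "${val:-120}") ;;
            MaxStartups)    num=${val%%:*}; num=${num:-10} ;;  # "start" field
            MaxAuthTries)   num=${val:-6} ;;
            MaxSessions)    num=${val:-10} ;;
        esac
        if [ -z "$val" ]; then
            printf '%-15s unset, sshd default %s applies\n' "$name" "$num"; rc=1
        elif [ "$num" -gt "$limit" ]; then
            printf '%-15s %s is looser than %s\n' "$name" "$val" "$limit"; rc=1
        else
            printf '%-15s %s ok\n' "$name" "$val"
        fi
    done
    return $rc
}

# Two constructed config files: LOOSE appends the hardening below stock
# lines (so sshd keeps the stock values), HARD has the hardening alone.
TMP=$(mktemp -d)
LOOSE="$TMP/sshd_config.loose"
HARD="$TMP/sshd_config.hard"
printf '%s\n%s\n' 'MaxAuthTries 6
LoginGraceTime 2m' "$SSHD_HARDENING" > "$LOOSE"
printf '%s\n' "$SSHD_HARDENING" > "$HARD"

echo "== $LOOSE"; check_sshd "$LOOSE" || echo "FAIL: stock values still win"
echo "== $HARD";  check_sshd "$HARD"  && echo "OK"
```

On a live host the authoritative check is `sshd -T`, which prints the configuration sshd will actually use (keywords in lower case) after applying the first-match rule and any Match blocks; the file-based checker above is for reviewing configs before they are deployed. Tightening MaxStartups and LoginGraceTime limits how many half-open, unauthenticated connections a single remote host can hold against the daemon; MaxAuthTries bounds password guessing per connection, and MaxSessions bounds what one authenticated connection can multiplex.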