From: Eric Williams
Date: Sat, 03 Oct 2009 15:39:44 -0500
To: freebsd-security@freebsd.org
Subject: Re: openssh concerns
Message-ID: <4AC7B690.1060607@gmail.com>
In-Reply-To: <20091003121830.GA15170@sorry.mine.nu>
List-Id: "Security issues [members-only posting]"

On 10/3/2009 7:18 AM, olli hauer wrote:
>>> http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
>>> provides a reasonably useful list of ports NOT to choose for an
>>> obscure ssh port.
>>
>> In practice, you have no choice but to use something like 443 or 8080,
>> because corporate firewalls often block everything but a small number
>> of ports (usually 20, 22, 80, 443, 8080, and odds are that 20, 80 and
>> 8080 go through a transparent proxy)
>
> This may work if the firewall does only port and no additional protocol
> filtering. For many products used in corporate environments it is even
> possible to filter ssh v1, skype, stunnel, openvpn with a very high
> success rate within the first packets on the wire.
>
> In the case of the ssh server, take a look at these parameters:
> - LoginGraceTime
> - MaxAuthTries
> - MaxSessions
> - MaxStartups

The absolute best way to filter out the attacks is to disable
authentication methods other than public keys. Obviously this isn't
possible in all situations, but it's very effective. Most attack bots
will just disconnect when they attempt login, and it's almost impossible
to crack a key and gain access.