Date: Sun, 11 Oct 2009 15:52:38 +0100 (BST)
From: Robert Watson <rwatson@FreeBSD.org>
To: freebsd-stable@FreeBSD.ORG, dougb@FreeBSD.ORG
Subject: Re: openssh concerns
Message-ID: <alpine.BSF.2.00.0910111552060.48605@fledge.watson.org>
In-Reply-To: <200910081823.n98INRVZ082461@lurza.secnetix.de>
References: <200910081823.n98INRVZ082461@lurza.secnetix.de>
On Thu, 8 Oct 2009, Oliver Fromme wrote:

> Are you sure? The majority of BSD machines in my vicinity have multiple
> accounts.
>
> And even if there's only one account, there is no reason to be careless with
> potential port-takeover risks.
>
> Therefore I advise against running critical daemons on unprivileged ports,
> especially on machines with shell accounts. And if you need to bind to a
> port >= 1024, use mac_portacl(4) to protect it. It's easy to use.
> Alternatively you can increase the value of the sysctl
> net.inet.ip.portrange.reservedhigh, but this is less flexible and might have
> unwanted side effects.

And, for those that haven't already noticed, "options MAC" is compiled into
GENERIC on 8.0, so working with MAC policies no longer requires a recompile (or
in many cases, even a reboot).

Robert N M Watson
Computer Laboratory
University of Cambridge
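As an added example, not part of the thread: a POSIX sh helper that builds the mac_portacl(4) rule set and the matching /etc/sysctl.conf lines for the case Oliver describes, a daemon that has to bind a port >= 1024 without other local accounts being able to take that port. The uid 1001 and port 8080 are constructed values; the sysctl names are the ones documented in mac_portacl(4), and the module itself still has to be loaded (mac_portacl_load="YES" in /boot/loader.conf).

```shell
#!/bin/sh
# Added example, not from the thread. Generates mac_portacl(4) configuration
# that reserves a high port for one uid or gid. Constructed values: uid 1001,
# port 8080.

# portacl_rule KIND ID PROTO PORT -> prints "KIND:ID:PROTO:PORT" in the
# security.mac.portacl.rules format, or returns 1 on malformed input.
portacl_rule() {
    kind=$1; id=$2; proto=$3; port=$4
    case $kind in uid|gid) ;; *) return 1 ;; esac
    case $id in ''|*[!0-9]*) return 1 ;; esac
    case $proto in tcp|udp) ;; *) return 1 ;; esac
    case $port in ''|*[!0-9]*) return 1 ;; esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then return 1; fi
    printf '%s:%s:%s:%s\n' "$kind" "$id" "$proto" "$port"
}

# portacl_conf RULE... -> prints /etc/sysctl.conf lines. port_high defaults to
# 1023 in mac_portacl, so a rule for 8080 would never be consulted; it is
# raised to the highest port in the rule set. With suser_exempt=1 root keeps
# binding anything; every other account may bind a port <= port_high only if a
# rule names it. The kernel's own reserved-port check (reservedhigh, default
# 1023) is left untouched, so ports below 1024 stay root-only as before.
portacl_conf() {
    rules=''; high=1023
    for r in "$@"; do
        p=${r##*:}
        if [ "$p" -gt "$high" ]; then high=$p; fi
        rules="${rules:+$rules,}$r"
    done
    printf 'security.mac.portacl.enabled=1\n'
    printf 'security.mac.portacl.suser_exempt=1\n'
    printf 'security.mac.portacl.port_high=%s\n' "$high"
    printf 'security.mac.portacl.rules=%s\n' "$rules"
}

# Usage: reserve tcp/8080 for uid 1001 and udp/53 for gid 53 (constructed).
portacl_conf "$(portacl_rule uid 1001 tcp 8080)" "$(portacl_rule gid 53 udp 53)"
```

Apply the output with sysctl(8) or append it to /etc/sysctl.conf; if a rule is rejected at load time, check the kernel log, since mac_portacl discards the whole rule string when any element is malformed.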