From owner-freebsd-stable@FreeBSD.ORG Tue Dec 29 16:46:03 2009
Return-Path: <owner-freebsd-stable@FreeBSD.ORG>
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 72E94106566C for <freebsd-stable@freebsd.org>; Tue, 29 Dec 2009 16:46:03 +0000 (UTC) (envelope-from chris@behanna.org)
Received: from smtp103.sbc.mail.mud.yahoo.com (smtp103.sbc.mail.mud.yahoo.com [68.142.198.202]) by mx1.freebsd.org (Postfix) with SMTP id 346318FC13 for <freebsd-stable@freebsd.org>; Tue, 29 Dec 2009 16:46:02 +0000 (UTC)
Received: (qmail 99757 invoked from network); 29 Dec 2009 16:19:20 -0000
Received: from (chris@64.132.190.26 with plain) by smtp103.sbc.mail.mud.yahoo.com with SMTP; 29 Dec 2009 08:19:20 -0800 PST
From: Chris BeHanna <chris@behanna.org>
To: freebsd-stable@freebsd.org
Subject: Re: Hacked - FreeBSD 7.1-Release
Date: Tue, 29 Dec 2009 10:19:20 -0600
Message-Id: <1790A4AA-9EB4-47DF-ADC9-7DA90AD2654F@behanna.org>
In-Reply-To: <4B3A2A02.1090509@brianwhalen.net>
References: <4B20B509.4050501@yahoo.it> <600C0C33850FFE49B76BDD81AED4D25801371D8056@IMCMBX3.MITRE.ORG> <600C0C33850FFE49B76BDD81AED4D25801371D8737@IMCMBX3.MITRE.ORG> <20091229114536.GA2409@mavetju.org> <4B3A2A02.1090509@brianwhalen.net>
List-Id: Production branch of FreeBSD source code
X-List-Received-Date: Tue, 29 Dec 2009 16:46:03 -0000

On Dec 29, 2009, at 10:10 , Brian W. wrote:

> On 12/29/2009 3:45 AM, Edwin Groothuis wrote:
>> mpt to pass a Turing test or something.
>> On all systems which need to be accessible from the public Internet:
>> Run sshd on port 22 and port 8022. Block incoming traffic on port
>> 22 on your firewall.
>>
>> Everybody coming from the outside world needs to know it is running
>> on port 8022. Everybody coming from the inside world has access as
>> normal.
>>
>> Edwin
>
> I seem to recall on one of the openbsd lists someone speaking of risks
> of running sshd or other services on high-numbered ports, presumably
> because a non-root user cannot bind ports up to 1024.

On a multi-user machine, where you want to keep students or others from
spoofing on machines on which they have logins but which you manage
(i.e., they don't have root or sudo), this makes sense--ON THE SERVER
SIDE. The connecting client's port is going to be above 1024 anyway, and
the client doesn't really care on which port the server is running.

In this day and age, when anyone, black hat or white, can stand up their
own *ix box and run whatever they want on whatever port, the notion of
only connecting to "privileged ports" as a way of protecting yourself
(e.g., from password sniffing or whatever) is rather quaint and
ineffective.

-- 
Chris BeHanna
chris@behanna.org
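The two-port arrangement Edwin describes, written out as an OpenSSH sshd_config fragment and a matching pf rule set. This is an added example, not taken from any message in the thread; the Internet-facing interface name em0 is an assumption, and the comments carry the caveat from the rest of the exchange about 8022 being an unprivileged port.

```conf
# /etc/ssh/sshd_config fragment (added example, not from the thread).
# OpenSSH accepts several Port directives and listens on all of them.
# Port 22 ends up reachable only from the inside, because the firewall
# below drops inbound 22 on the external interface; 8022 is what the
# outside world must use.
Port 22
Port 8022

# /etc/pf.conf fragment (added example; em0 as the external interface is
# an assumption).  Inbound TCP/22 from the Internet is dropped; 8022 is
# allowed.  Traffic on internal interfaces is untouched by these rules.
ext_if = "em0"
block in quick on $ext_if proto tcp to port 22
pass in on $ext_if proto tcp to port 8022 keep state

# Caveat: 8022 is above 1023, so no privilege is needed to bind it.  On a
# multi-user host the only thing keeping another local user from taking
# it is that sshd (running as root) already holds it; if sshd stops, the
# port is up for grabs until it is restarted.
```

Before relying on it, check both listeners with `sockstat -4l -p 22,8022` (the USER column should read root for both sockets and the COMMAND column sshd), and syntax-check the rule set with `pfctl -nf /etc/pf.conf` before loading it. Whether the server sits on 22 or 8022, what lets a client distinguish the real sshd from an impostor on the same port is the host-key check, not the port number, which is the point the reply above is making.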