From owner-freebsd-stable@FreeBSD.ORG Tue Dec 29 19:30:13 2009
Return-Path:
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 6227810656C6; Tue, 29 Dec 2009 19:30:13 +0000 (UTC) (envelope-from freebsd-stable-local@be-well.ilk.org)
Received: from mail6.sea5.speakeasy.net (mail6.sea5.speakeasy.net [69.17.117.8]) by mx1.freebsd.org (Postfix) with ESMTP id 390CF8FC14; Tue, 29 Dec 2009 19:30:13 +0000 (UTC)
Received: (qmail 22391 invoked from network); 29 Dec 2009 19:30:12 -0000
Received: from dsl092-078-145.bos1.dsl.speakeasy.net (HELO be-well.ilk.org) ([66.92.78.145]) by mail6.sea5.speakeasy.net (qmail-ldap-1.03) with SMTP; 29 Dec 2009 19:30:12 -0000
Received: by be-well.ilk.org (Postfix, from userid 1147) id 947735086C; Tue, 29 Dec 2009 14:30:11 -0500 (EST)
From: Lowell Gilbert
To: "freebsd-stable@freebsd.org"
References: <4B20B509.4050501@yahoo.it> <600C0C33850FFE49B76BDD81AED4D25801371D8056@IMCMBX3.MITRE.ORG> <600C0C33850FFE49B76BDD81AED4D25801371D8737@IMCMBX3.MITRE.ORG> <20091229114536.GA2409@mavetju.org>
Date: Tue, 29 Dec 2009 14:30:11 -0500
In-Reply-To: <20091229114536.GA2409@mavetju.org> (Edwin Groothuis's message of "Tue, 29 Dec 2009 22:45:36 +1100")
Message-ID: <44y6klefy4.fsf@be-well.ilk.org>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/23.1 (berkeley-unix)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Subject: Re: Hacked - FreeBSD 7.1-Release
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Production branch of FreeBSD source code
X-List-Received-Date: Tue, 29 Dec 2009 19:30:13 -0000

Edwin Groothuis writes:

> On Mon, Dec 28, 2009 at 10:44:41AM -0500, Andresen, Jason R. wrote:
>> The point is, if your machine is on the internet, then bots are
>> going to try password attacks on any open port they can find. It's
>> just the sad fact of life on the current internet. Unfortunately,
>> this activity will also make it much more difficult to determine
>> when you are under attack from an actual person, which was my point
>> earlier. It's one that is not going to be easy to solve either,
>> unless you're willing to rewrite SSH to require every connection
>> attempt to pass a Turing test or something.
>
> On all systems which need to be accessible from the public Internet:
> Run sshd on port 22 and port 8022. Block incoming traffic on port
> 22 on your firewall.
>
> Everybody coming from the outside world needs to know it is running
> on port 8022. Everybody coming from the inside world has access as
> normal.

This assumes that everybody coming in from the outside is doing so from a location that can reach port 8022 on your network. Restrictive corporate, campus, and hotspot firewalls will often break this assumption. If your network is personal, and you know the other ends of the connections won't be so draconian, this isn't a problem.
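For readers who want to see what Edwin's two-port layout looks like on a FreeBSD box, the script below stages an sshd_config that listens on 22 and 8022 and a pf ruleset that drops port 22 on the outside interface while still passing it on the inside. This is an added example written for this page, not configuration posted by Edwin, Lowell or the FreeBSD project; the interface names em0/em1, the use of pf rather than ipfw, the staging directory and the extra hardening directives (disabling password authentication, which addresses the bot problem Jason raised more directly than moving the port does) are all assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: stage an sshd + pf configuration that
# listens on 22 and 8022 but only exposes 8022 to the outside.
# Assumptions: pf is the firewall, em0 is the external and em1 the internal
# interface, and files are written to a temp dir rather than /etc.
set -eu

# Write an sshd_config listening on both ports. sshd accepts multiple Port
# directives; every ListenAddress without an explicit port binds to all of them.
write_sshd_config() {
    out="$1"
    cat > "$out" <<'EOF'
# Standard port for the inside, high port for the outside.
Port 22
Port 8022
# The thread's actual problem is password guessing; refuse passwords outright.
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
EOF
}

# Write pf rules: drop 22 arriving on the external interface, pass 8022 there,
# and pass 22 only on the internal interface. $ext_if/$int_if are pf macros.
write_pf_rules() {
    out="$1"; ext_if="$2"; int_if="$3"
    cat > "$out" <<EOF
ext_if = "$ext_if"
int_if = "$int_if"
set skip on lo0
block in log quick on \$ext_if proto tcp to (\$ext_if) port 22
pass in on \$ext_if proto tcp to (\$ext_if) port 8022 flags S/SA keep state
pass in on \$int_if proto tcp to (\$int_if) port 22 flags S/SA keep state
EOF
}

# Print the ports an sshd_config will listen on, space separated, in file order.
sshd_ports() {
    awk 'tolower($1) == "port" { printf "%s%s", sep, $2; sep = " " } END { print "" }' "$1"
}

# Syntax-check both files where the tools exist (both ship with FreeBSD).
# sshd -t needs readable host keys, so it may fail as a non-root user; report
# rather than abort in that case.
check_configs() {
    if command -v sshd >/dev/null 2>&1; then
        sshd -t -f "$1" || echo "sshd -t could not validate $1 (host keys / privileges?)"
    fi
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf "$2" || echo "pfctl rejected $2"
    fi
}

main() {
    dir=$(mktemp -d)
    write_sshd_config "$dir/sshd_config"
    write_pf_rules "$dir/pf.conf" em0 em1
    echo "sshd will listen on: $(sshd_ports "$dir/sshd_config")"
    check_configs "$dir/sshd_config" "$dir/pf.conf"
    cat "$dir/pf.conf"
    rm -rf "$dir"
}

main
```

Once the staged files look right, the fragments go into /etc/ssh/sshd_config and /etc/pf.conf, followed by `pfctl -f /etc/pf.conf` and `service sshd restart`. Note that none of this helps a user behind the restrictive firewalls Lowell mentions: a client network that only permits outbound 22 and 443 still cannot reach 8022, so the alternate port is a convenience for trusted clients, not a substitute for key-only authentication.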