From: Jeremy Chadwick
To: freebsd-stable@freebsd.org
Date: Tue, 29 Dec 2009 11:57:32 -0800
Subject: Re: Hacked - FreeBSD 7.1-Release
Message-ID: <20091229195732.GA45636@icarus.home.lan>
In-Reply-To: <44y6klefy4.fsf@be-well.ilk.org>

On Tue, Dec 29, 2009 at 02:30:11PM -0500, Lowell Gilbert wrote:
> > On Mon, Dec 28, 2009 at 10:44:41AM -0500, Andresen, Jason R. wrote:
> >> The point is, if your machine is on the internet, then bots are
> >> going to try password attacks on any open port they can find. It's
> >> just the sad fact of life on the current internet. Unfortunately,
> >> this activity will also make it much more difficult to determine
> >> when you are under attack from an actual person, which was my point
> >> earlier. It's one that is not going to be easy to solve either,
> >> unless you're willing to rewrite SSH to require every connection
> >> attempt to pass a Turing test or something.
> >
> > On all systems which need to be accessible from the public Internet:
> > Run sshd on port 22 and port 8022. Block incoming traffic on port
> > 22 on your firewall.
> >
> > Everybody coming from the outside world needs to know it is running
> > on port 8022. Everybody coming from the inside world has access as
> > normal.
>
> This assumes that everybody coming in from the outside is doing so from
> a location that can reach port 8022 on your network. Restrictive
> corporate, campus, and hotspot firewalls will often break this
> assumption. If your network is personal, and you know the other ends
> of the connections won't be so draconian, this isn't a problem.

And let's not forget the fact that the people doing the brute-force
attacks already have access to multiple compromised machines (sometimes
in the tens or hundreds of thousands), which means they'll eventually
change their methods to include portscanning of the remote system rather
than just blindly assuming TCP port 22. When you have access to so many
systems, completing a full scan (65535 ports) would take a lot less time
than, say, if run from a single system.

Given that OpenSSH happily spits back an identity string -- including
version -- to anyone who establishes a TCP connection to it, detecting
if SSH is associated with said port isn't that hard. I don't know if
this method is officially part of the SSH protocol or not (I'm not
familiar with the protocol).

Example FreeBSD box:

  Connected to localhost.
  Escape character is '^]'.
  SSH-2.0-OpenSSH_5.2p1 FreeBSD-20090522

The "FreeBSD-XXXXXXXX" string is supposed to come from VersionAddendum
in /etc/ssh/sshd_config, except it appears the base system's OpenSSH
defines this as the VersionAddendum default. The rest of the string,
AFAIK, isn't modifiable outside of editing the source.

The justification for the FreeBSD-XXXXXXXX hard-coded default is in
src/crypto/openssh/FREEBSD-upgrade. I don't agree with the logic (basic
security starts with "give the remote attacker *as little* information
about your system as possible"), but I'm not going to argue:

  0) VersionAddendum

  The SSH protocol allows for a human-readable version string of up to
  40 characters to be appended to the protocol version string. FreeBSD
  takes advantage of this to include a date indicating the "patch
  level", so people can easily determine whether their system is
  vulnerable when an OpenSSH advisory goes out. Some people, however,
  dislike advertising their patch level in the protocol handshake, so
  we've added a VersionAddendum configuration variable to allow them to
  change or disable it.

So ultimately changing the port number from 22 to something else is just
a temporary measure that does little other than annoy legitimate people
connecting to your system. Don't have anyone else connecting to it?
Then why not just use port 22 and deny 0.0.0.0/0 + allow netblocks you
come in from? I guess some people travel a lot and use a multitude of
ISPs, but surely it wouldn't take that long to build an appropriate
allow/permit list.

Ah well. Each to his/her own when it comes to solving this problem.
Everyone likes something different/has a different method/etc. based on
their needs/styles. :-)

-- 
| Jeremy Chadwick                                   jdc@parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
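The banner-grab Jeremy describes above, as an added example that is not part of the original mail or of FreeBSD's sshd. The identification line sshd sends on connect is defined by RFC 4253 section 4.2 as "SSH-protoversion-softwareversion SP comments CR LF" (at most 255 bytes, and the server may send unrelated lines before it that do not start with "SSH-"); FreeBSD's VersionAddendum ends up in the comments field. The sample banners below are constructed for offline use, and the host/port/timeout names are this example's own, not settings from the thread. The code reads whatever the server volunteers before the client sends a byte, parses the identification line, and pulls the YYYYMMDD patch level out of a FreeBSD-style addendum; run against a live host it does exactly what the mail says a scanner would do, namely recognise sshd on any port.

```python
"""Added example: identify sshd by its RFC 4253 identification string.

Not code from the original mail or from FreeBSD. Names, sample banners
and the host/port used in __main__ are this example's own assumptions.
"""
import re
import socket
from datetime import date

# Constructed sample banners (not captured from a real host).
SAMPLE_BANNERS = {
    "freebsd": b"SSH-2.0-OpenSSH_5.2p1 FreeBSD-20090522\r\n",
    "no_addendum": b"SSH-2.0-OpenSSH_5.2p1\r\n",
    # RFC 4253 lets the server send other lines before the SSH- line.
    "with_preamble": b"Welcome to some host\r\nSSH-1.99-OpenSSH_5.2p1 FreeBSD-20090522\r\n",
    "http": b"HTTP/1.1 400 Bad Request\r\n\r\n",
}

# SSH-protoversion-softwareversion [SP comments]
_IDENT_RE = re.compile(rb"^SSH-(\d+\.\d+)-([^ \r\n]+)(?: ([^\r\n]*))?$")
# FreeBSD's VersionAddendum: "FreeBSD-YYYYMMDD"
_FREEBSD_ADDENDUM_RE = re.compile(r"^FreeBSD-(\d{4})(\d{2})(\d{2})$")

def parse_ssh_identification(data):
    """Return (protoversion, softwareversion, comments) for the first SSH
    identification line in `data`, or None if there is none."""
    for raw in data.split(b"\n"):
        line = raw.rstrip(b"\r")
        if not line.startswith(b"SSH-"):
            continue  # pre-identification text, permitted by RFC 4253
        if len(raw) + 1 > 255:  # RFC 4253 limit, CR LF included
            return None
        m = _IDENT_RE.match(line)
        if m is None:
            return None
        proto, software, comments = m.groups()
        return (proto.decode("ascii", "replace"),
                software.decode("ascii", "replace"),
                comments.decode("ascii", "replace") if comments is not None else "")
    return None

def freebsd_patch_level(comments):
    """Date encoded in a FreeBSD VersionAddendum ("FreeBSD-20090522" ->
    date(2009, 5, 22)), or None if the comments are not in that form."""
    m = _FREEBSD_ADDENDUM_RE.match(comments)
    if m is None:
        return None
    y, mo, d = (int(g) for g in m.groups())
    try:
        return date(y, mo, d)
    except ValueError:  # e.g. month 13: not a real patch-level date
        return None

def classify_banner(data):
    """Summarise what a connect-and-read told us about one port."""
    ident = parse_ssh_identification(data)
    if ident is None:
        return {"ssh": False}
    proto, software, comments = ident
    return {"ssh": True, "protoversion": proto, "software": software,
            "comments": comments,
            "freebsd_patch_level": freebsd_patch_level(comments)}

def grab_banner(host, port, timeout=3.0, max_bytes=1024):
    """Connect and read whatever the server sends unprompted. sshd sends
    its identification string immediately, so no client data is needed."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            chunks, total = [], 0
            while total < max_bytes:
                chunk = s.recv(max_bytes - total)
                if not chunk:
                    break
                chunks.append(chunk)
                total += len(chunk)
                if b"\n" in chunk:
                    break
            return b"".join(chunks)
    except OSError:  # refused, filtered, or nothing sent before timeout
        return b""

def find_ssh_ports(host, ports, timeout=1.0):
    """Probe each port in `ports`; return {port: classification} for those
    that answered with an SSH identification line."""
    found = {}
    for port in ports:
        result = classify_banner(grab_banner(host, port, timeout))
        if result["ssh"]:
            found[port] = result
    return found

if __name__ == "__main__":
    for name, banner in SAMPLE_BANNERS.items():
        print(name, classify_banner(banner))
    # Live use (needs network), e.g. the two ports from the thread:
    # print(find_ssh_ports("localhost", [22, 8022]))
```

Note that the port probe is the part that scales with a botnet: the parse step is constant per port, and nothing about moving sshd off 22 changes what it sends back.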