From owner-freebsd-security@FreeBSD.ORG Mon Nov 21 12:26:55 2005
X-Original-To: freebsd-security@freebsd.org
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6AF2416A41F for ; Mon, 21 Nov 2005 12:26:55 +0000 (GMT) (envelope-from tataz@tataz.chchile.org)
Received: from smtp2-g19.free.fr (smtp2-g19.free.fr [212.27.42.28]) by mx1.FreeBSD.org (Postfix) with ESMTP id D7FED43D46 for ; Mon, 21 Nov 2005 12:26:54 +0000 (GMT) (envelope-from tataz@tataz.chchile.org)
Received: from tatooine.tataz.chchile.org (vol75-8-82-233-239-98.fbx.proxad.net [82.233.239.98]) by smtp2-g19.free.fr (Postfix) with ESMTP id 6F9BF52362; Mon, 21 Nov 2005 13:26:53 +0100 (CET)
Received: by tatooine.tataz.chchile.org (Postfix, from userid 1000) id 6E08F405A; Mon, 21 Nov 2005 13:26:21 +0100 (CET)
Date: Mon, 21 Nov 2005 13:26:21 +0100
From: Jeremie Le Hen
To: Marian Hettwer
Cc: Peter Jeremy, ray@redshift.com, freebsd-security@freebsd.org
Subject: Re: Need urgent help regarding security
Message-ID: <20051121122621.GA5197@obiwan.tataz.chchile.org>
References: <3.0.1.32.20051117232057.00a96750@pop.redshift.com> <43818643.5000206@kernel32.de> <20051121085221.GA4267@cirb503493.alcatel.com.au> <43819049.5090107@kernel32.de>
In-Reply-To: <43819049.5090107@kernel32.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.5.11
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues [members-only posting]"
X-List-Received-Date: Mon, 21 Nov 2005 12:26:55 -0000

Hi, Marian,

> Where is the protection, or rather the danger in being "visible" to
> script kiddies? There's no security issue valid for script kiddies which
> wouldn't be valid for any other attacker too.
> The main question is: Where is the danger in script kiddies with their
> brute force attacks?
> I guess it's mainly the annoying fact that your logfile gets
> unreadable. If that's the problem: use logsurfer or something similar to
> analyze the logfile.
> You just don't get more secure by moving the sshd to a different port
> than port 22.

Security is not absolute, as you surely know considering the fact you seem to be quite sensitive to it.

I guess that most of the running sshd(8) instances are bound to port tcp/22. If a group of hackers find a hole in OpenSSH's sshd(8) implementation in a very early stage of the connection (IOW before authentication) but do not disclose it - and only God knows how many undisclosed holes there are - then one can figure they want to avail themselves of this hole by working in collaboration with spammers or whatever. The best way they can work for this purpose is creating a massive exploitation tool in order to install as many spam agents as they can, before the hole is disclosed. Not having your sshd(8) bound to port 22 would save you from being exploited in this case.

Of course, if this particular group of hackers wants to defeat _your_ network, this measure won't prevent them from exploiting your sshd(8).

There is no need to involve kiddies, given that the tools they are using would surely appear long after the correction of the hole in the next OpenSSH release, and all serious network administrators would have upgraded their boxes.

Please, don't turn this thread into a troll.

Best regards,
-- 
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >
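The two defensive points raised in this exchange are that brute-force noise should be handled by analysing the log rather than ignored, and that which port sshd(8) listens on is a deliberate configuration choice. The following is an added example, not code from this thread or from OpenSSH: it parses OpenSSH-style "Failed password"/"Accepted" lines from a constructed auth.log sample, flags sources that look like brute-force scanners (a hypothetical threshold and a more-than-one-username heuristic), filters those sources out so the remaining log is readable, and reports which Port directives an sshd_config text would make sshd bind to. Log lines, hostnames, addresses and the threshold are all constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample in the syslog format OpenSSH uses for auth.log.
# 203.0.113.5 plays a password-guessing scanner; 198.51.100.7 is an admin
# who mistyped a password once. Both addresses are documentation ranges.
SAMPLE_LOG = """\
Nov 21 12:26:55 obiwan sshd[5197]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Nov 21 12:26:57 obiwan sshd[5198]: Failed password for invalid user test from 203.0.113.5 port 51240 ssh2
Nov 21 12:26:59 obiwan sshd[5199]: Failed password for root from 203.0.113.5 port 51244 ssh2
Nov 21 12:27:02 obiwan sshd[5200]: Failed password for root from 203.0.113.5 port 51250 ssh2
Nov 21 12:27:10 obiwan sshd[5201]: Accepted publickey for jeremie from 198.51.100.7 port 40000 ssh2
Nov 21 12:27:30 obiwan sshd[5202]: Failed password for jeremie from 198.51.100.7 port 40010 ssh2
Nov 21 12:27:35 obiwan sshd[5203]: Accepted password for jeremie from 198.51.100.7 port 40011 ssh2
"""

# "Failed password for root from ..." and "Failed password for invalid user admin from ..."
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed \w+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)
# "Accepted publickey for jeremie from ..."
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_sshd_log(lines: Iterable[str]) -> Tuple[Counter, Dict[str, Set[str]], List[Tuple[str, str, str]]]:
    """Count failures per source, remember which usernames each source tried,
    and collect successful logins as (source, user, method)."""
    failures: Counter = Counter()
    users_tried: Dict[str, Set[str]] = defaultdict(set)
    accepted: List[Tuple[str, str, str]] = []
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            failures[m["src"]] += 1
            users_tried[m["src"]].add(m["user"])
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted.append((m["src"], m["user"], m["method"]))
    return failures, users_tried, accepted


def brute_force_sources(failures: Counter, users_tried: Dict[str, Set[str]], threshold: int = 3) -> List[str]:
    """Hypothetical heuristic: a source is a scanner if it failed at least
    `threshold` times or tried more than one username."""
    return sorted(src for src, n in failures.items() if n >= threshold or len(users_tried[src]) > 1)


def summarize(log_text: str, threshold: int = 3) -> dict:
    """Produce the report a log watcher would raise: noisy sources, and any
    successful login coming from a source that was also guessing passwords."""
    failures, users_tried, accepted = parse_sshd_log(log_text.splitlines())
    noisy = brute_force_sources(failures, users_tried, threshold)
    return {
        "failures_by_source": dict(failures),
        "brute_force_sources": noisy,
        "accepted": accepted,
        "accepted_from_noisy_source": [a for a in accepted if a[0] in noisy],
    }


def readable_lines(log_text: str, noisy_sources: Iterable[str]) -> List[str]:
    """Drop every line mentioning a flagged source so the rest of the log
    (the part that concerns your own users) can actually be read."""
    noisy = set(noisy_sources)
    return [line for line in log_text.splitlines() if not any(f"from {src} " in line for src in noisy)]


def sshd_listen_ports(config_text: str) -> List[int]:
    """Ports an sshd_config text makes sshd listen on. Multiple Port
    directives are allowed and all apply; with none, sshd defaults to 22.
    Directive names are matched case-insensitively, as sshd does."""
    ports: List[int] = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ").split()
        if len(parts) >= 2 and parts[0].lower() == "port":
            ports.append(int(parts[1]))
    return sorted(ports) if ports else [22]


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print("brute-force sources:", report["brute_force_sources"])
    print("logins from noisy sources:", report["accepted_from_noisy_source"])
    for line in readable_lines(SAMPLE_LOG, report["brute_force_sources"]):
        print(line)
    print("listening on:", sshd_listen_ports("# Port 22\nPort 2222\n"))
```

On the sample, only 203.0.113.5 is flagged (four failures across three usernames); the admin's single typo from 198.51.100.7 is kept in the readable log, and the `accepted_from_noisy_source` list is the one item worth paging someone about, since a successful login from a source that was just guessing passwords is the case neither a port change nor log filtering should hide.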