From: ray@redshift.com
To: Marian Hettwer
Cc: Timothy Smith, freebsd-security@freebsd.org
Date: Mon, 21 Nov 2005 04:30:04 -0800
Subject: Re: Need urgent help regarding security

At 09:33 AM 11/21/2005 +0100, Marian Hettwer wrote:
| Hi there,
|
| ray@redshift.com wrote:
| >
| > Also, if you have access to the router, it's handy to re-write traffic from a
| > higher public port down to port 22 on the server, since that will trip up anyone
| > doing scans looking for a connect on port 22 across a large number of IPs.
| >
| No. That's security by obscurity and doesn't make your system even a wee
| bit more secure.
| Disable root login via ssh (like already mentioned), enforce public-key
| authentication and maybe even go with OPIE.
|
| > Anyway, just a couple of ideas I thought might be helpful while on the subject
| > of SSH hardening :-)
| >
| all of them were about hardening, except the security by obscurity
| "put-the-sshd-on-another-port" advice ;)
| don't do that.
|
| Regards,
| Marian

Okay, I'll give you that. However, if someone was only scanning port 22, then it
would help keep you out of the scan :)

Ray
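As an added example, not part of the thread and not FreeBSD's or OpenSSH's own tooling, the POSIX sh script below audits an sshd_config for the settings Marian's reply asks for (no root login over ssh, public-key authentication instead of passwords) and reports the listening port separately, since moving the port changes what a scan sees but not what the daemon accepts. The helper names are hypothetical, both sample configs are constructed, and the defaults it assumes for unset keywords are those of OpenSSH 4.x of that period; check them against the sshd_config(5) of the version you run.

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config for the settings
# the reply above recommends (no root login, public keys instead of passwords).
# Helper names are hypothetical; both sample configs below are constructed.

# sshd_opt FILE KEYWORD DEFAULT
# Prints the effective value of KEYWORD. sshd takes the first uncommented
# occurrence and ignores case in keywords, so this does the same. Everything
# after a "Match" line is conditional and is deliberately not considered.
sshd_opt() {
    awk -v key="$2" -v def="$3" '
        /^[[:space:]]*#/ || NF < 2  { next }
        tolower($1) == "match"      { exit }
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# audit_sshd_config FILE
# Prints one "WEAK:" line per setting that differs from the hardened value.
# Defaults (third field) assumed for OpenSSH 4.x; confirm with sshd_config(5).
# ChallengeResponseAuthentication is left alone on purpose: OPIE via PAM needs it.
audit_sshd_config() {
    printf '%s\n' \
        'PermitRootLogin no yes' \
        'PasswordAuthentication no yes' \
        'PubkeyAuthentication yes yes' |
    while read -r key want def; do
        have=$(sshd_opt "$1" "$key" "$def")
        [ "$have" = "$want" ] ||
            printf 'WEAK: %s is %s (want %s)\n' "$key" "$have" "$want"
    done
}

# Two constructed configs: a stock-looking one and a hardened one.
weak_cfg=$(mktemp); hardened_cfg=$(mktemp)
trap 'rm -f "$weak_cfg" "$hardened_cfg"' EXIT

cat > "$weak_cfg" <<'EOF'
# constructed sample: looks edited, but the line that matters is still a comment
Port 22
#PermitRootLogin no
PasswordAuthentication yes
EOF

cat > "$hardened_cfg" <<'EOF'
# constructed sample: what the reply above asks for
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
EOF

echo "== stock-looking config (listening on $(sshd_opt "$weak_cfg" Port 22)/tcp)"
audit_sshd_config "$weak_cfg"
echo "== hardened config (listening on $(sshd_opt "$hardened_cfg" Port 22)/tcp)"
audit_sshd_config "$hardened_cfg"
```

Run against a real file with `audit_sshd_config /etc/ssh/sshd_config`. The commented-out `#PermitRootLogin no` in the first sample is the case worth noticing: the file looks hardened to a quick `grep`, but sshd ignores the comment and falls back to its default, which the audit reports as WEAK.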