From: Marian Hettwer <MH@kernel32.de>
Date: Mon, 21 Nov 2005 14:14:04 +0100
To: Jeremie Le Hen
Cc: Peter Jeremy, ray@redshift.com, freebsd-security@freebsd.org
Subject: Re: Need urgent help regarding security
Message-ID: <4381C81C.4080907@kernel32.de>
In-Reply-To: <20051121122621.GA5197@obiwan.tataz.chchile.org>
References: <3.0.1.32.20051117232057.00a96750@pop.redshift.com> <43818643.5000206@kernel32.de> <20051121085221.GA4267@cirb503493.alcatel.com.au> <43819049.5090107@kernel32.de> <20051121122621.GA5197@obiwan.tataz.chchile.org>
List-Id: Security issues [members-only posting] (freebsd-security@freebsd.org)
Hi Jeremie,

Jeremie Le Hen wrote:
> Hi, Marian,
>
> Security is not absolute, as you surely know considering the fact you
> seem to be quite sensitive to it. I guess that most running sshd(8)
> are bound to port tcp/22. If a group of hackers find a hole in
> OpenSSH's sshd(8) implementation in a very early stage of the
> connection (IOW before authentication) but do not disclose it - and
> only God knows how many undisclosed holes there are - then one can
> figure they want to avail themselves of this hole by working in
> collaboration with spammers or whatever. The best way they can work
> for this purpose is creating a massive exploitation tool in order to
> install as many spam agents as they can, before the hole is disclosed.
> Not having your sshd(8) bound to port 22 would save you from being
> exploited in this case.
>

You're right with that assumption. And yes, given the above scenario, letting the sshd run on a different port would help.

However, your scenario applies to any daemon listening on any port. What would you like to do? Moving httpd, smtpd and whoever to another port? :)

I'd rather say, use any tools available within FreeBSD to make your box as secure as you need it to be. I'm thinking of fine things like kern.securelevel for instance :)

> Of course, if this particular group of hackers wants to defeat _your_
> network, this measure won't prevent them from exploiting your sshd(8).
>

Right.

> There is no need to involve kiddies, given that the tools they are
> using would surely appear far after the correction of the hole in the
> next OpenSSH release and all serious network administrators would have
> upgraded their boxes.
>

Being confident that the OpenSSH guys are good developers too, I'm not that much afraid of the hackers you mentioned above (and of course not of script-kiddies either) :-)

> Please, don't turn this thread into a troll.
>

It's definitely not my intention to troll. If somebody thinks that I do, I'm sorry in advance. I just have the strong feeling that moving a daemon to another port (where it doesn't belong) won't gain any security.

Best regards,
Marian