Date: Mon, 21 Nov 2005 14:14:04 +0100
From: Marian Hettwer <MH@kernel32.de>
To: Jeremie Le Hen <jeremie@le-hen.org>
Cc: Peter Jeremy <PeterJeremy@optushome.com.au>, ray@redshift.com, freebsd-security@freebsd.org
Subject: Re: Need urgent help regarding security
Message-ID: <4381C81C.4080907@kernel32.de>
In-Reply-To: <20051121122621.GA5197@obiwan.tataz.chchile.org>
References: <3.0.1.32.20051117232057.00a96750@pop.redshift.com> <43818643.5000206@kernel32.de> <20051121085221.GA4267@cirb503493.alcatel.com.au> <43819049.5090107@kernel32.de> <20051121122621.GA5197@obiwan.tataz.chchile.org>

Hi Jeremie,

Jeremie Le Hen wrote:
> Hi, Marian,
>
> Security is not absolute, as you surely know considering the fact you
> seem to be quite sensitive to it. I guess that most of running sshd(8)
> are bound to port tcp/22. If a group of hackers find a hole in
> OpenSSH's sshd(8) implementation in a very early stage of the
> connection (IOW before authentication) but do not disclose it - and
> only God knows how many undisclosed holes there are - then one can
> figure they want to avail themselves of this hole by working in
> collaboration with spammers or whatever. The best way they can work
> for this purpose is creating a massive exploitation tool in order to
> install as much spam agents as they can, before the hole is disclosed.
> Not having your sshd(8) bound to port 22 would save you from being
> exploited in this case.
>
You're right with that assumption. And yes, given the above scenario,
letting the sshd run on a different port would help.
However, your scenario counts to any daemon listening on any port.
What would you like to do? Moving httpd, smtpd and whoever to another
port? :)
I'd rather say, use any tools available within FreeBSD to make your box
as secure as you need it to be. I'm thinking of fine things like
kern.securelevel for instance :)

> Of course, if this particular group of hackers wants to defeat _your_
> network, this measure won't prevent them from exploiting your sshd(8).
>
Right.

> There is no need to involve kiddies, given that the tools they are
> using would surely appear far after the correction of the hole in the
> next OpenSSH release and all serious network administrators would have
> upgraded their boxes.
>
Being confident that the OpenSSH guys are good developers too, I'm not
that much afraid of the hackers you mentioned above (and of course no
script-kiddies either) :-)

> Please, don't turn this thread into a troll.
>
It's definitely not my intention to troll. If somebody thinks that I do,
I'm sorry in advance.
I just have the strong feeling that moving a daemon to another port
(where it doesn't belong) won't gain any security.

best regards,
Marian