Date: Mon, 5 Oct 2009 15:57:36 -0700 From: Chris Palmer <chris@noncombatant.org> To: freebsd-security@freebsd.org Subject: Re: openssh concerns Message-ID: <20091005225736.GA28186@noncombatant.org> In-Reply-To: <4ACA6BE8.3000402@FreeBSD.org> References: <20091003121830.GA15170@sorry.mine.nu> <4AC7B690.1060607@gmail.com> <C71A2370-DF5D-4C73-9321-7AA95B4844D5@danielbond.org> <4ACA6BE8.3000402@FreeBSD.org>
next in thread | previous in thread | raw e-mail | index | archive | help
Doug Barton writes: > > However, I'm concerned about the suggestion of using an unprivileged > > port > > Please explain your reasoning, and how it's relevant in a world where the > vast majority of Internet users have complete administrative control over > the systems they use. Shared shell servers do still exist, and on such systems, it would be unwise to allow low-privilege users to be able to listen on what the other users think the "official" SSH port is. The port ACL idea, and the port != 22 && port < 1024 idea, therefore still make sense. Of course, can we really trust that local low-privilege users can't escalate to root? Sob. As for the log spam issue, the problem is more general than just SSH -- do you have your web server listen on port 81, too? ;) There's tons of spam in there, and there's tons of real stuff in there. Web apps are real apps... what are people doing with them? The general solution is something like Marcus Ranum's "artificial ignorance". Whether it is a cheap-ass Python script like mine or a real grown-up log management system like Splunk, you want something that lets you easily see the real stuff and ignore the spam for ALL your apps, not just SSH. It doesn't take much effort to generate the cheap-ass solution (ping me privately if you want my trivial code), but the pay-off is huge. Imagine relevant cron emails! The dream is alive... -- http://www.noncombatant.org/ http://hemiolesque.blogspot.com/
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20091005225736.GA28186>