From owner-freebsd-security@FreeBSD.ORG Mon Oct 5 22:57:43 2009
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 806CB106568B for ; Mon, 5 Oct 2009 22:57:43 +0000 (UTC) (envelope-from chris@noncombatant.org)
Received: from strawberry.noncombatant.org (strawberry.noncombatant.org [64.142.6.126]) by mx1.freebsd.org (Postfix) with ESMTP id 620438FC1D for ; Mon, 5 Oct 2009 22:57:43 +0000 (UTC)
Received: by strawberry.noncombatant.org (Postfix, from userid 1001) id 22B74775033; Mon, 5 Oct 2009 15:57:37 -0700 (PDT)
Date: Mon, 5 Oct 2009 15:57:36 -0700
From: Chris Palmer
To: freebsd-security@freebsd.org
Message-ID: <20091005225736.GA28186@noncombatant.org>
References: <20091003121830.GA15170@sorry.mine.nu> <4AC7B690.1060607@gmail.com> <4ACA6BE8.3000402@FreeBSD.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <4ACA6BE8.3000402@FreeBSD.org>
User-Agent: Mutt/1.4.2.3i
Subject: Re: openssh concerns
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 05 Oct 2009 22:57:43 -0000

Doug Barton writes:

> > However, I'm concerned about the suggestion of using an unprivileged
> > port
>
> Please explain your reasoning, and how it's relevant in a world where the
> vast majority of Internet users have complete administrative control over
> the systems they use.

Shared shell servers do still exist, and on such systems, it would be unwise to allow low-privilege users to be able to listen on what the other users think the "official" SSH port is. The port ACL idea, and the port != 22 && port < 1024 idea, therefore still make sense.

Of course, can we really trust that local low-privilege users can't escalate to root? Sob.
As for the log spam issue, the problem is more general than just SSH -- do you have your web server listen on port 81, too? ;) There's tons of spam in there, and there's tons of real stuff in there. Web apps are real apps... what are people doing with them?

The general solution is something like Marcus Ranum's "artificial ignorance". Whether it is a cheap-ass Python script like mine or a real grown-up log management system like Splunk, you want something that lets you easily see the real stuff and ignore the spam for ALL your apps, not just SSH. It doesn't take much effort to generate the cheap-ass solution (ping me privately if you want my trivial code), but the pay-off is huge. Imagine relevant cron emails! The dream is alive...

--
http://www.noncombatant.org/
http://hemiolesque.blogspot.com/
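The "artificial ignorance" approach the post refers to, as an added illustration that is not the poster's own script: a site-specific list of "known boring" regexes is applied to syslog lines, and only what no rule matches is reported, grouped by its normalized shape so a new kind of noise stands out by count. The log lines, host name and ignore patterns below are constructed for this example.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not from the original email).
SAMPLE_LOG = """\
Oct  5 15:01:12 shell1 sshd[2231]: Invalid user admin from 192.0.2.10
Oct  5 15:01:13 shell1 sshd[2231]: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2
Oct  5 15:02:40 shell1 sshd[2240]: Accepted publickey for chris from 198.51.100.7 port 40022 ssh2
Oct  5 15:03:01 shell1 cron[2250]: (root) CMD (/usr/libexec/atrun)
Oct  5 15:04:09 shell1 httpd[2260]: 203.0.113.5 - - "GET /index.html HTTP/1.1" 200 512
Oct  5 15:04:10 shell1 httpd[2260]: 203.0.113.5 - - "GET /cgi-bin/report HTTP/1.1" 500 0
Oct  5 15:05:00 shell1 sshd[2270]: Accepted password for root from 192.0.2.99 port 4422 ssh2
"""

# Assumed "known boring" rules; in practice these grow over time as you
# decide which recurring events on this host carry no information.
IGNORE_PATTERNS = [
    r"sshd\[\d+\]: Invalid user \S+ from \S+$",
    r"sshd\[\d+\]: Failed password for invalid user \S+ from \S+ port \d+ ssh2$",
    r"sshd\[\d+\]: Accepted publickey for \S+ from \S+ port \d+ ssh2$",
    r"cron\[\d+\]: \(\w+\) CMD \(",
    r'httpd\[\d+\]: \S+ - - "GET \S+ HTTP/1\.[01]" 200 \d+$',
]
_IGNORE = [re.compile(p) for p in IGNORE_PATTERNS]
# Classic syslog prefix: "Mon DD HH:MM:SS host "
_SYSLOG_PREFIX = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ ")


def normalize(line):
    """Drop timestamp/host and mask every number so one event type maps to one key."""
    return re.sub(r"\d+", "#", _SYSLOG_PREFIX.sub("", line))


def artificial_ignorance(log_text):
    """Return (unmatched_lines, shape_counts): lines no ignore rule matched,
    plus a Counter of how often each unknown normalized shape appeared."""
    interesting, shapes = [], Counter()
    for line in log_text.splitlines():
        body = _SYSLOG_PREFIX.sub("", line)
        if any(p.search(body) for p in _IGNORE):
            continue  # known noise: ignore
        interesting.append(line)
        shapes[normalize(line)] += 1
    return interesting, shapes


if __name__ == "__main__":
    lines, shapes = artificial_ignorance(SAMPLE_LOG)
    for l in lines:
        print(l)
    print("unknown shapes:", shapes.most_common())
```

Piping the daily log through this from cron yields a mail that is empty on a quiet day, which is the point: anything that arrives is worth reading.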