From: "Ted Mittelstaedt" <tedm@toybox.placo.com>
To: "Robert C Wittig"
Date: Mon, 12 Feb 2007 22:04:43 -0800
Subject: Re: Opening and Closing ports
Message-ID: <000401c74f34$dbbd52e0$3c01a8c0@coolf89ea26645>
References: <45CEC7A4.7030802@ephgroup.com> <45D0E1E9.1090301@sbcglobal.net>
List-Id: User questions <freebsd-questions@freebsd.org>

----- Original Message -----
From: "Robert C Wittig"
Sent: Monday, February 12, 2007 1:53 PM
Subject: Re: Opening and Closing ports

> Dave Carrera wrote:
> > Hi All,
> >
> > Had a little nasty person trying to break my sshd on port 22.
> >
> > I need to change and open a new port for sshd but I do not know how.
> > Can one of you kind people help me with this, please.
> >
> > Many kind regards
>
> Instead of changing the sshd port, I set a PF rule that only permits
> port 22 logins from a specific list of IP addresses, where I expect ssh
> logins from.
>
> This would definitely not work on a production machine, with a lot of
> people logging in from random IPs,

Au contraire! We are finding with production systems that the cracking attacks are getting so bad that we are starting to recommend to corporate customers that they do exactly that!

These days, when we set up a new corporate network, there's only ONE port on the firewall that is open to the outside: the VPN port, whatever that may be (usually IPsec VPNs, but MS PPTP is also still quite popular). Everything else is restricted to a specified source IP number. Any road warriors out there either have to VPN in and then go to where they want, or they have to be coming from a static IP number.

Their websites are never hosted on inside servers. Either they are hosted at our NOC or they are on a DMZ network that is outside their LAN, and the website carries nothing of value on it, because the expectation is that ultimately it will be broken into and destroyed by a cracker.

Ted
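A PF ruleset that puts both replies into practice, added here as an example and not taken from the thread or from either poster: sshd stays on port 22 but only answers a short table of administrative source addresses (Robert's approach), while the only service the outside can reach without restriction is the VPN, IPsec with PPTP kept for compatibility (Ted's approach). The interface names `em0`/`em1`, the LAN prefix and every address in the `<ssh_admins>` table are constructed placeholders, and the ruleset assumes a FreeBSD host acting as the border firewall.

```pf
# /etc/pf.conf (added example, not from the mailing-list thread)
# Assumed interfaces and addresses; replace with your own.
ext_if  = "em0"            # Internet-facing interface
int_if  = "em1"            # LAN interface
lan_net = "192.168.1.0/24" # internal network (constructed placeholder)

# Sources allowed to reach sshd directly. Everyone else must come in over
# the VPN first. Addresses are documentation-range placeholders.
table <ssh_admins> persist { 203.0.113.10, 198.51.100.0/28 }

set skip on lo0
scrub in all

# Default deny for inbound traffic; log it so probes against port 22 (or
# anything else) show up on pflog0 instead of disappearing silently.
block in log all
pass out quick keep state

# LAN hosts may initiate whatever they need; reply traffic is tracked by state.
pass in on $int_if from $lan_net to any keep state

# The ONE externally exposed service: the VPN.
# IPsec: IKE, IKE over NAT-T, and ESP itself. (Traffic decrypted by the
# IPsec stack needs its own pass rule on the enc interface if enc0 is in use.)
pass in on $ext_if proto udp from any to ($ext_if) port { 500, 4500 }
pass in on $ext_if proto esp from any to ($ext_if)
# MS PPTP, only while it is still required: control channel plus GRE.
pass in on $ext_if proto tcp from any to ($ext_if) port 1723 flags S/SA keep state
pass in on $ext_if proto gre from any to ($ext_if)

# sshd keeps listening on 22, but the firewall only lets the listed
# sources reach it. Any other host hitting port 22 falls through to the
# logging block rule above, which is where the brute-force attempts end up.
pass in on $ext_if proto tcp from <ssh_admins> to ($ext_if) port 22 \
    flags S/SA keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, and watch `tcpdump -n -e -ttt -i pflog0` afterwards: the same scanner that was hammering sshd now appears only as logged drops on the block rule. Because the restriction is done in the packet filter rather than by moving sshd to another port, a port scan no longer finds the service at all from an unlisted address, and the table can be edited at runtime with `pfctl -t ssh_admins -T add` / `-T delete` without reloading the whole ruleset.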