From: "Danny Carroll"
To: "Marian Hettwer", "Jeremie Le Hen"
Cc: Peter Jeremy, ray@redshift.com, freebsd-security@freebsd.org
Date: Mon, 21 Nov 2005 15:01:45 +0100
Subject: Re: Need urgent help regarding security

> you're right with that assumption.
> And yes, given the above scenario,
> letting the sshd run on a different port would help. However, your
> scenario counts to any daemon listening on any port. What would you like
> to do? Moving httpd, smtpd and whoever to another port? :)
> I'd rather say, use any tools available within FreeBSD to make your box
> as secure as you need it to be. I'm thinking of fine things like
> kern.securelevel for instance :)

But sshd can be moved without problem. Moving httpd or worse, sendmail would break things. Also, I don't think anyone here would suggest that this is a replacement of other good security practices, such as those you mention, only something to add to if you wish.

> Being confident that the OpenSSH guys are good developers too, I'm not
> that much afraid of the hackers you mentioned above (and of course no
> script-kiddies either) :-)

Just because they are good, does not mean they don't make mistakes.

> It's definitely not my intention to troll. If somebody thinks that I do,
> I'm sorry in advance. I just have the strong feeling that moving a
> daemon to another port (where it doesn't belong) won't gain any security.

The point here is, there are no ill effects from moving it, and possibly, in some cases actually prevent a break-in. It might not be necessary for 99.99% of the time but if it saves you once, then it's paid for itself.

-D