Date:      Fri, 02 Oct 2009 08:28:11 -0700
From:      johnea <me@johnea.net>
To:        freebsd-security@freebsd.org
Subject:   Re: openssh concerns
Message-ID:  <4AC61C0B.3050704@johnea.net>
In-Reply-To: <19141.20047.694147.865710@hergotha.csail.mit.edu>
References:  <4AC545C3.9020608@johnea.net> <19141.20047.694147.865710@hergotha.csail.mit.edu>

Garrett Wollman wrote:
> <<On Thu, 01 Oct 2009 17:13:55 -0700, johnea <me@johnea.net> said:
> 
>> The thing that concerned me is an entry I saw in netstat showing
>> my system connecting back to a machine that was attempting to log
>> in to ssh.
> 
>> Does the ssh server establish a socket to a client attempting login?
> 
> The SSH protocol does not, but you appear to be using "TCP wrappers"
> (/etc/hosts.allow) configured in such a way that it makes an IDENT
> protocol request back to the originating server.  This is rarely
> likely to do anything useful and should probably be disabled.
> 
>> tcp4       0      0 atom.60448             host154.advance.com.ar.auth  TIME_WAIT
> 
> "auth" is the port number used by the IDENT protocol.
> 
> -GAWollman

Thank you to everyone who responded!

In fact I did discover these lines in hosts.allow:

# Protect against simple DNS spoofing attacks by checking that the
# forward and reverse records for the remote host match. If a mismatch
# occurs, access is denied, and any positive ident response within
# 20 seconds is logged. No protection is afforded against DNS poisoning,
# IP spoofing or more complicated attacks. Hosts with no reverse DNS
# pass this rule.
ALL : PARANOID : RFC931 20 : deny

This is what was generating the auth protocol socket.

I've disabled it to prevent the establishment of the auth socket to hosts
that are attempting to break in.

Per another suggestion I also intend to change the port for ssh to a
non-standard number (after synchronizing with the users of course 8-)

Maybe I'm a little paranoid, but after watching the level of spam ever
increasing over the last 5 years, and more and more people moving to
big (monopolistic?) service providers like google and hotmail, I've
wondered if these big corporate service providers don't tolerate the
spam level in order to prevent anyone who doesn't have a building full
of IT staff from running their own mail servers.

Perhaps with the help of people like those on this list, the internet
won't have to be abandoned by independents?

Thanks again to everyone!

johnea
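An added example, not part of the thread, of checking netstat output for the outbound ident (auth, TCP/113) connections that the RFC931 option in hosts.allow produces. It assumes FreeBSD-style `netstat -f inet` columns and runs over a constructed sample; the host names come from the post above and 192.0.2.10 is a documentation placeholder address.

```python
# Added example (not from the thread): flag netstat entries where this host
# has opened a connection to a remote "auth" (IDENT, TCP/113) port, which is
# the symptom johnea saw. Assumes BSD netstat column layout:
#   Proto Recv-Q Send-Q Local-Address Foreign-Address (state)

IDENT_PORTS = {"auth", "ident", "113"}


def split_endpoint(ep):
    """Split a BSD-style 'host.port' endpoint into (host, port).
    The port is the last dotted field, so dotted host names and
    IPv4 addresses are handled correctly."""
    host, _, port = ep.rpartition(".")
    return host, port


def find_ident_callbacks(lines):
    """Return (local, foreign, state) for every TCP entry whose foreign
    port is the IDENT port, i.e. an outbound ident lookup from this host."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith("tcp"):
            continue  # header lines, UDP sockets, or unexpected layout
        local, foreign = fields[3], fields[4]
        state = fields[5] if len(fields) > 5 else ""
        _, fport = split_endpoint(foreign)
        if fport in IDENT_PORTS:
            hits.append((local, foreign, state))
    return hits


# Constructed sample resembling 'netstat -f inet' output on FreeBSD.
SAMPLE = """\
Active Internet connections
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  atom.ssh               host154.advance.com.ar.54210  ESTABLISHED
tcp4       0      0  atom.60448             host154.advance.com.ar.auth   TIME_WAIT
tcp4       0      0  atom.60449             192.0.2.10.113                TIME_WAIT
udp4       0      0  *.syslog               *.*
"""

if __name__ == "__main__":
    for local, foreign, state in find_ident_callbacks(SAMPLE.splitlines()):
        print(f"ident lookup: {local} -> {foreign} ({state})")
```

On a live system the same function can be fed `netstat -f inet` output line by line; any hit means an rfc931 lookup is still being issued.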
