From owner-freebsd-security@FreeBSD.ORG Fri Oct 2 15:28:00 2009
Message-ID: <4AC61C0B.3050704@johnea.net>
Date: Fri, 02 Oct 2009 08:28:11 -0700
From: johnea
To: freebsd-security@freebsd.org
References: <4AC545C3.9020608@johnea.net> <19141.20047.694147.865710@hergotha.csail.mit.edu>
In-Reply-To: <19141.20047.694147.865710@hergotha.csail.mit.edu>
Subject: Re: openssh concerns

Garrett Wollman wrote:
> < said:
>
>> The thing that concerned me is an entry I saw in netstat showing
>> my system connecting back to a machine that was attempting to log
>> in to ssh.
>
>> Does the ssh server establish a socket to a client attempting login?
>
> The SSH protocol does not, but you appear to be using "TCP wrappers"
> (/etc/hosts.allow) configured in such a way that it makes an IDENT
> protocol request back to the originating server. This is rarely
> likely to do anything useful and should probably be disabled.
>
>> tcp4 0 0 atom.60448 host154.advance.com.ar.auth TIME_WAIT
>
> "auth" is the port number used by the IDENT protocol.
>
> -GAWollman

Thank you to everyone who responded!

In fact I did discover these lines in hosts.allow:

    # Protect against simple DNS spoofing attacks by checking that the
    # forward and reverse records for the remote host match. If a mismatch
    # occurs, access is denied, and any positive ident response within
    # 20 seconds is logged. No protection is afforded against DNS poisoning,
    # IP spoofing or more complicated attacks. Hosts with no reverse DNS
    # pass this rule.
    ALL : PARANOID : RFC931 20 : deny

This is what was generating the auth protocol socket. I've disabled it to prevent the establishment of the auth socket to hosts that are attempting to break in.

Per another suggestion I also intend to change the port for ssh to a non-standard number (after synchronizing with the users of course 8-)

Maybe I'm a little paranoid, but after watching the level of spam ever increasing over the last 5 years, and more and more people moving to big (monopolistic?) service providers like google and hotmail, I've wondered if these big corporate service providers don't tolerate the spam level in order to prevent anyone who doesn't have a building full of IT staff from running their own mail servers.

Perhaps with the help of people like those on this list, the internet won't have to be abandoned by independents?

Thanks again to everyone!

johnea
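As an added example, not part of this thread or of FreeBSD, here is a small Python audit that parses hosts.allow rules in tcpd's "daemon_list : client_list : option : option" syntax and reports which rules carry an rfc931 option, i.e. which ones make the server open an outbound connection to the remote host's auth port (113) during a connection attempt. The sample file contents are constructed, modelled on the rule quoted above; the function and variable names are this example's own.

```python
"""Audit a TCP-wrappers hosts.allow for rules that trigger outbound IDENT (RFC931) lookups."""
import re

# Constructed sample input, modelled on the rule quoted in the thread.
SAMPLE_HOSTS_ALLOW = """\
# Protect against simple DNS spoofing attacks by checking that the
# forward and reverse records for the remote host match.
ALL : PARANOID : RFC931 20 : deny
sshd : 192.168.100.0/255.255.255.0 : allow
ALL : ALL : rfc931 : \\
      deny
"""

# tcpd option keywords are matched case-insensitively; an optional timeout in seconds may follow.
RFC931_OPT = re.compile(r"rfc931(?:\s+(\d+))?$", re.IGNORECASE)


def parse_rules(text):
    """Yield (daemon_list, client_list, options) per rule; '#' lines are skipped, '\\' joins lines."""
    pending = ""
    for raw in text.splitlines():
        if raw.lstrip().startswith("#"):
            continue
        if raw.rstrip().endswith("\\"):
            pending += raw.rstrip()[:-1]
            continue
        line = (pending + raw).strip()
        pending = ""
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) >= 2:
            yield fields[0], fields[1], fields[2:]


def ident_lookup_rules(text):
    """Return one finding per rule whose options ask tcpd for an RFC931 (IDENT) lookup.

    Any match means an outbound TCP connection to port 113 ('auth' in netstat)
    of every client that hits the rule; timeout is None when tcpd's default applies.
    """
    findings = []
    for daemons, clients, options in parse_rules(text):
        for opt in options:
            m = RFC931_OPT.match(opt)
            if m:
                findings.append({
                    "daemons": daemons,
                    "clients": clients,
                    "timeout": int(m.group(1)) if m.group(1) else None,
                    "paranoid": clients.upper() == "PARANOID",  # fires on forward/reverse DNS mismatch
                })
    return findings
```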