Date: Tue, 6 Oct 2009 15:49:16 -0400
From: jhell (J. Hellenthal)
To: Dag-Erling Smørgrav
Cc: olli hauer, FreeBSD Security, Peter, smithi@nimnet.asn.au, Marian Hettwer
Subject: Re: openssh concerns
In-Reply-To: <86vdis99ie.fsf@ds4.des.no>
List: freebsd-security@freebsd.org

On Tue, 6 Oct 2009 11:06 +0200, des@ wrote:

> "Peter" writes:
>> Or combine that with portknocking - Only open port 22 after X number of
>> attempts to connect on port 1234:
>
> As has already been explained, that's no good if you need to ssh in from
> behind a corporate firewall that blocks everything except 20, 22, 80 and
> 443.
>
> DES
>

Don't forget about making good use of the following configuration turntables. You can enforce a default policy of deny by just saying that a user must be in the group of AllowGroups. This does enforce a little bit more of an administrative overhead, but that's for your staff and policy to decide.

AllowGroups
AllowUsers
DenyGroups
DenyUsers

Collecting tried user names and not allowing those to be added to your system as legitimate users is another approach. Configuring pw(8) and adduser(8) for this will be a good exercise.
--
%{----------------------------------------------------+
| dataix.net!jhell 2048R/89D8547E 2009-09-30          |
| BSD since FreeBSD 4.2 Linux since Slackware 2.1     |
| 85EF E26B 07BB 3777 76BE B12A 9057 8789 89D8 547E   |
+----------------------------------------------------%}
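The two ideas in the post above, a default-deny sshd policy built from AllowGroups/AllowUsers/DenyGroups/DenyUsers and a reserved-name list collected from attempted logins, as an added example that is not part of the original thread. It models the evaluation order documented in sshd_config(5) (DenyUsers, then AllowUsers, then DenyGroups, then AllowGroups) and assumes plain exact-name matching; sshd's wildcard and user@host patterns are deliberately left out. The sshd_config fragment, the auth.log lines and the account names are all constructed for the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# sshd_config(5) evaluates the four directives in this fixed order:
# DenyUsers, AllowUsers, DenyGroups, AllowGroups. As soon as AllowUsers or
# AllowGroups is set, any login not matched by it is refused, which is the
# "default policy of deny" the post describes. Exact names only (assumption).
@dataclass
class SshdPolicy:
    deny_users: set[str] = field(default_factory=set)
    allow_users: set[str] = field(default_factory=set)
    deny_groups: set[str] = field(default_factory=set)
    allow_groups: set[str] = field(default_factory=set)

    def permits(self, user: str, groups: set[str]) -> bool:
        if user in self.deny_users:
            return False
        if self.allow_users and user not in self.allow_users:
            return False
        if groups & self.deny_groups:
            return False
        if self.allow_groups and not (groups & self.allow_groups):
            return False
        return True


def parse_sshd_config(text: str) -> SshdPolicy:
    """Pick the Allow/Deny directives out of an sshd_config-style text."""
    keys = {"denyusers": "deny_users", "allowusers": "allow_users",
            "denygroups": "deny_groups", "allowgroups": "allow_groups"}
    policy = SshdPolicy()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        keyword, *values = line.split()
        attr = keys.get(keyword.lower())      # keywords are case-insensitive
        if attr:
            getattr(policy, attr).update(values)
    return policy


# Constructed sample config: only members of "sshusers" may log in, and the
# "guest" account is refused even if someone later adds it to that group.
SAMPLE_CONFIG = """
# constructed sshd_config fragment
AllowGroups sshusers
DenyUsers guest
"""

# Second approach from the post: harvest the user names that attackers try
# (sshd logs them as "Invalid user <name> from <addr>") so they are never
# handed out as real accounts.
INVALID_USER_RE = re.compile(r"sshd\[\d+\]: Invalid user (\S+) from (\S+)")

# Constructed auth.log lines; 203.0.113.0/24 is documentation address space.
SAMPLE_AUTH_LOG = [
    "Oct  6 12:49:23 dimension sshd[1234]: Invalid user admin from 203.0.113.5",
    "Oct  6 12:49:31 dimension sshd[1236]: Invalid user oracle from 203.0.113.5",
    "Oct  6 12:50:02 dimension sshd[1240]: Failed password for alice from 203.0.113.9 port 51022 ssh2",
    "Oct  6 12:50:40 dimension sshd[1244]: Invalid user test from 203.0.113.17",
]


def attempted_user_names(log_lines: list[str]) -> set[str]:
    """Return the set of nonexistent user names that were tried over ssh."""
    names: set[str] = set()
    for line in log_lines:
        match = INVALID_USER_RE.search(line)
        if match:
            names.add(match.group(1))
    return names


def new_account_allowed(name: str, attempted: set[str], existing: set[str]) -> tuple[bool, str]:
    """Pre-flight check an adduser(8)/pw(8) wrapper could run before creating an account."""
    if name in existing:
        return False, "account already exists"
    if name in attempted:
        return False, "name has been probed by attackers; pick another"
    return True, "ok"


if __name__ == "__main__":
    policy = parse_sshd_config(SAMPLE_CONFIG)
    for user, groups in [("alice", {"sshusers", "wheel"}), ("bob", {"staff"}), ("guest", {"sshusers"})]:
        print(f"{user:6} -> {'allowed' if policy.permits(user, groups) else 'denied'}")
    probed = attempted_user_names(SAMPLE_AUTH_LOG)
    print("probed names:", sorted(probed))
    print(new_account_allowed("admin", probed, {"alice"}))
```

Running the block with the constructed inputs shows `alice` allowed, `bob` and `guest` denied, the probed set `admin`, `oracle`, `test` (the failed-password line for the real user `alice` is not an "Invalid user" event and is left alone), and the request to create `admin` refused. The same `permits` method also shows the precedence rule that often surprises people: a name listed in AllowUsers is still refused if one of its groups appears in DenyGroups.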