From: István <leccine@gmail.com>
To: johnea
Cc: freebsd-security@freebsd.org
Date: Fri, 2 Oct 2009 16:32:24 +0100
Subject: Re: openssh concerns
In-Reply-To: <4AC61C0B.3050704@johnea.net>
References: <4AC545C3.9020608@johnea.net> <19141.20047.694147.865710@hergotha.csail.mit.edu> <4AC61C0B.3050704@johnea.net>

Protect against simple DNS spoofing attacks by checking that the...

So if the ssh brute force is coming from a properly set up DNS host it is ok :))))

On Fri, Oct 2, 2009 at 4:28 PM, johnea wrote:
> Garrett Wollman wrote:
>
>> < said:
>>
>>> The thing that concerned me is an entry I saw in netstat showing
>>> my system connecting back to a machine that was attempting to log
>>> in to ssh.
>>>
>>> Does the ssh server establish a socket to a client attempting login?
>>
>> The SSH protocol does not, but you appear to be using "TCP wrappers"
>> (/etc/hosts.allow) configured in such a way that it makes an IDENT
>> protocol request back to the originating server. This is rarely
>> likely to do anything useful and should probably be disabled.
>>
>>> tcp4 0 0 atom.60448 host154.advance.com.ar.auth TIME_WAIT
>>
>> "auth" is the port number used by the IDENT protocol.
>>
>> -GAWollman
>
> Thank you to everyone who responded!
>
> In fact I did discover these lines in hosts.allow:
>
> # Protect against simple DNS spoofing attacks by checking that the
> # forward and reverse records for the remote host match. If a mismatch
> # occurs, access is denied, and any positive ident response within
> # 20 seconds is logged. No protection is afforded against DNS poisoning,
> # IP spoofing or more complicated attacks. Hosts with no reverse DNS
> # pass this rule.
> ALL : PARANOID : RFC931 20 : deny
>
> This is what was generating the auth protocol socket.
>
> I've disabled it to prevent the establishment of the auth socket to hosts
> that are attempting to break in.
>
> Per another suggestion I also intend to change the port for ssh to a
> non-standard number (after synchronizing with the users of course 8-)
>
> Maybe I'm a little paranoid, but after watching the level of spam ever
> increasing over the last 5 years, and more and more people moving to
> big (monopolistic?) service providers like google and hotmail, I've
> wondered if these big corporate service providers don't tolerate the
> spam level in order to prevent anyone who doesn't have a building full
> of IT staff from running their own mail servers.
>
> Perhaps with the help of people like those on this list, the internet
> won't have to be abandoned by independents?
>
> Thanks again to everyone!
>
> johnea

--
the sun shines for all
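The hosts.allow rule discussed in this thread, as an added example that is not part of the thread or of FreeBSD's own tooling (the sample file is constructed): a small parser for hosts_access(5)-style rules that flags the ones which make tcpd open the outbound IDENT connection (the ".auth" socket seen in netstat), namely an rfc931 option or a user@host client pattern, and rewrites them with the rfc931 lookup dropped while keeping the PARANOID forward/reverse DNS check.

```python
# Constructed sample hosts.allow; the PARANOID line is the one from the thread.
SAMPLE_HOSTS_ALLOW = """\
# forward/reverse DNS must match; positive ident reply within 20s is logged
ALL : PARANOID : RFC931 20 : deny
sshd : 10.0.0.0/8 : allow
sshd : ALL : rfc931 : \\
    deny
ALL : ALL : allow
"""

def parse_rules(text):
    """hosts_access(5) text -> [(daemons, clients, [options])].
    '#' at line start is a comment; a trailing backslash continues the line."""
    rules, pending = [], ""
    for raw in text.splitlines():
        line = pending + raw
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        pending = ""
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) >= 2:
            rules.append((fields[0], fields[1], fields[2:]))
    return rules

def ident_triggering_rules(text):
    """Rules that make tcpd connect back to the client's IDENT port (TCP/113,
    'auth' in netstat): an rfc931 option or a user@host client pattern."""
    findings = []
    for daemons, clients, options in parse_rules(text):
        why = [f"option '{o}'" for o in options if o.lower().startswith("rfc931")]
        if "@" in clients:
            why.append(f"client pattern '{clients}' needs a username lookup")
        if why:
            findings.append((f"{daemons} : {clients}", why))
    return findings

def without_ident_lookups(text):
    """Same rules with every rfc931 option dropped: the PARANOID DNS check
    still denies, but no outbound IDENT query (and its up-to-20s wait) is made."""
    out = []
    for daemons, clients, options in parse_rules(text):
        kept = [o for o in options if not o.lower().startswith("rfc931")]
        out.append(" : ".join([daemons, clients] + kept))
    return "\n".join(out) + "\n"
```

Running ident_triggering_rules over the real /etc/hosts.allow is a quick way to confirm no rule still causes the outbound auth connections after the edit.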