Date:      Mon, 3 Sep 2001 14:12:28 -0400 (EDT)
From:      Chris BeHanna <behanna@zbzoom.net>
To:        <security@freebsd.org>
Subject:   Re: Possible New Security Tool For FreeBSD, Need Your Help.
Message-ID:  <20010903140918.K10812-100000@topperwein.dyndns.org>
In-Reply-To: <F199ECBlGkVf370Skbs00003266@hotmail.com>

On Mon, 3 Sep 2001, Not Going to Tell You wrote:

>
> I have 240 boxes running sshd and restricted to our IP address on the
> Internet. We just want to hide the sshd port until we need it. Is this such
> a hard concept to understand. So what if someone can sniff the key. It is
                                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> just an extra layer of security.
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

    These two sentences contradict each other.

> Since we are also running sshd and IP
> filters, this is not a false sense of security. If someone wants to sniff
> out all 100 packets, spoof our IP address, and re-send the key..Good for
> them, they still have to get past the sshd. But by hiding the sshd port,
> maybe, just maybe, we can reduce the number of script kiddies from trying
> sshd scripts.

    IMHO, you're better off with TCP Wrappers, unless you need to
allow access to clients whose addresses are dynamically allocated.
Even then, if you set up a VPN, you can control access by domain or by
IP address: a VPN client gets an address from your local address pool.

-- 
Chris BeHanna
Software Engineer                   (Remove "bogus" before responding.)
behanna@bogus.zbzoom.net
I was raised by a pack of wild corn dogs.
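To make the recommendation concrete, here is an added example (not part of the original message) showing how the address restriction Chris suggests would be expressed as a hosts.allow/hosts.deny pair and evaluated in tcpd's lookup order: hosts.allow first, then hosts.deny, then allow by default. The 192.0.2.0/24 network and the rule set are constructed placeholders, and the matcher covers only a subset of the hosts_access(5) client syntax.

```python
import ipaddress

# Constructed policy, not from the e-mail: only the sshd daemon is reachable,
# and only from one (placeholder) office network plus localhost.
HOSTS_ALLOW = """
sshd : 192.0.2.0/255.255.255.0
ALL  : 127.0.0.1
"""
HOSTS_DENY = """
ALL : ALL
"""

def _parse(text):
    """Parse 'daemon_list : client_list' lines; options after a 2nd colon are ignored."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        daemons = [d.strip() for d in fields[0].split(",")]
        clients = [c.strip() for c in fields[1].split(",")]
        rules.append((daemons, clients))
    return rules

def _client_matches(pattern, client_ip):
    """Subset of hosts_access(5): ALL, exact address, dotted prefix
    ('192.0.2.'), and net/mask ('192.0.2.0/255.255.255.0'). Hostnames,
    @netgroups and EXCEPT are not handled here."""
    ip = ipaddress.ip_address(client_ip)
    if pattern == "ALL":
        return True
    if "/" in pattern:
        return ip in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):
        return client_ip.startswith(pattern)
    return client_ip == pattern

def _matches(rules, daemon, client_ip):
    return any(
        any(d in ("ALL", daemon) for d in daemons)
        and any(_client_matches(c, client_ip) for c in clients)
        for daemons, clients in rules
    )

def access_allowed(daemon, client_ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """tcpd order: a hosts.allow match grants, then a hosts.deny match refuses,
    otherwise access is granted."""
    if _matches(_parse(allow_text), daemon, client_ip):
        return True
    if _matches(_parse(deny_text), daemon, client_ip):
        return False
    return True
```

Note that with this policy a hidden port buys nothing extra: a connection from outside the listed network is refused by libwrap before sshd ever sees it, whether or not the attacker knows the port.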

