Date: Mon, 3 Sep 2001 14:12:28 -0400 (EDT)
From: Chris BeHanna <behanna@zbzoom.net>
To: <security@freebsd.org>
Subject: Re: Possible New Security Tool For FreeBSD, Need Your Help.
Message-ID: <20010903140918.K10812-100000@topperwein.dyndns.org>
In-Reply-To: <F199ECBlGkVf370Skbs00003266@hotmail.com>
On Mon, 3 Sep 2001, Not Going to Tell You wrote:

> I have 240 boxes running sshd and restricted to our IP address on the
> Internet. We just want to hide the sshd port until we need it. Is this such
> a hard concept to understand? So what if someone can sniff the key. It is
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> just an extra layer of security.
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

These two sentences contradict each other.

> Since we are also running sshd and IP
> filters, this is not a false sense of security. If someone wants to sniff
> out all 100 packets, spoof our IP address, and re-send the key..Good for
> them, they still have to get past the sshd. But by hiding the sshd port,
> maybe, just maybe, we can reduce the number of script kiddies from trying
> sshd scripts.

IMHO, you're better off with TCP Wrappers, unless you need to allow
access to clients whose addresses are dynamically allocated. Even then,
if you set up a VPN, you can control access by domain or by IP address:
a VPN client gets an address from your local address pool.

--
Chris BeHanna
Software Engineer (Remove "bogus" before responding.)
behanna@bogus.zbzoom.net
I was raised by a pack of wild corn dogs.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
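A concrete form of the TCP Wrappers restriction Chris recommends, added here as an example and not taken from the thread: an /etc/hosts.allow fragment that admits sshd connections only from one assumed management network and refuses everything else. The 192.0.2.0/24 block is a placeholder from the documentation range, standing in for the poster's "our IP address".

```text
# /etc/hosts.allow fragment (FreeBSD extended syntax: daemon : client list : option)
# Rules are evaluated top to bottom and the first match wins, so the allow
# line must come before the deny line, and both must come before the stock
# "ALL : ALL : allow" line that FreeBSD ships at the top of this file.
# 192.0.2.0/24 is an assumed placeholder for the site's own address block.

sshd : 192.0.2.0/255.255.255.0 : allow
sshd : ALL : deny
```

Two checks before relying on it: the running sshd must actually be linked against libwrap (`ldd /usr/sbin/sshd | grep libwrap`), which was true of the FreeBSD base sshd of that era but is not true of current OpenSSH, where a firewall rule limiting port 22 to the same source block gives the same policy without daemon support. And because the wrapper check runs only after the TCP handshake has completed, an off-path attacker cannot satisfy it merely by forging a source address, which is the practical difference from a knock sequence that anyone on the path can sniff and replay.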