From owner-freebsd-security Mon Sep 3 11:12:37 2001
From: Chris BeHanna
Date: Mon, 3 Sep 2001 14:12:28 -0400 (EDT)
To: freebsd-security@freebsd.org
Subject: Re: Possible New Security Tool For FreeBSD, Need Your Help.
Message-ID: <20010903140918.K10812-100000@topperwein.dyndns.org>

On Mon, 3 Sep 2001, Not Going to Tell You wrote:

>
> I have 240 boxes running sshd and restricted to our IP address on the
> Internet. We just want to hide the sshd port until we need it. Is this such
> a hard concept to understand. So what if someone can sniff the key. It is
                                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> just an extra layer of security.
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

These two sentences contradict each other.

> Since we are also running sshd and IP
> filters, this is not a false sense of security. If someone wants to sniff
> out all 100 packets, spoof our IP address, and re-send the key. Good for
> them, they still have to get past the sshd. But by hiding the sshd port,
> maybe, just maybe, we can reduce the number of script kiddies from trying
> sshd scripts.

IMHO, you're better off with TCP Wrappers, unless you need to allow access to clients whose addresses are dynamically allocated. Even then, if you set up a VPN, you can control access by domain or by IP address: a VPN client gets an address from your local address pool.

-- 
Chris BeHanna
Software Engineer                   (Remove "bogus" before responding.)
behanna@bogus.zbzoom.net
I was raised by a pack of wild corn dogs.
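As an added illustration of the TCP Wrappers approach recommended above (example code written for this archive page, not from the thread or from libwrap itself): a simplified evaluator of hosts.allow/hosts.deny rules for a constructed policy that lets only one management network reach sshd, so every other source is refused before sshd ever sees the connection. The rule text and addresses are constructed; the evaluator models only the ALL keyword, single addresses and network/mask patterns, not the full hosts_access(5) syntax.

```python
import ipaddress

# Constructed sample policy (not from the mailing-list post): sshd is reachable
# only from one management network; every other wrapped service is refused.
HOSTS_ALLOW = """
# Only the management network may reach sshd.
sshd : 203.0.113.0/255.255.255.0
"""
HOSTS_DENY = """
ALL : ALL
"""


def _parse(text):
    """Parse 'daemon_list : client_list' lines, ignoring comments and blanks."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(":")]
        if len(parts) < 2:
            raise ValueError(f"malformed rule: {line!r}")
        daemons = [d.strip() for d in parts[0].split(",")]
        clients = [c.strip() for c in parts[1].split(",")]
        rules.append((daemons, clients))  # option fields after the 2nd ':' are ignored
    return rules


def _client_matches(pattern, addr):
    """ALL, a single address, or net/mask (dotted mask or CIDR prefix length)."""
    if pattern == "ALL":
        return True
    ip = ipaddress.ip_address(addr)
    if "/" in pattern:
        # ipaddress accepts both "203.0.113.0/255.255.255.0" and "203.0.113.0/24"
        return ip in ipaddress.ip_network(pattern, strict=False)
    return ip == ipaddress.ip_address(pattern)


def hosts_access(daemon, addr, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """Return 'allow' or 'deny' for a (daemon, client address) pair.

    Simplified hosts_access(5) search order: the first matching entry in
    hosts.allow grants access, then the first match in hosts.deny refuses it,
    and a connection matching neither file is allowed."""
    for source, verdict in ((allow, "allow"), (deny, "deny")):
        for daemons, clients in _parse(source):
            if any(d in ("ALL", daemon) for d in daemons) and any(
                _client_matches(c, addr) for c in clients
            ):
                return verdict
    return "allow"
```

The trailing default is why a hosts.deny of `ALL : ALL` matters: without it, any daemon not named in hosts.allow stays open to everyone.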