Date:      Sat, 3 Oct 2009 04:43:08 +1000 (EST)
From:      Ian Smith <smithi@nimnet.asn.au>
To:        johnea <me@johnea.net>
Cc:        freebsd-security@freebsd.org
Subject:   Re: openssh concerns
Message-ID:  <20091003042802.O10039@sola.nimnet.asn.au>
In-Reply-To: <4AC61C0B.3050704@johnea.net>
References:  <4AC545C3.9020608@johnea.net> <19141.20047.694147.865710@hergotha.csail.mit.edu> <4AC61C0B.3050704@johnea.net>

On Fri, 2 Oct 2009, johnea wrote:
 > Garrett Wollman wrote:
[..]
 > > > tcp4       0      0 atom.60448             host154.advance.com.ar.auth
 > > > TIME_WAIT
 > > 
 > > "auth" is the port number used by the IDENT protocol.
 > > 
 > > -GAWollman
 > 
 > Thank You to everyone who responded!
 > 
 > In fact I did discover these lines in hosts.allow:
 > 
 > 31-# Protect against simple DNS spoofing attacks by checking that the
 > 32-# forward and reverse records for the remote host match. If a mismatch
 > 33-# occurs, access is denied, and any positive ident response within
 > 34-# 20 seconds is logged. No protection is afforded against DNS poisoning,
 > 35-# IP spoofing or more complicated attacks. Hosts with no reverse DNS
 > 36-# pass this rule.
 > 37:ALL : PARANOID : RFC931 20 : deny
 > 
 > This is what was generating the auth protocol socket.
 > 
 > I've disabled it to prevent the establishment of the auth socket to hosts
 > who are attempting to break in.
 > 
 > Per another suggestion I also intend to change the port for ssh to a
 > non-standard number (after synchronizing with the users of course 8-)

This will provide the greatest relief against drive-by ssh probes, which 
are pretty much background radiation these days.  Some may decry it as 
'security by obscurity', but who cares when it works so effectively :)

http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers provides a 
reasonably useful list of ports NOT to choose for an obscure ssh port.

cheers, Ian
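
The forward/reverse match that the quoted hosts.allow comment describes, as an added example that is not part of the original thread and is not tcp_wrappers' own code. The function names and the sample records are assumptions made for illustration, and the ident (RFC931) lookup that opened the auth socket is not performed here.

```python
import socket

def reverse_names(ip):
    """PTR lookup; returns [] when the address has no reverse record."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except (socket.herror, socket.gaierror):
        return []
    return [name, *aliases]

def forward_addrs(name):
    """A/AAAA lookup; returns an empty set when the name does not resolve."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}

def paranoid_check(ip, reverse=reverse_names, forward=forward_addrs):
    """Return (verdict, reason) following the hosts.allow comment quoted above.

    Hypothetical helper. Addresses are compared as text, which is enough
    for IPv4; IPv6 text forms would need normalising first.
    """
    names = reverse(ip)
    if not names:
        # "Hosts with no reverse DNS pass this rule."
        return "pass", "no reverse DNS"
    for name in names:
        if ip in forward(name):
            return "pass", f"{name} resolves back to {ip}"
    return "deny", f"{names[0]} does not resolve back to {ip}"

# Constructed records (documentation address ranges) so the demo runs offline.
PTR = {"192.0.2.10": ["good.example.net"], "198.51.100.7": ["trusted.example.org"]}
FWD = {"good.example.net": {"192.0.2.10"}, "trusted.example.org": {"203.0.113.5"}}

def demo():
    rev = lambda ip: PTR.get(ip, [])
    fwd = lambda name: FWD.get(name, set())
    return {ip: paranoid_check(ip, rev, fwd)
            for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.99")}

if __name__ == "__main__":
    for ip, (verdict, reason) in demo().items():
        print(f"{ip:15} {verdict:5} {reason}")
```

Calling paranoid_check(ip) without the two resolver arguments uses the system resolver instead of the constructed tables.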


