From owner-freebsd-security@FreeBSD.ORG  Fri Oct  2 19:09:25 2009
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id B1394106568D
	for <freebsd-security@freebsd.org>;
	Fri,  2 Oct 2009 19:09:25 +0000 (UTC)
	(envelope-from smithi@nimnet.asn.au)
Received: from sola.nimnet.asn.au (paqi.nimnet.asn.au [115.70.110.159])
	by mx1.freebsd.org (Postfix) with ESMTP id 32CDE8FC18
	for <freebsd-security@freebsd.org>;
	Fri,  2 Oct 2009 19:09:24 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
	by sola.nimnet.asn.au (8.14.2/8.14.2) with ESMTP id n92Ih82i003901;
	Sat, 3 Oct 2009 04:43:08 +1000 (EST)
	(envelope-from smithi@nimnet.asn.au)
Date: Sat, 3 Oct 2009 04:43:08 +1000 (EST)
From: Ian Smith <smithi@nimnet.asn.au>
To: johnea <me@johnea.net>
In-Reply-To: <4AC61C0B.3050704@johnea.net>
Message-ID: <20091003042802.O10039@sola.nimnet.asn.au>
References: <4AC545C3.9020608@johnea.net>
	<19141.20047.694147.865710@hergotha.csail.mit.edu>
	<4AC61C0B.3050704@johnea.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Cc: freebsd-security@freebsd.org
Subject: Re: openssh concerns
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Oct 2009 19:09:25 -0000

On Fri, 2 Oct 2009, johnea wrote:
 > Garrett Wollman wrote:
[..]
 > > > tcp4       0      0 atom.60448             host154.advance.com.ar.auth
 > > > TIME_WAIT
 > > 
 > > "auth" is the port number used by the IDENT protocol.
 > > 
 > > -GAWollman
 > 
 > Thank You to everyone who responded!
 > 
 > In fact I did discover these lines in hosts.allow:
 > 
 > 31-# Protect against simple DNS spoofing attacks by checking that the
 > 32-# forward and reverse records for the remote host match. If a mismatch
 > 33-# occurs, access is denied, and any positive ident response within
 > 34-# 20 seconds is logged. No protection is afforded against DNS poisoning,
 > 35-# IP spoofing or more complicated attacks. Hosts with no reverse DNS
 > 36-# pass this rule.
 > 37:ALL : PARANOID : RFC931 20 : deny
 > 
 > This is what was generating the auth protocol socket.
 > 
 > I've disabled it to prevent the establishment of the auth socket to hosts
 > who are attempting to breakin.
 > 
 > Per another suggestion I also intend to change the port for ssh to a
 > non-standard number (after synchronizing with the users of course 8-)

This will provide the greatest relief against drive-by ssh probes, which 
are pretty much background radiation these days.  Some may decry it as 
'security by obscurity', but who cares when it works so effectively :)

http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers provides a 
reasonably useful list of ports NOT to choose for an obscure ssh port.

cheers, Ian