From: Marian Hettwer
Date: Mon, 21 Nov 2005 09:33:07 +0100
To: ray@redshift.com
Cc: Timothy Smith, freebsd-security@freebsd.org
Subject: Re: Need urgent help regarding security
Message-ID: <43818643.5000206@kernel32.de>

Hi there,

ray@redshift.com wrote:
>
> Also, if you have access to the router, it's handy to re-write traffic from a
> higher public port down to port 22 on the server, since that will trip up anyone
> doing scans looking for a connect on port 22 across a large number of IP's.
>

No. That's security by obscurity and doesn't make your system even a wee bit
more secure.
Disable root login via ssh (like already mentioned), enforce public-key
authentication and maybe even go with OPIE.

> Anyway, just a couple of ideas I thought might be helpful while on the subject
> of SSH hardening :-)
>

all of them were about hardening, except the security by obscurity
"put-the-sshd-on-another-port" advice ;)
don't do that.

Regards,
Marian
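
One way to verify the two sshd settings the reply recommends (no root login, public-key authentication only), as an added example that is not part of the original message. The function names and the sample file are constructed for illustration; OPIE is not covered by this check.

```sh
#!/bin/sh
# Added example (not from the original post): check the global section of an
# sshd_config for the settings recommended above. Function names are made up.

# Print the first global value of a keyword, lower-cased, or "unset".
# sshd uses the first value it reads for a keyword, matches keywords
# case-insensitively, and treats lines after "Match" as conditional.
sshd_value() {
    awk -v want="$2" '
        { sub(/=/, " ") }                        # accept "Keyword=value"
        /^[ \t]*#/ || NF == 0 { next }           # comments and blank lines
        tolower($1) == "match" { exit }          # end of the global section
        tolower($1) == tolower(want) { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Print one line per keyword; the return status is the number of findings.
# An unset keyword counts as a finding so the policy is explicit in the file
# instead of depending on the build defaults (an assumption of this check).
audit_sshd_config() {
    file=$1
    findings=0
    while read -r keyword expected; do
        actual=$(sshd_value "$file" "$keyword")
        if [ "$actual" = "$expected" ]; then
            echo "ok    $keyword $actual"
        else
            echo "FAIL  $keyword is '$actual', expected '$expected'"
            findings=$((findings + 1))
        fi
    done <<EOF
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
EOF
    return "$findings"
}

# Constructed sample file: a duplicate keyword, password logins left on, and
# a pubkey setting that only appears inside a Match block.
sample=$(mktemp)
printf '%s\n' 'permitrootlogin no' 'PermitRootLogin yes' \
    'PasswordAuthentication yes' 'Match User backup' \
    '    PubkeyAuthentication yes' > "$sample"
audit_sshd_config "$sample" || echo "findings: $?"
rm -f "$sample"
```

Point `audit_sshd_config` at the real file (typically `/etc/ssh/sshd_config`) and treat a non-zero status as a failed check.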