Date: Mon, 12 Oct 2009 15:42:01 +0200 (CEST) From: Oliver Fromme <olli@lurza.secnetix.de> To: freebsd-stable@FreeBSD.ORG Subject: Re: openssh concerns Message-ID: <200910121342.n9CDg19g066566@lurza.secnetix.de> In-Reply-To: <20091012094519.GA29445@calvin.ustdmz.roe.ch>
next in thread | previous in thread | raw e-mail | index | archive | help
Daniel Roethlisberger <daniel@roe.ch> wrote: > If your situation allows running pf, then there's an alternative > method: bind sshd normally to port 22, but use pf to deny direct > connections to port 22, redirecting connections to some high port > X to port 22 using a `rdr pass' rule. You can even make > exceptions for trusted IP address ranges which are then allowed > to SSH in directly on port 22. That way, an unprivileged process > will gain nothing by listening on high port X; it won't get to > accept() any SSH connections. Just for completeness sake, the same can be done easily with IPFW and "fwd" rules, of course. Best regards Oliver -- Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M. Handelsregister: Registergericht Muenchen, HRA 74606, Geschäftsfuehrung: secnetix Verwaltungsgesellsch. mbH, Handelsregister: Registergericht Mün- chen, HRB 125758, Geschäftsführer: Maik Bachmann, Olaf Erb, Ralf Gebhart FreeBSD-Dienstleistungen, -Produkte und mehr: http://www.secnetix.de/bsd "C++ is to C as Lung Cancer is to Lung." -- Thomas Funke
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200910121342.n9CDg19g066566>