Date: Fri, 02 Oct 2009 08:28:11 -0700
From: johnea <me@johnea.net>
To: freebsd-security@freebsd.org
Subject: Re: openssh concerns
Message-ID: <4AC61C0B.3050704@johnea.net>
In-Reply-To: <19141.20047.694147.865710@hergotha.csail.mit.edu>
References: <4AC545C3.9020608@johnea.net> <19141.20047.694147.865710@hergotha.csail.mit.edu>
Garrett Wollman wrote:
> <<On Thu, 01 Oct 2009 17:13:55 -0700, johnea <me@johnea.net> said:
>
>> The thing that concerned me is an entry I saw in netstat showing
>> my system connecting back to a machine that was attempting to log
>> in to ssh.
>
>> Does the ssh server establish a socket to a client attempting login?
>
> The SSH protocol does not, but you appear to be using "TCP wrappers"
> (/etc/hosts.allow) configured in such a way that it makes an IDENT
> protocol request back to the originating server. This is rarely
> likely to do anything useful and should probably be disabled.
>
>> tcp4 0 0 atom.60448 host154.advance.com.ar.auth TIME_WAIT
>
> "auth" is the port number used by the IDENT protocol.
>
> -GAWollman

Thank you to everyone who responded!

In fact I did discover these lines in hosts.allow:

    # Protect against simple DNS spoofing attacks by checking that the
    # forward and reverse records for the remote host match. If a mismatch
    # occurs, access is denied, and any positive ident response within
    # 20 seconds is logged. No protection is afforded against DNS poisoning,
    # IP spoofing or more complicated attacks. Hosts with no reverse DNS
    # pass this rule.
    ALL : PARANOID : RFC931 20 : deny

This is what was generating the auth protocol socket. I've disabled it to prevent the establishment of the auth socket to hosts who are attempting to break in.

Per another suggestion I also intend to change the port for ssh to a non-standard number (after synchronizing with the users of course 8-)

Maybe I'm a little paranoid, but after watching the level of spam ever increasing over the last 5 years, and more and more people moving to big (monopolistic?) service providers like google and hotmail, I've wondered if these big corporate service providers don't tolerate the spam level in order to prevent anyone who doesn't have a building full of IT staff from running their own mail servers.

Perhaps with the help of people like those on this list, the internet won't have to be abandoned by independents?

Thanks again to everyone!

johnea
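As an added example (not part of the thread or of tcp_wrappers itself), a small Python audit that parses a hosts.allow file in hosts_access(5) syntax and reports the rules that make tcpd open an IDENT connection back to the connecting client: the RFC931 option, as in the rule quoted above, and user@host client patterns. The sample file is constructed; the 10-second default timeout is assumed from tcp_wrappers' compiled-in RFC931_TIMEOUT.

```python
"""Flag hosts.allow/hosts.deny rules that trigger an outbound IDENT
(RFC 931/1413, port 113 "auth") lookup to the connecting host."""
import re

# Constructed sample, modelled on the rule quoted in the thread.
SAMPLE = """\
# Protect against simple DNS spoofing attacks by checking that the
# forward and reverse records for the remote host match.
ALL : PARANOID : RFC931 20 : deny
sshd : 192.0.2.0/255.255.255.0 : allow
ALL : admin@trusted.example.net : allow
ALL : ALL \\
    : deny
"""

def parse_rules(text):
    """Yield (daemons, clients, options) per rule: comments and blank lines
    are skipped, backslash-newline continues a rule, and fields are split
    on unescaped colons (a literal colon in an option is written '\\:')."""
    pending = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            pending.append(line[:-1])
            continue
        pending.append(line)
        joined = "".join(pending).strip()
        pending = []
        if not joined or joined.startswith("#"):
            continue
        fields = [f.strip() for f in re.split(r"(?<!\\):", joined)]
        yield fields[0], fields[1], fields[2:]

def ident_callbacks(text):
    """Return findings for rules that cause an IDENT connection back to the
    client, with the lookup timeout (assumed default: 10 s, RFC931_TIMEOUT)."""
    findings = []
    for daemons, clients, options in parse_rules(text):
        reasons = []
        for opt in options:
            m = re.match(r"RFC931(?:\s+(\d+))?$", opt, re.I)
            if m:
                reasons.append(("RFC931 option", int(m.group(1) or 10)))
        if "@" in clients:  # user@host patterns force a username lookup
            reasons.append(("user@host client pattern", 10))
        for why, timeout in reasons:
            findings.append({"rule": f"{daemons} : {clients}",
                             "why": why, "timeout": timeout})
    return findings

if __name__ == "__main__":
    for f in ident_callbacks(SAMPLE):
        print(f"{f['rule']!r}: {f['why']} (waits up to {f['timeout']}s)")
```

Each reported rule is one that will show up in netstat as a connection from the server to the client's auth port, exactly the symptom described in the thread.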
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4AC61C0B.3050704>