Date:      Sat, 03 Oct 2009 15:39:44 -0500
From:      Eric Williams <purpleshadow100@gmail.com>
To:        freebsd-security@freebsd.org
Subject:   Re: openssh concerns
Message-ID:  <4AC7B690.1060607@gmail.com>
In-Reply-To: <20091003121830.GA15170@sorry.mine.nu>
References:  <20091003121830.GA15170@sorry.mine.nu>


On 10/3/2009 7:18 AM, olli hauer wrote:
>>> http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
>>> provides a reasonably useful list of ports NOT to choose for an
>>> obscure ssh port.
>>
>> In practice, you have no choice but to use something like 443 or 8080,
>> because corporate firewalls often block everything but a small number
>> of ports (usually 20, 22, 80, 443, 8080, and odds are that 20, 80 and
>> 8080 go through a transparent proxy)
>
> This may work if the firewall does only port and no additional protocol
> filtering. For many products used in corporate environments it is even
> possible to filter ssh v1, skype, stunnel, openvpn with a very high
> success rate within the first packets on the wire.
>
> In the case of the ssh server, take a look at these parameters:
> - LoginGraceTime
> - MaxAuthTries
> - MaxSessions
> - MaxStartups

The absolute best way to filter out the attacks is to disable
authentication methods other than public keys. Obviously this isn't
possible in all situations, but it's very effective. Most attack bots
will just disconnect when they attempt login, and it's almost impossible
to crack a key and gain access.


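As an added example (not code from the thread or any of its posters), a POSIX sh audit of a host's effective sshd settings, covering both the key-only advice above and the rate-limiting parameters listed in the quoted reply. It assumes the input is the output of `sshd -T` (one lowercase keyword per line); the two sample configurations are constructed, not captured from a real host.

```shell
# Added example, not from the thread: audit the effective sshd settings
# discussed above. Feed it the output of `sshd -T`, which prints the
# running configuration one lowercase keyword per line. Both sample
# blocks below are constructed, not captures from any real host.

WEAK_SSHD_T='pubkeyauthentication yes
passwordauthentication yes
challengeresponseauthentication yes
logingracetime 120
maxauthtries 6
maxsessions 10
maxstartups 10:30:100'

HARDENED_SSHD_T='pubkeyauthentication yes
passwordauthentication no
challengeresponseauthentication no
logingracetime 30
maxauthtries 3
maxsessions 10
maxstartups 10:30:100'

# get_opt <config-text> <keyword>: print the keyword's value ("" if absent).
get_opt() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k { sub(/^[^ ]+ /, ""); print; exit }'
}

# audit_sshd <config-text>: one line per finding; returns 1 while any
# password-style login path is still enabled, 0 when only keys are accepted.
audit_sshd() {
    cfg=$1 rc=0
    if [ "$(get_opt "$cfg" pubkeyauthentication)" != "yes" ]; then
        echo "FAIL pubkeyauthentication is not yes"; rc=1
    fi
    for k in passwordauthentication challengeresponseauthentication; do
        if [ "$(get_opt "$cfg" "$k")" = "yes" ]; then
            echo "FAIL $k yes: password guessing still possible"; rc=1
        fi
    done
    # Rate-limiting knobs named in the quoted reply: reported, not scored.
    for k in logingracetime maxauthtries maxsessions maxstartups; do
        echo "INFO $k = $(get_opt "$cfg" "$k")"
    done
    return $rc
}

# On a live host: audit_sshd "$(sshd -T)"
for c in "$WEAK_SSHD_T" "$HARDENED_SSHD_T"; do
    if audit_sshd "$c"; then echo "PASS: key-only"; else echo "RESULT: fix above"; fi
done
```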