Re: Possible New Security Tool For FreeBSD, Need Your Help.

From: Chris BeHanna (behanna@zbzoom.net)
Date: 09/03/01


Date: Mon, 3 Sep 2001 14:12:28 -0400 (EDT)
From: Chris BeHanna <behanna@zbzoom.net>
To: <security@freebsd.org>

On Mon, 3 Sep 2001, Not Going to Tell You wrote:

>
> I have 240 boxes running sshd and restricted to our IP address on the
> Internet. We just want to hide the sshd port until we need it. Is this such
> a hard concept to understand. So what if someone can sniff the key. It is
                                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> just an extra layer of security.
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

    These two sentences contradict each other.

> Since we are also running sshd and IP
> filters, this is not a false sense of security. If someone wants to sniff
> out all 100 packets, spoof our IP address, and re-send the key..Good for
> them, they still have to get past the sshd. But by hiding the sshd port,
> maybe, just maybe, we can reduce the number of script kiddies from trying
> sshd scripts.

    IMHO, you're better off with TCP Wrappers, unless you need to
allow access to clients whose addresses are dynamically allocated.
Even then, if you set up a VPN, you can control access by domain or by
IP address: a VPN client gets an address from your local address pool.

-- 
Chris BeHanna
Software Engineer                   (Remove "bogus" before responding.)
behanna@bogus.zbzoom.net
I was raised by a pack of wild corn dogs.
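As an added illustration of the TCP Wrappers approach recommended above (not part of the original thread): a constructed FreeBSD-style /etc/hosts.allow fragment that limits sshd to two source ranges, plus a small Python evaluator of tcpd's first-match semantics so the policy can be checked against sample client addresses before it is deployed. The addresses are documentation ranges, and the evaluator models only the allow/deny option, not tcpd's other options.

```python
import ipaddress

# Constructed /etc/hosts.allow fragment in FreeBSD's extended tcpd syntax.
# Each rule is "daemon_list : client_list : option"; the first rule whose
# daemon and client patterns both match the connection decides the outcome.
HOSTS_ALLOW = """\
# sshd reachable only from the office block and one admin host
sshd : 192.0.2.0/255.255.255.0, 198.51.100.7 : allow
sshd : ALL : deny
ALL : ALL : allow
"""

def _client_matches(pattern, addr):
    """True if addr matches one tcpd client pattern (ALL, prefix., net/mask, host)."""
    pattern = pattern.strip()
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                      # "192.0.2." dotted-prefix form
        return str(addr).startswith(pattern)
    if "/" in pattern:                             # net/netmask or net/prefixlen
        net, mask = pattern.split("/", 1)
        return addr in ipaddress.ip_network(f"{net}/{mask}", strict=False)
    return addr == ipaddress.ip_address(pattern)   # single host address

def tcpd_decision(config, daemon, client_ip):
    """Evaluate hosts.allow rules for (daemon, client_ip); returns 'allow' or 'deny'."""
    addr = ipaddress.ip_address(client_ip)
    for line in config.splitlines():
        line = line.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        daemons, clients = fields[0], fields[1]
        # A two-field rule in hosts.allow means "allow"; a third field overrides.
        option = fields[2] if len(fields) > 2 else "allow"
        if daemons != "ALL" and daemon not in [d.strip() for d in daemons.split(",")]:
            continue
        if any(_client_matches(p, addr) for p in clients.split(",")):
            return option
    return "allow"   # tcpd's default when no rule matches at all

if __name__ == "__main__":
    for ip in ("192.0.2.44", "198.51.100.7", "203.0.113.9"):
        print(ip, "->", tcpd_decision(HOSTS_ALLOW, "sshd", ip))
```

Note that this only takes effect when sshd is linked against libwrap, which FreeBSD's sshd was at the time of this thread; OpenSSH dropped tcp_wrappers support in 6.7, so on current systems the same source restriction belongs in the packet filter or in sshd_config Match blocks.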