Re: openssh concerns
- From: johnea <me@xxxxxxxxxx>
- Date: Fri, 02 Oct 2009 08:28:11 -0700
Garrett Wollman wrote:
> <<On Thu, 01 Oct 2009 17:13:55 -0700, johnea <me@xxxxxxxxxx> said:
>
>> The thing that concerned me is an entry I saw in netstat showing
>> my system connecting back to a machine that was attempting to log
>> in to ssh.
>> Does the ssh server establish a socket to a client attempting login?
>
> The SSH protocol does not, but you appear to be using "TCP wrappers"
> (/etc/hosts.allow) configured in such a way that it makes an IDENT
> protocol request back to the originating server. This is rarely
> likely to do anything useful and should probably be disabled.
>
>> tcp4 0 0 atom.60448 host154.advance.com.ar.auth TIME_WAIT
>
> "auth" is the port number used by the IDENT protocol.
Thank you to everyone who responded!
In fact I did discover these lines in hosts.allow:

# Protect against simple DNS spoofing attacks by checking that the
# forward and reverse records for the remote host match. If a mismatch
# occurs, access is denied, and any positive ident response within
# 20 seconds is logged. No protection is afforded against DNS poisoning,
# IP spoofing or more complicated attacks. Hosts with no reverse DNS
# pass this rule.
ALL : PARANOID : RFC931 20 : deny

This is what was generating the auth protocol socket.
I've disabled it to prevent the establishment of the auth socket to hosts
who are attempting to break in.
Per another suggestion I also intend to change the port for ssh to a
non-standard number (after synchronizing with the users of course 8-)
Maybe I'm a little paranoid, but after watching the level of spam ever
increasing over the last 5 years, and more and more people moving to
big (monopolistic?) service providers like Google and Hotmail, I've
wondered if these big corporate service providers don't tolerate the
spam level in order to prevent anyone who doesn't have a building full
of IT staff from running their own mail servers.
Perhaps with the help of people like those on this list, the internet
won't have to be abandoned by independents?
Thanks again to everyone!
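The hosts.allow rule and the netstat entry discussed above, as an added example that is not part of the original post or of the FreeBSD/tcp_wrappers code: a small Python audit script that flags hosts.allow rules which cause the server to open an IDENT (RFC 931) connection back to the client, and picks the resulting outbound "auth" sockets out of netstat output. It assumes a simplified reading of the hosts.allow syntax (daemon_list : client_list [: option : option ...], '#' comment lines, backslash continuation) and the netstat column layout shown in the thread; the sample hosts.allow and netstat text are constructed for the example.

```python
"""Audit TCP-wrappers rules that trigger IDENT (RFC 931) callbacks and spot
the resulting outbound "auth" connections in netstat output.

Added example for this thread, not code from the original post or from the
tcp_wrappers/FreeBSD projects. It reads a simplified form of the hosts.allow
syntax (daemon_list : client_list [: option : option ...], '#' comment
lines, backslash continuation) and the netstat column layout shown in the
thread (Proto Recv-Q Send-Q Local Foreign (state)). All sample input below
is constructed for the example.
"""

# Names under which the IDENT service appears in netstat output: the service
# name "auth" (as in the thread), its alias "ident", or port 113 when -n is used.
IDENT_PORTS = {"auth", "ident", "113"}


def parse_hosts_allow(text):
    """Return hosts.allow rules as dicts with daemons, clients and options."""
    rules = []
    pending = ""
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                              # blank or comment line
        if raw.rstrip().endswith("\\"):
            pending += raw.rstrip()[:-1] + " "    # rule continues on next line
            continue
        line, pending = pending + raw, ""
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue                              # malformed rule; skip it
        rules.append({
            "daemons": fields[0].split(),
            "clients": fields[1].split(),
            "options": fields[2:],
        })
    return rules


def ident_callback_rules(rules):
    """Rules that make the server connect back to the client's ident port.

    The 'rfc931 [timeout]' option requests a username lookup explicitly, and a
    client pattern of the form user@host needs one before it can be matched.
    Returns (rule, reasons) pairs.
    """
    hits = []
    for rule in rules:
        reasons = []
        for opt in rule["options"]:
            parts = opt.split()
            if parts and parts[0].lower() == "rfc931":
                timeout = parts[1] if len(parts) > 1 else "default"
                reasons.append(f"rfc931 lookup, timeout {timeout}")
        if any("@" in c for c in rule["clients"]):
            reasons.append("user@host client pattern needs a username lookup")
        if reasons:
            hits.append((rule, reasons))
    return hits


def auth_connections(netstat_text):
    """Flag TCP sockets whose foreign end is an ident port.

    A local ephemeral port paired with a remote 'auth' port is the server
    calling out to the client, which is what the thread's netstat line shows.
    """
    flagged = []
    for line in netstat_text.splitlines():
        cols = line.split()
        if len(cols) < 5 or not cols[0].startswith("tcp"):
            continue                              # header, udp or unix sockets
        local, foreign = cols[3], cols[4]
        state = cols[5] if len(cols) > 5 else ""
        _, lport = local.rsplit(".", 1)           # port follows the last dot
        fhost, fport = foreign.rsplit(".", 1)
        if fport in IDENT_PORTS:
            flagged.append({"local_port": lport, "remote_host": fhost,
                            "remote_port": fport, "state": state})
    return flagged


# Constructed sample in the style of FreeBSD's default hosts.allow.
SAMPLE_HOSTS_ALLOW = """\
# Deny hosts whose forward and reverse DNS disagree; log ident replies.
ALL : PARANOID : RFC931 20 : deny
sshd : 192.168.1.0/255.255.255.0 : allow
sshd : ALL : deny
"""

# Constructed netstat output modelled on the line quoted in the thread.
SAMPLE_NETSTAT = """\
Active Internet connections
Proto Recv-Q Send-Q  Local Address          Foreign Address              (state)
tcp4       0      0  atom.60448             host154.advance.com.ar.auth  TIME_WAIT
tcp4       0      0  atom.ssh               host154.advance.com.ar.55021 ESTABLISHED
tcp4       0      0  *.ssh                  *.*                          LISTEN
"""

if __name__ == "__main__":
    for rule, reasons in ident_callback_rules(parse_hosts_allow(SAMPLE_HOSTS_ALLOW)):
        print("ident callback:", " : ".join([" ".join(rule["daemons"]),
                                             " ".join(rule["clients"])] + rule["options"]),
              "->", "; ".join(reasons))
    for c in auth_connections(SAMPLE_NETSTAT):
        print("outbound ident socket:", c)
```

Running it against the real files (`parse_hosts_allow(open("/etc/hosts.allow").read())` and the text of `netstat -a`) gives the same two views: which rule is responsible for the callback, and the sockets it leaves behind in TIME_WAIT.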
freebsd-security@xxxxxxxxxxx mailing list