Re: openssh concerns



Garrett Wollman wrote:
> <<On Thu, 01 Oct 2009 17:13:55 -0700, johnea <me@xxxxxxxxxx> said:
> 
>> The thing that concerned me is an entry I saw in netstat showing
>> my system connecting back to a machine that was attempting to log
>> in to ssh.
>> 
>> Does the ssh server establish a socket to a client attempting login?
> 
> The SSH protocol does not, but you appear to be using "TCP wrappers"
> (/etc/hosts.allow) configured in such a way that it makes an IDENT
> protocol request back to the originating server. This is rarely
> likely to do anything useful and should probably be disabled.
> 
>> tcp4 0 0 atom.60448 host154.advance.com.ar.auth TIME_WAIT
> 
> "auth" is the port number used by the IDENT protocol.
> 
> -GAWollman

Thank You to everyone who responded!

In fact I did discover these lines in hosts.allow:

# Protect against simple DNS spoofing attacks by checking that the
# forward and reverse records for the remote host match. If a mismatch
# occurs, access is denied, and any positive ident response within
# 20 seconds is logged. No protection is afforded against DNS poisoning,
# IP spoofing or more complicated attacks. Hosts with no reverse DNS
# pass this rule.
ALL : PARANOID : RFC931 20 : deny

This is what was generating the auth protocol socket.

I've disabled it to prevent the establishment of the auth socket to hosts
who are attempting to break in.

Per another suggestion I also intend to change the port for ssh to a
non-standard number (after synchronizing with the users of course 8-)

Maybe I'm a little paranoid, but after watching the level of spam ever
increasing over the last 5 years, and more and more people moving to
big (monopolistic?) service providers like google and hotmail, I've
wondered if these big corporate service providers don't tolerate the
spam level in order to prevent anyone who doesn't have a building full
of IT staff from running their own mail servers.

Perhaps with the help of people like those on this list, the internet
won't have to be abandoned by independents?

Thanks again to everyone!

johnea
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"
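An added example, not part of the thread above: a small audit script that parses a hosts.allow fragment for rules carrying the RFC931 (ident) option, which is what produces the outbound connection to port 113 ("auth") that the thread discusses, rewrites those rules without the callback while keeping the PARANOID check, and flags ident callbacks in netstat output. The hosts.allow and netstat samples are constructed (only the PARANOID rule and the TIME_WAIT line come from the thread); the 10-second default ident timeout is an assumption about libwrap's compile-time default.

```python
import re

# Constructed sample hosts.allow; only the PARANOID rule is from the thread.
HOSTS_ALLOW = """\
# Protect against simple DNS spoofing attacks (rule quoted in the thread)
ALL : PARANOID : RFC931 20 : deny
sshd : 192.168.1.0/24 : allow
sshd : ALL : RFC931 : deny
ALL : ALL : allow
"""

# Constructed netstat -an style output; the TIME_WAIT line is from the thread.
NETSTAT = """\
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 atom.ssh               203.0.113.7.51234      ESTABLISHED
tcp4       0      0 atom.60448             host154.advance.com.ar.auth TIME_WAIT
"""

IDENT_PORT = 113                     # "auth" in /etc/services
DEFAULT_IDENT_TIMEOUT = 10           # assumed libwrap compile-time default
RFC931_OPT = re.compile(r"(?i)^RFC931(?:\s+(\d+))?$")

def parse_rules(text):
    """Split hosts.allow into (daemons, clients, options) tuples, skipping comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = [f.strip() for f in line.split(":")] if line else []
        if len(fields) >= 2:
            rules.append((fields[0], fields[1], fields[2:]))
    return rules

def ident_callback_rules(text):
    """Return the rules that make tcpd connect back to the client on port 113."""
    found = []
    for daemons, clients, options in parse_rules(text):
        for opt in options:
            m = RFC931_OPT.match(opt)
            if m:
                timeout = int(m.group(1)) if m.group(1) else DEFAULT_IDENT_TIMEOUT
                found.append({"daemons": daemons, "clients": clients, "timeout": timeout})
    return found

def drop_ident_option(text):
    """Rewrite hosts.allow with the RFC931 option removed; other checks stay."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            out.append(raw)
            continue
        fields = [f.strip() for f in raw.split(":")]
        out.append(" : ".join(f for f in fields if not RFC931_OPT.match(f)))
    return "\n".join(out)

def outbound_ident_connections(netstat_output):
    """Flag TCP entries whose foreign port is auth/113: outbound ident callbacks."""
    hits = []
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) >= 6 and parts[0].startswith("tcp"):
            host, _, port = parts[4].rpartition(".")
            if port in ("auth", str(IDENT_PORT)):
                hits.append((host, parts[5]))
    return hits
```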