Re: openssh concerns



On Fri, 2 Oct 2009, johnea wrote:
Garrett Wollman wrote:
[..]
tcp4 0 0 atom.60448 host154.advance.com.ar.auth
TIME_WAIT

"auth" is the port number used by the IDENT protocol.

-GAWollman

Thank You to everyone who responded!

In fact I did discover these lines in hosts.allow:

31-# Protect against simple DNS spoofing attacks by checking that the
32-# forward and reverse records for the remote host match. If a mismatch
33-# occurs, access is denied, and any positive ident response within
34-# 20 seconds is logged. No protection is afforded against DNS poisoning,
35-# IP spoofing or more complicated attacks. Hosts with no reverse DNS
36-# pass this rule.
37:ALL : PARANOID : RFC931 20 : deny

This is what was generating the auth protocol socket.

I've disabled it to prevent the establishment of the auth socket to hosts
who are attempting to breakin.

Per another suggestion I also intend to change the port for ssh to a
non-standard number (after synchronizing with the users of course 8-)

This will provide the greatest relief against drive-by ssh probes, which
are pretty much background radiation these days. Some may decry it as
'security by obscurity', but who cares when it works so effectively :)

http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers provides a
reasonably useful list of ports NOT to choose for an obscure ssh port.

cheers, Ian
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"