Need urgent help regarding security
Marian Hettwer
MH at kernel32.de
Mon Nov 21 05:14:14 PST 2005
Hi Jeremie,
Jeremie Le Hen wrote:
> Hi, Marian,
>
>
>
> Security is not absolute, as you surely know considering the fact you
> seem to be quite sensitive to it. I guess that most of running sshd(8)
> are bound to port tcp/22. If a group of hackers find a hole in
> OpenSSH's sshd(8) implementation in a very early stage of the
> connection (IOW before authentication) but do not disclose it - and
> only God knows how many undisclosed holes there are - then one can
> figure they want to avail themselves of this hole by working in
> collaboration with spammers or whatever. The best way they can work
> for this purpose is creating a massive exploitation tool in order to
> install as many spam agents as they can, before the hole is disclosed.
> Not having your sshd(8) bound to port 22 would save you from being
> exploited in this case.
>
You're right with that assumption. And yes, given the above scenario,
letting the sshd run on a different port would help. However, your
scenario counts to any daemon listening on any port. What would you like
to do? Moving httpd, smtpd and whoever to another port? :)
I'd rather say, use any tools available within FreeBSD to make your box
as secure as you need it to be. I'm thinking of fine things like
kern.securelevel for instance :)
> Of course, if this particular group of hackers wants to defeat _your_
> network, this measure won't prevent them from exploiting your sshd(8).
>
right.
> There is no need to involve kiddies, given that the tools they are
> using would surely appear far after the correction of the hole in the
> next OpenSSH release and all serious network administrators would have
> upgraded their boxes.
>
Being confident that the OpenSSH guys are good developers too, I'm not
that much afraid of the hackers you mentioned above (and of course no
script-kiddies either) :-)
> Please, don't turn this thread into a troll.
>
It's definitely not my intention to troll. If somebody thinks that I do,
I'm sorry in advance. I just have the strong feeling that moving a
daemon to another port (where it doesn't belong) won't gain any security.
best regards,
Marian