openssh concerns
István
leccine at gmail.com
Fri Oct 2 15:32:27 UTC 2009
Protect against simple DNS spoofing attacks by checking that the...
So if the ssh brute force is coming from a properly set up DNS host it is OK
:))))
On Fri, Oct 2, 2009 at 4:28 PM, johnea <me at johnea.net> wrote:
> Garrett Wollman wrote:
>
>> <<On Thu, 01 Oct 2009 17:13:55 -0700, johnea <me at johnea.net> said:
>>
>>> The thing that concerned me is an entry I saw in netstat showing
>>> my system connecting back to a machine that was attempting to log
>>> in to ssh.
>>>
>>> Does the ssh server establish a socket to a client attempting login?
>>
>> The SSH protocol does not, but you appear to be using "TCP wrappers"
>> (/etc/hosts.allow) configured in such a way that it makes an IDENT
>> protocol request back to the originating server. This is rarely
>> likely to do anything useful and should probably be disabled.
>>
>>> tcp4 0 0 atom.60448 host154.advance.com.ar.auth TIME_WAIT
>>
>> "auth" is the port number used by the IDENT protocol.
>>
>> -GAWollman
>>
>
> Thank You to everyone who responded!
>
> In fact I did discover these lines in hosts.allow:
>
> 31-# Protect against simple DNS spoofing attacks by checking that the
> 32-# forward and reverse records for the remote host match. If a mismatch
> 33-# occurs, access is denied, and any positive ident response within
> 34-# 20 seconds is logged. No protection is afforded against DNS poisoning,
> 35-# IP spoofing or more complicated attacks. Hosts with no reverse DNS
> 36-# pass this rule.
> 37:ALL : PARANOID : RFC931 20 : deny
>
> This is what was generating the auth protocol socket.
>
> I've disabled it to prevent the establishment of the auth socket to hosts
> who are attempting to break in.
>
> Per another suggestion I also intend to change the port for ssh to a
> non-standard number (after synchronizing with the users of course 8-)
>
> Maybe I'm a little paranoid, but after watching the level of spam ever
> increasing over the last 5 years, and more and more people moving to
> big (monopolistic?) service providers like google and hotmail, I've
> wondered if these big corporate service providers don't tolerate the
> spam level in order to prevent anyone who doesn't have a building full
> of IT staff from running their own mail servers.
>
> Perhaps with the help of people like those on this list, the internet
> won't have to be abandoned by independents?
>
> Thanks again to everyone!
>
> johnea
> _______________________________________________
> freebsd-security at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe at freebsd.org"
>
--
the sun shines for all
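As an added example (not part of this thread, and not FreeBSD's own tooling), a small Python check for the two symptoms discussed above: hosts.allow rules whose option list carries RFC931 (the ident look-up), and netstat entries showing the server connecting out to a remote auth/113 port. The hosts.allow and netstat samples are constructed to mirror the thread.

```python
import re

# Constructed sample hosts.allow: the rule johnea found, a plain allow rule,
# and a PARANOID rule without the ident look-up (assumed safer variant).
HOSTS_ALLOW = """\
# Protect against simple DNS spoofing attacks
ALL : PARANOID : RFC931 20 : deny
sshd : 192.168.1.0/24 : allow
ALL : PARANOID : deny
"""

# Constructed sample in FreeBSD netstat style: proto, recv-q, send-q,
# local address, foreign address (port as dot suffix), state.
NETSTAT = """\
tcp4 0 0 atom.60448 host154.advance.com.ar.auth TIME_WAIT
tcp4 0 0 atom.ssh 198.51.100.7.51022 ESTABLISHED
tcp4 0 0 atom.41002 203.0.113.9.113 SYN_SENT
"""

IDENT_OPTION = re.compile(r"\brfc931\b", re.IGNORECASE)


def ident_rules(hosts_allow):
    """Return (line_no, rule) for each rule whose options trigger an ident look-up."""
    found = []
    for n, line in enumerate(hosts_allow.splitlines(), 1):
        rule = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not rule:
            continue
        fields = [f.strip() for f in rule.split(":")]
        # fields[0] is the daemon list, fields[1] the client list; anything
        # after that is the option list, which is where RFC931 appears.
        if any(IDENT_OPTION.search(opt) for opt in fields[2:]):
            found.append((n, rule))
    return found


def ident_callbacks(netstat):
    """Return remote hosts this box is contacting on the ident port (auth/113)."""
    hosts = []
    for line in netstat.splitlines():
        parts = line.split()
        if len(parts) < 5 or not parts[0].startswith("tcp"):
            continue
        remote_host, _, remote_port = parts[4].rpartition(".")
        if remote_port in ("auth", "113"):
            hosts.append(remote_host)
    return hosts
```

Feed `ident_rules` the contents of /etc/hosts.allow and `ident_callbacks` the output of `netstat -a` (with or without `-n`, since both the `auth` service name and the numeric port 113 are matched).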