openssh concerns
Ian Smith
smithi at nimnet.asn.au
Fri Oct 2 19:09:25 UTC 2009
On Fri, 2 Oct 2009, johnea wrote:
> Garrett Wollman wrote:
[..]
> > > tcp4 0 0 atom.60448 host154.advance.com.ar.auth TIME_WAIT
> >
> > "auth" is the port number used by the IDENT protocol.
> >
> > -GAWollman
>
> Thank You to everyone who responded!
>
> In fact I did discover these lines in hosts.allow:
>
> # Protect against simple DNS spoofing attacks by checking that the
> # forward and reverse records for the remote host match. If a mismatch
> # occurs, access is denied, and any positive ident response within
> # 20 seconds is logged. No protection is afforded against DNS poisoning,
> # IP spoofing or more complicated attacks. Hosts with no reverse DNS
> # pass this rule.
> ALL : PARANOID : RFC931 20 : deny
>
> This is what was generating the auth protocol socket.
>
> I've disabled it to prevent the establishment of the auth socket to hosts
> who are attempting to breakin.
>
> Per another suggestion I also intend to change the port for ssh to a
> non-standard number (after synchronizing with the users of course 8-)
This will provide the greatest relief against drive-by ssh probes, which
are pretty much background radiation these days. Some may decry it as
'security by obscurity', but who cares when it works so effectively :)
http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers provides a
reasonably useful list of ports NOT to choose for an obscure ssh port.
cheers, Ian
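One way to audit a hosts.allow for the kind of rule johnea found, as an added example that is not code from this thread or from tcp_wrappers itself: a small Python parser that reports every rule carrying an rfc931 option, the option that makes tcp_wrappers open the outbound "auth" (port 113) socket back to the connecting host. The file contents below are constructed, and the parser deliberately ignores the corner case of colons inside spawn/twist shell commands.

```python
"""Audit a tcp_wrappers hosts.allow for rules that trigger outbound IDENT
(RFC 931, TCP port 113 'auth') lookups toward the connecting host."""
import re

# Constructed hosts.allow excerpt (not the poster's real file); the first
# rule is the one quoted in the thread, the rest are typical neighbours.
SAMPLE_HOSTS_ALLOW = """\
# forward/reverse DNS mismatch: deny and log a positive ident reply
ALL : PARANOID : RFC931 20 : deny
sshd : 192.168.1.0/255.255.255.0 \\
     : allow
sshd : ALL : rfc931 : deny
ALL : ALL : allow
"""


def parse_rules(text):
    """Return [(daemons, clients, options)] from hosts.allow text, handling
    '#' comments and backslash-newline continuation as tcp_wrappers does.
    Simplification: ':' inside spawn/twist commands is not handled."""
    joined = text.replace("\\\n", "")
    rules = []
    for line in joined.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue  # malformed: tcp_wrappers needs daemon and client lists
        rules.append((fields[0].split(), fields[1].split(), fields[2:]))
    return rules


def ident_lookups(rules):
    """Return (rule_index, clients, timeout) for every rule carrying an
    rfc931 option; timeout is None when the rule relies on the default."""
    hits = []
    for i, (_, clients, options) in enumerate(rules):
        for opt in options:
            m = re.match(r"rfc931(?:\s+(\d+))?$", opt, re.IGNORECASE)
            if m:
                timeout = int(m.group(1)) if m.group(1) else None
                hits.append((i, " ".join(clients), timeout))
    return hits


if __name__ == "__main__":
    for idx, clients, timeout in ident_lookups(parse_rules(SAMPLE_HOSTS_ALLOW)):
        print(f"rule {idx}: ident lookup toward '{clients}', timeout={timeout}")
```

To check a live system, pass the contents of /etc/hosts.allow to parse_rules instead of the constructed sample.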