RE: Provide SSH to someone w/ dynamic IP address {Scanned}

From: Tom Klem (thewiz_at_lvcablemodem.com)
Date: 09/09/04

  • Next message: Mollatt Ntini: "Re: pop3 server"
    Date: Wed, 08 Sep 2004 22:15:22 -0700
    To: redhat-list@redhat.com
    
    

    It is a very interesting problem.

    I know that anything is possible, and I suppose that any port scanner will find port 22 open at any given time. Have you considered using another port? At least with that, they get an open port for which they do not have a cookbook recipe or hacker kiddie script. They are not sure what the purpose of the 'mysterious' port is, etcetera.

    Just a thought.

    Tom

    *********** REPLY SEPARATOR ***********

    On 09/08/2004 at 5:01 AM Michael Scully wrote:

    >Tom:
    >
    > The issue becomes one of exposure to brute force attacks. Once you
    >have a port responding for a known service, you can attack it with an
    >automated tool that tries generating the user and password info
    >methodically. For speed, they try combinations of dictionary words first,
    >then use calculated possibilities after that. If you don't get detected
    >from a bandwidth usage standpoint, you can let these things run for days,
    >breaking through over time if the user name and password schemes aren't
    >randomized enough.
    >
    >Scully
    >
    >
    >-----Original Message-----
    >From: redhat-list-bounces@redhat.com
    >[mailto:redhat-list-bounces@redhat.com]
    >On Behalf Of Tom Klem
    >Sent: Wednesday, September 08, 2004 12:22 AM
    >To: Benjamin@Weiss.name; redhat-list@redhat.com
    >Subject: Re: Provide SSH to someone w/ dynamic IP address {Scanned}
    >
    >What about "only allow users" ?
    >
    >The casual observer will not know for sure why no logon for them will work,
    >and if they happen to hit one of your valid users, the
    >password/authentication should stop them, yes?
    >
    >Tom Klem
    >
    >
    >*********** REPLY SEPARATOR ***********
    >
    >On 09/05/2004 at 9:26 AM Benjamin J. Weiss wrote:
    >
    >>On Sat, 4 Sep 2004, Lew Bloch wrote:
    >>
    >>> >> How about moving sshd from 22 to another port (85?) that only you and he
    >>> >> would know. Then he would ssh to -p 85. Anyone ssh to -p 22 would get a
    >>> >> timeout.
    >>> >
    >>> > Thought about that...but if anyone is port scanning my network they would
    >>> > eventually find the open port and it's a matter of time.
    >>>
    >>> OK, then they know you exist, but that doesn't necessarily mean they can
    >>> compromise your system. I haven't figured out how to be generally
    >>> invisible except to friendlies, but one can allow ingress to members of
    >>> only specific groups via the /etc/ssh/sshd_config "AllowGroups" entry
    >>> (or to specific users via "AllowUsers").
    >>>
    >>> For example, you can create a group "frobozz" and put your friend's id
    >>> in that group, then put a line in /etc/ssh/sshd_config
    >>> "AllowGroups" frobozz
    >>>
    >>> Of course, you'll also want to have a line
    >>> PermitRootLogin no
    >>>
    >>> I, too, am curious how to make the port visible to only the select few,
    >>> but I don't think it can be done. The best I've found is to deny entry
    >>> to those undesirables who do find my (non-standard) SSH port. Is there
    >>> such a magic bullet?
    >>
    >>
    >>I think that y'all are looking for something called "port knocking":
    >>
    >>http://netsecurity.about.com/cs/generalsecurity/a/aa032004.htm
    >>
    >>Basic idea...a daemon listens to all connection attempts to all ports.
    >>When it detects a specific pattern, it will open the port that you define.
    >>
    >>It won't help if somebody's actually sniffing one of the end-points,
    >>because the bad guy will be able to record the knock sequence. Other than
    >>that, it's not a bad idea.
    >>
    >>I haven't used it, but there's a linux program that claims to do this:
    >>
    >>http://www.zeroflux.org/knock/
    >>
    >>Good luck.
    >>
    >>Ben
    >>
    >>
    >>--
    >>redhat-list mailing list
    >>unsubscribe mailto:redhat-list-request@redhat.com?subject=unsubscribe
    >>https://www.redhat.com/mailman/listinfo/redhat-list

    -- 
    redhat-list mailing list
    unsubscribe mailto:redhat-list-request@redhat.com?subject=unsubscribe
    https://www.redhat.com/mailman/listinfo/redhat-list
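
An added configuration example, not taken from any poster in the thread: the /etc/ssh/sshd_config fragment that puts together what the thread suggests (a non-standard port, AllowGroups, PermitRootLogin no) with the settings that limit the brute-force exposure Scully describes. The group name frobozz comes from Lew's message; the port number 2222 and the MaxAuthTries and LoginGraceTime values are assumptions. sshd_config does not accept trailing comments on a directive line, so every comment sits on its own line.

```sshd_config
# /etc/ssh/sshd_config fragment (added example; port and group are assumptions)

# Weak settings this replaces:
#   Port 22
#   PermitRootLogin yes
#   (no AllowGroups/AllowUsers: every local account is a login target)
#   PasswordAuthentication yes

# Hypothetical non-standard port. It only moves you off the scanners'
# default; anyone who sweeps the full range still finds it.
Port 2222

# Only SSH protocol 2 (relevant on 2004-era OpenSSH; a no-op on current versions)
Protocol 2

# root is never reachable directly
PermitRootLogin no

# only members of this group may authenticate at all; everyone else is
# refused before the password is even checked
AllowGroups frobozz

# cap guesses per connection and drop idle unauthenticated connections fast
MaxAuthTries 3
LoginGraceTime 30

# public keys only: a dictionary of passwords no longer helps the attacker
PasswordAuthentication no
```

Before reloading, `sshd -t` checks the file for syntax errors and `getent group frobozz` confirms the friend's account is actually a member; a typo in AllowGroups locks everybody out, so keep an existing session open while the new configuration is tested.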
    

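The port-knocking idea Ben describes, as an added example that is neither code from this thread nor from the knock program at zeroflux.org: a detector replays a constructed list of connection attempts (timestamp, source address, destination port), tracks each source's progress through a secret port sequence within a time window, and only sources that completed the knock are allowed through to the SSH port. The sequence, window, port numbers and addresses are all assumptions made for illustration. The sample events also show the two points raised in the thread: a scanner walking ports in order never completes a sequence that is not ascending, while a sniffer who recorded the friend's knock can replay it from a different address and get in.

```python
"""Port-knock detector replayed over constructed connection-attempt events.

Added example; not code from the thread or from the zeroflux knock program.
It models what Ben describes: a watcher sees every inbound connection attempt,
and a source that hits a secret port sequence, in order and within a time
window, gets the real SSH port opened for it.
"""
from collections import defaultdict

KNOCK_SEQUENCE = (7000, 9000, 8000)  # assumed secret; deliberately not ascending
KNOCK_WINDOW = 10.0                  # assumed: seconds allowed for the whole sequence
SSH_PORT = 2222                      # assumed non-standard sshd port behind the knock


def process_events(events, sequence=KNOCK_SEQUENCE, window=KNOCK_WINDOW,
                   ssh_port=SSH_PORT):
    """Replay (timestamp, src_ip, dst_port) SYN events in time order.

    Returns (opened, decisions):
      opened    -- {src_ip: timestamp at which that source completed the knock}
      decisions -- [(src_ip, dst_port, "allow" | "drop")] for attempts on ssh_port
    """
    # per source: (index of the next expected port, time of the first knock)
    progress = defaultdict(lambda: (0, 0.0))
    opened = {}
    decisions = []
    for ts, src, port in sorted(events):
        if port == ssh_port:
            decisions.append((src, port, "allow" if src in opened else "drop"))
            continue
        idx, started = progress[src]
        if idx and ts - started > window:
            idx, started = 0, 0.0           # partial knock went stale
        if port == sequence[idx]:
            if idx == 0:
                started = ts
            idx += 1
            if idx == len(sequence):
                opened[src] = ts            # full sequence seen: open the port
                idx, started = 0, 0.0
        elif port == sequence[0]:
            idx, started = 1, ts            # wrong port, but it starts a fresh knock
        else:
            # Any other port resets progress. This is what defeats a scanner
            # walking ports upwards: it cannot hit 7000, 9000, 8000 in that
            # order without touching something in between.
            idx, started = 0, 0.0
        progress[src] = (idx, started)
    return opened, decisions


# Constructed sample events: (unix timestamp, source address, destination port).
SAMPLE_EVENTS = [
    # the friend, on today's dynamic address, knocks correctly and connects
    (100.0, "203.0.113.7", 7000),
    (101.0, "203.0.113.7", 9000),
    (102.0, "203.0.113.7", 8000),
    (103.0, "203.0.113.7", 2222),
    # a scanner sweeping ports in ascending order: 7001 resets its progress
    (200.0, "198.51.100.9", 7000),
    (200.1, "198.51.100.9", 7001),
    (200.2, "198.51.100.9", 8000),
    (200.3, "198.51.100.9", 9000),
    (200.4, "198.51.100.9", 2222),
    # someone who sniffed the friend's knock replays it from another address
    (300.0, "192.0.2.55", 7000),
    (300.5, "192.0.2.55", 9000),
    (301.0, "192.0.2.55", 8000),
    (302.0, "192.0.2.55", 2222),
    # a correct sequence sent too slowly: the window expires, nothing opens
    (400.0, "198.51.100.10", 7000),
    (420.0, "198.51.100.10", 9000),
    (421.0, "198.51.100.10", 8000),
    (422.0, "198.51.100.10", 2222),
]


if __name__ == "__main__":
    opened, decisions = process_events(SAMPLE_EVENTS)
    for src, port, verdict in decisions:
        print(f"{src:>15} -> port {port}: {verdict}")
```

Run as `python3 knock.py`; the replayed sequence from 192.0.2.55 is reported as "allow", which is exactly the weakness Ben flags: the knock is a shared secret sent in the clear, so it raises the bar against casual scanners but not against anyone watching the wire. On a real host the "allow" step would insert a firewall rule for that source, and the window needs to be generous enough for a friend on a slow link, since each knock is a separate TCP connection attempt.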