What about "only allow users"? The casual observer will not know for sure why no logon for them will work, and if they happen to hit one of your valid users, the password/authentication should stop them, yes?

Tom Klem

*********** REPLY SEPARATOR ***********

On 09/05/2004 at 9:26 AM Benjamin J. Weiss wrote:

>On Sat, 4 Sep 2004, Lew Bloch wrote:
>
>> >> How about moving sshd from 22 to another port (85?) that only you and he
>> >> would know. Then he would ssh to -p 85. Anyone ssh to -p 22 would get a
>> >> timeout.
>> >
>> > Thought about that...but if anyone is port scanning my network they would
>> > eventually find the open port and it's a matter of time.
>>
>> OK, then they know you exist, but that doesn't necessarily mean they can
>> compromise your system. I haven't figured out how to be generally
>> invisible except to friendlies, but one can allow ingress to members of
>> only specific groups via the /etc/ssh/sshd_config "AllowGroups" entry
>> (or to specific users via "AllowUsers").
>>
>> For example, you can create a group "frobozz" and put your friend's id
>> in that group, then put a line in /etc/ssh/sshd_config
>> "AllowGroups" frobozz
>>
>> Of course, you'll also want to have a line
>> PermitRootLogin no
>>
>> I, too, am curious how to make the port visible to only the select few,
>> but I don't think it can be done. The best I've found is to deny entry
>> to those undesirables who do find my (non-standard) SSH port. Is there
>> such a magic bullet?
>
>
>I think that y'all are looking for something called "port knocking":
>
>http://netsecurity.about.com/cs/generalsecurity/a/aa032004.htm
>
>Basic idea...a daemon listens to all connection attempts to all ports.
>When it detects a specific pattern, it will open the port that you define.
>
>It won't help if somebody's actually sniffing one of the end-points,
>because the bad guy will be able to record the knock sequence. Other than
>that, it's not a bad idea.
>
>I haven't used it, but there's a linux program that claims to do this:
>
>http://www.zeroflux.org/knock/
>
>Good luck.
>
>Ben
>
>
>--
>redhat-list mailing list
>unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
>https://www.redhat.com/mailman/listinfo/redhat-list
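The AllowGroups/AllowUsers/PermitRootLogin directives discussed in the thread above are evaluated by sshd in a fixed order (DenyUsers, AllowUsers, DenyGroups, AllowGroups), and a user who fails any stage is rejected before the password is ever checked. The following is an added example, not code from the thread or from OpenSSH: it parses a constructed sshd_config fragment and answers "can this user log in?" under those rules, assuming no Match blocks and plain USER patterns (no USER@HOST form).

```python
"""Check who an sshd_config allows to log in (added example, not OpenSSH code)."""
import shlex
from fnmatch import fnmatchcase

# Constructed sample config following the thread's suggestions.
SAMPLE_SSHD_CONFIG = """
Port 85                 # non-standard port, as proposed in the thread
PermitRootLogin no
AllowGroups frobozz     # only members of group frobozz may log in
DenyUsers guest         # deny wins even if the user is in frobozz
"""


def parse_sshd_config(text):
    """Return {keyword (lowercase): [values]} for the global section.

    As in sshd, the first occurrence of a keyword wins and keywords are
    case-insensitive. Assumption: parsing stops at the first Match block.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = shlex.split(line)
        key = parts[0].lower()
        if key == "match":
            break
        conf.setdefault(key, parts[1:])
    return conf


def user_allowed(conf, user, groups):
    """Apply sshd's documented order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.

    `groups` is the user's primary and supplementary group names. Patterns
    use sshd's * and ? wildcards (fnmatchcase is case-sensitive like sshd).
    """
    if any(fnmatchcase(user, p) for p in conf.get("denyusers", [])):
        return False
    allow_users = conf.get("allowusers")          # None means "not restricted"
    if allow_users is not None and not any(fnmatchcase(user, p) for p in allow_users):
        return False
    if any(fnmatchcase(g, p) for p in conf.get("denygroups", []) for g in groups):
        return False
    allow_groups = conf.get("allowgroups")
    if allow_groups is not None and not any(fnmatchcase(g, p) for p in allow_groups for g in groups):
        return False
    # PermitRootLogin is checked separately by sshd; assume the old default "yes" if unset.
    if user == "root" and conf.get("permitrootlogin", ["yes"])[0].lower() == "no":
        return False
    return True
```

Running `user_allowed(parse_sshd_config(SAMPLE_SSHD_CONFIG), "stranger", ["stranger", "users"])` returns False, which is the behaviour the thread relies on: a scanner who finds port 85 still needs a valid account in the allowed group.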