RE: Provide SSH to someone w/ dynamic IP address {Scanned}


Tom:

	The issue becomes one of exposure to brute force attacks.  Once you
have a port responding for a known service, you can attack it with an
automated tool that tries generating the user and password info
methodically.  For speed, they try combinations of dictionary words first,
then use calculated possibilities after that.  If you don't get detected
from a bandwidth usage standpoint, you can let these things run for days,
breaking through over time if the user name and password schemes aren't
randomized enough.

Scully
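The brute-force exposure Scully describes leaves a clear trace: sshd logs every failed guess to the auth log (/var/log/secure on Red Hat). The following shell script is an added example, not code from any message in this thread. It runs the kind of per-source counting that tools such as DenyHosts or fail2ban automate over a handful of constructed log lines in sshd's format (the hosts, user names and times are made up), and prints the sources that cross a threshold together with the firewall rule that would drop them. The SSH_PORT variable is an assumption matching the thread's default of 22.

```shell
#!/bin/sh
# Added example: count failed sshd logins per source address and report
# sources at or over a threshold. Not part of the original thread.

SSH_PORT=22   # assumption: the port sshd listens on (thread discusses moving it)

# Constructed sample of /var/log/secure content. Two distinct failure
# messages appear: "invalid user" (name does not exist, which is what
# AllowUsers/AllowGroups rejections also look like to the guesser) and a
# plain failure for a real account. The "Accepted" line must not be counted.
SAMPLE_LOG='Sep  8 00:12:01 box sshd[2210]: Failed password for invalid user admin from 10.0.0.5 port 40210 ssh2
Sep  8 00:12:03 box sshd[2212]: Failed password for invalid user test from 10.0.0.5 port 40211 ssh2
Sep  8 00:12:05 box sshd[2214]: Failed password for root from 10.0.0.5 port 40212 ssh2
Sep  8 00:12:07 box sshd[2216]: Failed password for invalid user oracle from 10.0.0.5 port 40213 ssh2
Sep  8 00:12:09 box sshd[2218]: Failed password for invalid user guest from 10.0.0.5 port 40214 ssh2
Sep  8 00:12:11 box sshd[2220]: Failed password for invalid user www from 10.0.0.5 port 40215 ssh2
Sep  8 00:13:40 box sshd[2230]: Failed password for tom from 192.168.1.20 port 51000 ssh2
Sep  8 00:13:52 box sshd[2232]: Accepted password for tom from 192.168.1.20 port 51001 ssh2
Sep  8 00:20:15 box sshd[2240]: Failed password for invalid user admin from 10.0.0.9 port 33001 ssh2'

# failed_by_source LOG_TEXT
# Prints "<count> <source-ip>" for every source with at least one failure,
# highest count first. Only sshd "Failed password" lines are considered.
failed_by_source() {
    printf '%s\n' "$1" |
    awk '/sshd\[[0-9]+\]: Failed password for/ {
             # the source address is the field after the word "from"
             for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i+1)]++; break }
         }
         END { for (ip in fails) print fails[ip], ip }' |
    sort -rn
}

# brute_force_sources LOG_TEXT THRESHOLD
# Prints the source addresses with THRESHOLD or more failures, one per line.
brute_force_sources() {
    failed_by_source "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# block_rules LOG_TEXT THRESHOLD
# Emits an iptables rule per offender (printed, not executed; pipe to sh to apply).
block_rules() {
    brute_force_sources "$1" "$2" |
    while read -r ip; do
        printf 'iptables -I INPUT -s %s -p tcp --dport %s -j DROP\n' "$ip" "$SSH_PORT"
    done
}

# Report when run directly.
failed_by_source "$SAMPLE_LOG"
echo "--- sources at or over 5 failures ---"
brute_force_sources "$SAMPLE_LOG" 5
echo "--- firewall rules ---"
block_rules "$SAMPLE_LOG" 5
```

On the constructed sample, 10.0.0.5 is the only source over the threshold; the single failure from 192.168.1.20 followed by an accepted login is the ordinary typo pattern and is left alone. Note that the AllowGroups and PermitRootLogin settings discussed below shrink the set of accounts worth guessing but do not remove the guessable secret itself; turning off PasswordAuthentication in sshd_config and using keys does, and is the stronger fix against exactly the attack Scully describes.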


-----Original Message-----
From: redhat-list-bounces@xxxxxxxxxx [mailto:redhat-list-bounces@xxxxxxxxxx]
On Behalf Of Tom Klem
Sent: Wednesday, September 08, 2004 12:22 AM
To: Benjamin@xxxxxxxxxx; redhat-list@xxxxxxxxxx
Subject: Re: Provide SSH to someone w/ dynamic IP address {Scanned}

What about "only allow users" ?

The casual observer will not know for sure why no logon for them will work,
and if they happen to hit one of your valid users, the
password/authentication should stop them, yes?

Tom Klem


*********** REPLY SEPARATOR  ***********

On 09/05/2004 at 9:26 AM Benjamin J. Weiss wrote:

>On Sat, 4 Sep 2004, Lew Bloch wrote:
>
>> >> How about moving sshd from 22 to another port (85?) that only you and
>> >> he would know. Then he would ssh to -p 85. Anyone ssh to -p 22 would
>> >> get a timeout.
>> > 
>> > Thought about that...but if anyone is port scanning my network they
>> > would eventually find the open port and it's a matter of time.
>> 
>> OK, then they know you exist, but that doesn't necessarily mean they can 
>> compromise your system.  I haven't figured out how to be generally 
>> invisible except to friendlies, but one can allow ingress to members of 
>> only specific groups via the /etc/ssh/sshd_config "AllowGroups" entry 
>> (or to specific users via "AllowUsers").
>> 
>> For example, you can create a group "frobozz" and put your friend's id 
>> in that group, then put a line in /etc/ssh/sshd_config
>> 	AllowGroups frobozz
>> 
>> Of course, you'll also want to have a line
>> 	PermitRootLogin no
>> 
>> I, too, am curious how to make the port visible to only the select few, 
>> but I don't think it can be done.  The best I've found is to deny entry 
>> to those undesirables who do find my (non-standard) SSH port.  Is there 
>> such a magic bullet?
>
>
>I think that y'all are looking for something called "port knocking":
>
>http://netsecurity.about.com/cs/generalsecurity/a/aa032004.htm
>
>Basic idea... a daemon listens to all connection attempts to all ports.
>When it detects a specific pattern, it will open the port that you define.
>It won't help if somebody's actually sniffing one of the end-points, 
>because the bad guy will be able to record the knock sequence.  Other than 
>that, it's not a bad idea.
>
>I haven't used it, but there's a linux program that claims to do this:
>
>http://www.zeroflux.org/knock/
>
>Good luck.
>
>Ben
>
>
>-- 
>redhat-list mailing list
>unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
>https://www.redhat.com/mailman/listinfo/redhat-list





