Tom:

The issue becomes one of exposure to brute force attacks. Once you have a port responding for a known service, you can attack it with an automated tool that tries generating the user and password info methodically. For speed, they try combinations of dictionary words first, then use calculated possibilities after that. If you don't get detected from a bandwidth usage standpoint, you can let these things run for days, breaking through over time if the user name and password schemes aren't randomized enough.

Scully

-----Original Message-----
From: redhat-list-bounces@xxxxxxxxxx [mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of Tom Klem
Sent: Wednesday, September 08, 2004 12:22 AM
To: Benjamin@xxxxxxxxxx; redhat-list@xxxxxxxxxx
Subject: Re: Provide SSH to someone w/ dynamic IP address {Scanned}

What about "only allow users"? The casual observer will not know for sure why no logon for them will work, and if they happen to hit one of your valid users, the password/authentication should stop them, yes?

Tom Klem

*********** REPLY SEPARATOR ***********

On 09/05/2004 at 9:26 AM Benjamin J. Weiss wrote:

>On Sat, 4 Sep 2004, Lew Bloch wrote:
>
>> >> How about moving sshd from 22 to another port (85?) that only you and he
>> >> would know. Then he would ssh to -p 85. Anyone ssh to -p 22 would get a
>> >> timeout.
>> >
>> > Thought about that...but if anyone is port scanning my network they would
>> > eventually find the open port and it's a matter of time.
>>
>> OK, then they know you exist, but that doesn't necessarily mean they can
>> compromise your system. I haven't figured out how to be generally
>> invisible except to friendlies, but one can allow ingress to members of
>> only specific groups via the /etc/ssh/sshd_config "AllowGroups" entry
>> (or to specific users via "AllowUsers").
>>
>> For example, you can create a group "frobozz" and put your friend's id
>> in that group, then put a line in /etc/ssh/sshd_config
>> "AllowGroups" frobozz
>>
>> Of course, you'll also want to have a line
>> PermitRootLogin no
>>
>> I, too, am curious how to make the port visible to only the select few,
>> but I don't think it can be done. The best I've found is to deny entry
>> to those undesirables who do find my (non-standard) SSH port. Is there
>> such a magic bullet?
>
>
>I think that y'all are looking for something called "port knocking":
>
>http://netsecurity.about.com/cs/generalsecurity/a/aa032004.htm
>
>Basic idea...a daemon listens to all connection attempts to all ports.
>When it detects a specific pattern, it will open the port that you define.
>
>It won't help if somebody's actually sniffing one of the end-points,
>because the bad guy will be able to record the knock sequence. Other than
>that, it's not a bad idea.
>
>I haven't used it, but there's a linux program that claims to do this:
>
>http://www.zeroflux.org/knock/
>
>Good luck.
>
>Ben
>
>
>--
>redhat-list mailing list
>unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
>https://www.redhat.com/mailman/listinfo/redhat-list
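Two checks a defender would want for the points raised in this thread, as an added example that is not part of the list discussion: a parser for sshd_config that reports whether AllowUsers/AllowGroups restricts logins and whether PermitRootLogin is off (including a Match block that re-enables it for one network, which a plain grep for "PermitRootLogin no" would miss), and a counter of "Failed password" lines per source address over auth-log text, the brute-force pattern Scully describes. The config fragment and the log lines are constructed; port 85 and the group name frobozz are taken from the thread, and the 10.0.0.0/8 Match block and the source addresses are made-up sample values.

```python
"""Added example (not from the list thread): audit an sshd_config for the
points raised above and count failed SSH logins per source in auth-log text.
All sample data below is constructed."""
import re
from collections import Counter

# Constructed sshd_config: uses the thread's port 85 and group "frobozz",
# plus a Match block that quietly re-enables root login for one network.
SAMPLE_SSHD_CONFIG = """\
# hardened per the list discussion
Port 85
PermitRootLogin no
AllowGroups frobozz
Match Address 10.0.0.0/8
    PermitRootLogin yes
"""

# Constructed auth-log lines in OpenSSH's "Failed password" wording
# (documentation addresses 192.0.2.x / 198.51.100.x, not real hosts).
SAMPLE_AUTH_LOG = """\
Sep  8 00:22:01 host sshd[1234]: Failed password for invalid user admin from 192.0.2.10 port 4022 ssh2
Sep  8 00:22:03 host sshd[1234]: Failed password for invalid user oracle from 192.0.2.10 port 4023 ssh2
Sep  8 00:22:05 host sshd[1235]: Failed password for root from 192.0.2.10 port 4024 ssh2
Sep  8 00:22:09 host sshd[1236]: Failed password for alice from 198.51.100.7 port 50001 ssh2
Sep  8 00:23:10 host sshd[1240]: Accepted publickey for alice from 198.51.100.7 port 50002 ssh2
"""

# "Keyword value" or "Keyword=value"; sshd accepts both forms.
DIRECTIVE_RE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")


def parse_sshd_config(text):
    """Return (global_settings, match_blocks) with lower-cased keywords.

    sshd keywords are case-insensitive and, for each keyword, the first
    value wins. Directives after a Match line belong to that block (kept as
    a list of (criteria, settings)) and override the global section for
    connections that match the criteria."""
    global_settings, match_blocks = {}, []
    current = global_settings
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            current = {}
            match_blocks.append((value, current))
        else:
            current.setdefault(key, value)     # first occurrence wins
    return global_settings, match_blocks


def audit_sshd_config(text):
    """List the exposure points from the thread that this config leaves open."""
    g, matches = parse_sshd_config(text)
    findings = []
    if not any(k in g for k in ("allowusers", "allowgroups")):
        findings.append("no AllowUsers/AllowGroups: every local account can be tried")
    if g.get("permitrootlogin", "").lower() != "no":
        findings.append("PermitRootLogin is not explicitly 'no'")
    for criteria, settings in matches:
        if settings.get("permitrootlogin", "").lower() == "yes":
            findings.append(f"Match {criteria} re-enables PermitRootLogin")
    if g.get("port", "22") == "22":
        findings.append("sshd on default port 22 (a moved port only hides, it never protects)")
    return findings


# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ...".
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+")


def failed_logins_by_source(log_text):
    """Count 'Failed password' lines per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def brute_force_sources(log_text, threshold=3):
    """Sources with at least `threshold` failures: the pattern Scully describes."""
    return sorted(src for src, n in failed_logins_by_source(log_text).items()
                  if n >= threshold)


if __name__ == "__main__":
    for finding in audit_sshd_config(SAMPLE_SSHD_CONFIG):
        print("config:", finding)
    print("brute-force sources:", brute_force_sources(SAMPLE_AUTH_LOG))
```

On the sample config the only finding is the Match block, which is the point of parsing the file rather than grepping it; on the sample log only 192.0.2.10 crosses the three-failure threshold, while alice's single typo from 198.51.100.7 does not. Run it against a real /etc/ssh/sshd_config and /var/log/secure (or auth.log) by reading those files into the two functions.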