It is a very interesting problem. I know that anything is possible, and I suppose that any port scanner will find port 22 open at any given time. Have you considered using another port? At least with that, they get a port open for which they do not have a cookbook recipe or hacker kiddie script. They are not sure what the purpose of the 'mysterious' port is, etcetera.

Just a thought.

Tom

*********** REPLY SEPARATOR ***********

On 09/08/2004 at 5:01 AM Michael Scully wrote:

>Tom:
>
>The issue becomes one of exposure to brute force attacks. Once you have a port responding for a known service, you can attack it with an automated tool that tries generating the user and password info methodically. For speed, they try combinations of dictionary words first, then use calculated possibilities after that. If you don't get detected from a bandwidth usage standpoint, you can let these things run for days, breaking through over time if the user name and password schemes aren't randomized enough.
>
>Scully
>
>-----Original Message-----
>From: redhat-list-bounces@xxxxxxxxxx [mailto:redhat-list-bounces@xxxxxxxxxx]
>On Behalf Of Tom Klem
>Sent: Wednesday, September 08, 2004 12:22 AM
>To: Benjamin@xxxxxxxxxx; redhat-list@xxxxxxxxxx
>Subject: Re: Provide SSH to someone w/ dynamic IP address {Scanned}
>
>What about "only allow users"?
>
>The casual observer will not know for sure why no logon for them will work, and if they happen to hit one of your valid users, the password/authentication should stop them, yes?
>
>Tom Klem
>
>*********** REPLY SEPARATOR ***********
>
>On 09/05/2004 at 9:26 AM Benjamin J. Weiss wrote:
>
>>On Sat, 4 Sep 2004, Lew Bloch wrote:
>>
>>> >> How about moving sshd from 22 to another port (85?) that only you and he would know. Then he would ssh to -p 85. Anyone ssh to -p 22 would get a timeout.
>>> >
>>> > Thought about that...but if anyone is port scanning my network they would eventually find the open port and it's a matter of time.
>>>
>>> OK, then they know you exist, but that doesn't necessarily mean they can compromise your system. I haven't figured out how to be generally invisible except to friendlies, but one can allow ingress to members of only specific groups via the /etc/ssh/sshd_config "AllowGroups" entry (or to specific users via "AllowUsers").
>>>
>>> For example, you can create a group "frobozz" and put your friend's id in that group, then put a line in /etc/ssh/sshd_config
>>> AllowGroups frobozz
>>>
>>> Of course, you'll also want to have a line
>>> PermitRootLogin no
>>>
>>> I, too, am curious how to make the port visible to only the select few, but I don't think it can be done. The best I've found is to deny entry to those undesirables who do find my (non-standard) SSH port. Is there such a magic bullet?
>>
>>I think that y'all are looking for something called "port knocking":
>>
>>http://netsecurity.about.com/cs/generalsecurity/a/aa032004.htm
>>
>>Basic idea...a daemon listens to all connection attempts to all ports. When it detects a specific pattern, it will open the port that you define.
>>
>>It won't help if somebody's actually sniffing one of the end-points, because the bad guy will be able to record the knock sequence. Other than that, it's not a bad idea.
>>
>>I haven't used it, but there's a Linux program that claims to do this:
>>
>>http://www.zeroflux.org/knock/
>>
>>Good luck.
>>
>>Ben
>>
>>--
>>redhat-list mailing list
>>unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
>>https://www.redhat.com/mailman/listinfo/redhat-list
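The port-knocking daemon Ben sketches in the thread (watch every connection attempt, open the real port only after a specific pattern) as an added example written for this page, not code from the thread or from the knock project it links: a small Python state machine that tracks, per source address, whether the configured port sequence arrives in order within a time window. The sequence (7000, 8000, 9000), the 10-second window and the sample traffic are constructed for illustration and are not defaults of any real tool.

```python
from collections import defaultdict

KNOCK_SEQUENCE = (7000, 8000, 9000)  # constructed secret sequence, not a real default
KNOCK_WINDOW = 10.0                  # seconds allowed to finish the whole sequence


class KnockDetector:
    """Tracks, per source IP, how far through the knock sequence it has got.
    As the thread notes, anyone sniffing an endpoint can record and replay the
    sequence, so this sits in front of AllowUsers/AllowGroups, not in their place."""

    def __init__(self, sequence=KNOCK_SEQUENCE, window=KNOCK_WINDOW):
        self.sequence = tuple(sequence)
        self.window = window
        # per-source progress: (index of next expected port, time of first knock)
        self._progress = defaultdict(lambda: (0, None))

    def observe(self, src_ip, dst_port, ts):
        """Feed one connection attempt; True only when the full sequence completes."""
        idx, started = self._progress[src_ip]
        if started is not None and ts - started > self.window:
            idx, started = 0, None          # stale partial sequence expires
        if dst_port == self.sequence[idx]:
            started = ts if idx == 0 else started
            idx += 1
            if idx == len(self.sequence):
                self._progress[src_ip] = (0, None)
                return True
            self._progress[src_ip] = (idx, started)
            return False
        # any other port resets; a correct first knock may start a fresh sequence
        self._progress[src_ip] = (1, ts) if dst_port == self.sequence[0] else (0, None)
        return False


def allowed_sources(events, detector=None):
    """Return the source IPs that completed the knock, in the order they did."""
    det = detector or KnockDetector()
    return [ip for ip, port, ts in events if det.observe(ip, port, ts)]


# Constructed sample traffic (src_ip, dst_port, timestamp): one friend knocks
# correctly, a slow sequential scan hits the same ports but outside the window,
# and a third host is reset by an unrelated attempt on port 22.
SAMPLE_EVENTS = [
    ("203.0.113.5", 7000, 100.0), ("203.0.113.5", 8000, 101.0), ("203.0.113.5", 9000, 102.0),
    ("198.51.100.9", 7000, 200.0), ("198.51.100.9", 8000, 215.0), ("198.51.100.9", 9000, 216.0),
    ("192.0.2.77", 7000, 300.0), ("192.0.2.77", 22, 301.0),
    ("192.0.2.77", 8000, 302.0), ("192.0.2.77", 9000, 303.0),
]

if __name__ == "__main__":
    print(allowed_sources(SAMPLE_EVENTS))  # ['203.0.113.5']
```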