RE: Provide SSH to someone w/ dynamic IP address {Scanned}

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



It is a very interesting problem.

I know that anything is possible, and I suppose that any port scanner will find port 22 open at any given time. Have you considered using another port? At least with that, they get a port open, for which they do not have a cookbook recipe, or hacker kiddie script. They are not sure what the purpose of the 'mysterious' port is, etcetera.

Just a thought.

Tom

*********** REPLY SEPARATOR  ***********

On 09/08/2004 at 5:01 AM Michael Scully wrote:

>Tom:
>
>	The issue becomes one of exposure to brute force attacks.  Once you
>have a port responding for a known service, you can attack it with an
>automated tool that tries generating the user and password info
>methodically.  For speed, they try combinations of dictionary words first,
>then use calculated possibilities after that.  If you don't get detected
>from a bandwidth usage standpoint, you can let these things run for days,
>breaking through over time if the user name and password schemes aren't
>randomized enough.
>
>Scully
>
>
>-----Original Message-----
>From: redhat-list-bounces@xxxxxxxxxx
>[mailto:redhat-list-bounces@xxxxxxxxxx]
>On Behalf Of Tom Klem
>Sent: Wednesday, September 08, 2004 12:22 AM
>To: Benjamin@xxxxxxxxxx; redhat-list@xxxxxxxxxx
>Subject: Re: Provide SSH to someone w/ dynamic IP address {Scanned}
>
>What about "only allow users" ?
>
>The casual observer will not know for sure why no logon for them will work,
>and if they happen to hit one of your valid users, the
>password/authentication should stop them, yes?
>
>Tom Klem
>
>
>*********** REPLY SEPARATOR  ***********
>
>On 09/05/2004 at 9:26 AM Benjamin J. Weiss wrote:
>
>>On Sat, 4 Sep 2004, Lew Bloch wrote:
>>
>>> >> How about moving sshd from 22 to another port (85?) that only you and
>>he
>>> >> would know. Then he would ssh to -p 85. Anyone ssh to -p 22 would get
>>a
>>> >> timeout.
>>> > 
>>> > Thought about that...but if anyone is port scanning my network they
>>would
>>> > evently find the open port and it's a matter to time.
>>> 
>>> OK, then they know you exist, but that doesn't necessarily mean they
>can 
>>> compromise your system.  I haven't figured out how to be generally 
>>> invisible except to friendlies, but one can allow ingress to members of 
>>> only specific groups via the /etc/ssh/sshd_config "AllowGroups" entry 
>>> (or to specific users via "AllowUsers").
>>> 
>>> For example, you can create a group "frobozz" and put your friend's id 
>>> in that group, then put a line in /etc/ssh/sshd_config
>>> 	"AllowGroups" frobozz
>>> 
>>> Of course, you'll also want to have a line
>>> 	PermitRootLogin no
>>> 
>>> I, too, am curious how to make the port visible to only the select few, 
>>> but I don't think it can be done.  The best I've found is to deny entry 
>>> to those undesirables who do find my (non-standard) SSH port.  Is there 
>>> such a magic bullet?
>>
>>
>>I think that y'all are looking for something called "port knocking":
>>
>>http://netsecurity.about.com/cs/generalsecurity/a/aa032004.htm
>>
>>Basic idea...a daemon listens to all connection attempts to all ports.  
>>When it detects a specific pattern, it will open the port that you define.
>> 
>>It won't help if somebody's actually sniffing one of the end-points, 
>>because the bad guy will be able to record the knock sequence.  Other
>than 
>>that, it's not a bad idea.
>>
>>I haven't used it, but there's a linux program that claims to do this:
>>
>>http://www.zeroflux.org/knock/
>>
>>Good luck.
>>
>>Ben
>>
>>
>>-- 
>>redhat-list mailing list
>>unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
>>https://www.redhat.com/mailman/listinfo/redhat-list
>
>
>
>
>-- 
>redhat-list mailing list
>unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
>https://www.redhat.com/mailman/listinfo/redhat-list
>
>
>-- 
>redhat-list mailing list
>unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
>https://www.redhat.com/mailman/listinfo/redhat-list




-- 
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list

[Index of Archives]     [CentOS]     [Kernel Development]     [PAM]     [Fedora Users]     [Red Hat Development]     [Big List of Linux Books]     [Linux Admin]     [Gimp]     [Asterisk PBX]     [Yosemite News]     [Red Hat Crash Utility]


  Powered by Linux