[rescue] SGI fw_sshd and security
Dan Duncan
dand at pcisys.net
Fri Mar 5 16:53:51 CST 2004
I'm not sure there's much benefit to changing the port for ssh.
It was probably found during a wide spectrum scan rather than
a specific probe for ssh, so it will probably turn up anyway.
I guess you could have some benefit by putting ssh on a port where they'd
expect another daemon (ftp or sendmail or something) so any tools
they turned loose would be speaking the wrong protocol, but that's
more security by obscurity than anything else. You could just
designate that machine as unclean and also firewall it away from your
others and sleep a little better if it does get hacked.
If you do move ssh, make sure it still responds on port 22 internally
or you'll just go nuts connecting between that machine and other machines
you may have inside, because they won't agree on which port ssh should
reside on, and you'll get tired of having to remember whether or not to
use 22. If your firewall lets you redirect incoming requests on port X
to an internal IP's port Y, I would do it that way. (In fact, I DO do
it that way.) On a previous firewall, I used xinetd on the ssh host
to redirect from 122 to 22 and then ssh ran on 22 as expected. I also
had ssh on 222, 322, etc., so I could hit different internal machines
with a single external IP... easier to remember. Same for 80, 180,
280, etc.: host1 was +100, host2 was +200, and so on.
I had someone hack one of my shell accounts recently. It was one
I used for email only (it had no other purpose) and I suspect they
sniffed the password when my cellphone was pulling mail via POP.
My new cellphone's POP client doesn't send the password in the
clear AND that account no longer has shell access AND I've rebuilt
the box AND it was in my pseudo-DMZ anyway (meaning it was firewalled
off from my other systems) but it still pisses me off.
-DanD
--
# Dan Duncan (kd4igw) dand at pcisys.net http://pcisys.net/~dand
# If trees could scream, would we be so cavalier about cutting them down? We
# might, if they screamed all the time, for no good reason. -DEEP THOUGHTS
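The port-offset scheme Dan describes (external 122 goes to host1's sshd on 22, 222 to host2's, and so on) can be expressed as xinetd redirect services on the gateway. The entries below are an added illustration, not configuration from the post; the internal addresses 192.168.1.1 and 192.168.1.2 and the service names are assumed placeholders.

```conf
# Added example: xinetd "+100 per host" redirects for ssh.
# Each target host keeps sshd listening on 22, so internal
# host-to-host ssh keeps working without remembering odd ports.

# External port 122 -> host1 (assumed 192.168.1.1), sshd on 22
service ssh-host1
{
    type           = UNLISTED
    disable        = no
    socket_type    = stream
    protocol       = tcp
    wait           = no
    user           = nobody
    port           = 122
    redirect       = 192.168.1.1 22
    # log the real client address here: the target sshd only
    # sees the redirecting host as its peer
    log_type       = SYSLOG authpriv info
    log_on_success += HOST DURATION
    log_on_failure += HOST
}

# External port 222 -> host2 (assumed 192.168.1.2), sshd on 22
service ssh-host2
{
    type           = UNLISTED
    disable        = no
    socket_type    = stream
    protocol       = tcp
    wait           = no
    user           = nobody
    port           = 222
    redirect       = 192.168.1.2 22
    log_type       = SYSLOG authpriv info
    log_on_success += HOST DURATION
    log_on_failure += HOST
}
```

Because xinetd's redirect is a TCP relay, the target host's sshd and its logs record the relay host as the client, so the xinetd log with HOST is the only place the original source address is kept. This only moves the port; as the post says, it does not replace firewalling the exposed machine off from the rest.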