Date:      Sat, 22 Oct 2011 17:10:23 +0200
From:      Polytropon <freebsd@edvax.de>
To:        nightrecon@hotmail.com
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Breakin attempt
Message-ID:  <20111022171023.b3ff11c5.freebsd@edvax.de>
In-Reply-To: <j7ulf8$k9d$1@dough.gmane.org>
References:  <000001cc90c0$a0c16050$e24420f0$@org> <4EA2CE72.5030202@cran.org.uk> <20111022161242.11803f76.freebsd@edvax.de> <j7ulf8$k9d$1@dough.gmane.org>

Thanks for your statement.

On Sat, 22 Oct 2011 10:54:49 -0400, Michael Powell wrote:
> One such relatively minor argument might be the use by external entities for 
> the ability to connect in a standardized way. Such a client may need to 
> connect but has no way of knowing in advance what port to use. The only 
> readily available means for them to locate you might be DNS, with them only 
> knowing you by hostname. 

This might be debatable in case of "public services", but
is not a problem in a somewhat "contract-driven" service
where terms of use exist, as well as instructions on how
to use the service. That's why I said this argument would
go to the pragmatic (or organisational) section, not to the
technical one. :-)



> I tend to discount this as they would still need some form of auth, whether 
> a user account/password combination or a certificate. In either case, this 
> needs to be configured in advance - so there's no reason a port number 
> couldn't be included when communicating how to login to the third party.

Fully agree.



> There is also some remote possibility that the third party has some internal 
> (albeit brain-dead) policy of mandating the use of some software that cannot 
> be configured to use a port other than 22. I would consider such a software 
> to be inherently 'broken by design', and not a good enough reason for me to 
> 'break' my system just to make them happy. After all, aren't they the ones 
> who want to connect to me and shouldn't the responsibility be on them to do 
> it in accordance with what I have configured?

That would have been my next idea: The "problem" that
"suddenly appears" when someone tries to connect to the
system with a program _not_ supplied with the contract,
trying :22 and complaining "it no workin!" -- that's not
a problem at all: "You are not supposed to use that program
or try to log in that way. Please refer to the documentation
on how to properly do it." It's comparable to someone trying
to connect to a web server with a MUA. :-)



> I restrict any SSH access to my systems to certificate only, with password 
> turned off. Only a trusted few will have these certificates, and these people 
> will know what port to use because I told them.

Usable approach, although I try to educate about strong (!)
passwords and strong password rules. I see certificates as
the next stage of security _added_ to username/password.



> Just changing the port to 
> some high number non well-known will not entirely stop a port scan if said 
> scan is walking up every single port one after another.

Yes, I didn't assume the approach would _not_ show up in a
portscan. :-)

Still a portscan is the minority in wide-area attacks.



> But simply changing 
> it to something like 42347 works wonders for knocking down about 90% of 
> script-kiddies.

I thought so. The main attacks address the _default_ port,
and those are mostly static, i.e. they don't try other
ports or search for them.



> I just don't see SSH as the best tool for giving anonymous remote-access to 
> the general public of the IntarWebZ in general.

Oh, I was _not_ asking about anonymous access, that's what
the WebTuberZ'n'Stuff'Load is for. :-)



> If access is not anonymous 
> there must be some admin config done previous to the access.

The only valid choice here.



> Providing 
> anonymous access via SSH sort of defeats the purpose for using SSH in the 
> first place.   :-)

The words "anonymous access" and "secure shell" do contradict.
My EUR 0.02. :-)



-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
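The two sshd settings the thread keeps coming back to (a non-default listening port, and public-key-only login with passwords off) are easy to get half right. As an added example, not part of the mail above and not anything Michael or Polytropon posted, here is a small POSIX sh audit that reads an sshd_config the way sshd does (first uncommented occurrence of a keyword wins, keywords are case-insensitive, OpenSSH defaults apply when a keyword is absent) and reports the weak settings. The function names, the 42347 port and the two sample configs are constructed for the example; the script ignores Match blocks and Include directives, so it is a first-pass check, not a replacement for `sshd -T`.

```shell
#!/bin/sh
# Added example (not from the original thread): audit an sshd_config for the
# settings discussed above. Uses only POSIX sh, awk, tr and mktemp.
# Limitation (assumption of this example): Match blocks and Include are not
# handled; run `sshd -T` for the authoritative effective configuration.

# Effective value of one sshd_config keyword: first uncommented occurrence wins,
# keyword compared case-insensitively, $3 is the OpenSSH default if absent.
sshd_effective() {
    _file=$1; _key=$(printf '%s' "$2" | tr 'A-Z' 'a-z'); _default=$3
    _val=$(awk -v k="$_key" '
        /^[ \t]*#/ { next }                       # skip comment lines
        NF >= 2 && tolower($1) == k { print $2; exit }
    ' "$_file")
    printf '%s\n' "${_val:-$_default}"
}

# Returns 0 when the file matches the thread's recommendation (non-default
# port, passwords off, public keys on) and 1 otherwise, printing each finding.
audit_sshd_config() {
    _f=$1; _rc=0
    _port=$(sshd_effective "$_f" Port 22)
    _pw=$(sshd_effective "$_f" PasswordAuthentication yes)
    _chal=$(sshd_effective "$_f" ChallengeResponseAuthentication yes)
    _pk=$(sshd_effective "$_f" PubkeyAuthentication yes)
    if [ "$_port" = 22 ]; then
        echo "WARN: listening on the default port 22"; _rc=1
    fi
    if [ "$_pw" = yes ]; then
        echo "WARN: PasswordAuthentication is yes"; _rc=1
    fi
    # The classic gap: PasswordAuthentication no alone still lets PAM prompt
    # for a password through keyboard-interactive auth.
    if [ "$_chal" = yes ]; then
        echo "WARN: ChallengeResponseAuthentication is yes (password via keyboard-interactive still possible)"; _rc=1
    fi
    if [ "$_pk" != yes ]; then
        echo "WARN: PubkeyAuthentication is $_pk"; _rc=1
    fi
    return $_rc
}

# Demonstration with two constructed configs: the stock-looking one (all
# defaults commented out) and the hardened one from the discussion.
_weak=$(mktemp); _hard=$(mktemp)
printf '#Port 22\n#PasswordAuthentication yes\n#PubkeyAuthentication yes\n' > "$_weak"
printf 'Port 42347\nPasswordAuthentication no\nChallengeResponseAuthentication no\nPubkeyAuthentication yes\n' > "$_hard"
for _cfg in "$_weak" "$_hard"; do
    if audit_sshd_config "$_cfg"; then
        echo "$_cfg: OK (port $(sshd_effective "$_cfg" Port 22), key-only)"
    else
        echo "$_cfg: needs attention"
    fi
done
rm -f "$_weak" "$_hard"
```

Run it against /etc/ssh/sshd_config on the host in question; on FreeBSD remember that sshd must be restarted (`service sshd restart`) before the new port or authentication settings take effect, and keep an existing session open while you verify the new one works.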



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20111022171023.b3ff11c5.freebsd>