chris at noncombatant.org
Mon Oct 5 22:57:43 UTC 2009
Doug Barton writes:
> > However, I'm concerned about the suggestion of using an unprivileged
> > port
> Please explain your reasoning, and how it's relevant in a world where the
> vast majority of Internet users have complete administrative control over
> the systems they use.
Shared shell servers do still exist, and on such systems, it would be unwise
to allow low-privilege users to be able to listen on what the other users
think the "official" SSH port is. The port ACL idea, and the port != 22 &&
port < 1024 idea, therefore still make sense.
Of course, can we really trust that local low-privilege users can't escalate
to root? Sob.
As for the log spam issue, the problem is more general than just SSH -- do
you have your web server listen on port 81, too? ;) There's tons of spam in
there, and there's tons of real stuff in there. Web apps are real apps...
what are people doing with them?
The general solution is something like Marcus Ranum's "artificial
ignorance". Whether it is a cheap-ass Python script like mine or a real
grown-up log management system like Splunk, you want something that lets you
easily see the real stuff and ignore the spam for ALL your apps, not just
SSH. It doesn't take much effort to generate the cheap-ass solution (ping me
privately if you want my trivial code), but the pay-off is huge. Imagine
relevant cron emails! The dream is alive...
More information about the freebsd-security