openssh concerns

Oliver Fromme olli at lurza.secnetix.de
Thu Oct 8 18:23:44 UTC 2009


Doug Barton wrote:
 > Oliver Fromme wrote:
 > > There are shell machines with lots of user accounts, none
 > > of which have administrative control of the system.
 > 
 > Sure there are, but they make up only a tiny fraction of the systems
 > on the network today.

Are you sure?  The majority of BSD machines in my vicinity
have multiple accounts.

And even if there's only one account, there is no reason
to be careless with potential port-takeover risks.

Therefore I advise against running critical daemons on
unprivileged ports, especially on machines with shell
accounts.  And if you need to bind to a port >= 1024,
use mac_portacl(4) to protect it.  It's easy to use.
Alternatively you can increase the value of the sysctl
net.inet.ip.portrange.reservedhigh, but this is less
flexible and might have unwanted side effects.

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Handelsregister: Registergericht Muenchen, HRA 74606,  Geschäftsfuehrung:
secnetix Verwaltungsgesellsch. mbH, Handelsregister: Registergericht Mün-
chen, HRB 125758,  Geschäftsführer: Maik Bachmann, Olaf Erb, Ralf Gebhart

FreeBSD services, products and more:  http://www.secnetix.de/bsd

"C++ is the only current language making COBOL look good."
        -- Bertrand Meyer
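As an added example (not part of Oliver's mail and not FreeBSD's own tooling), a small POSIX sh helper that builds and validates mac_portacl(4) rule entries, joins them into the `security.mac.portacl.rules` list, and prints the sysctl settings that make the rules cover a port above 1023; uid 22, gid 1001 and ports 2222/1194 are constructed sample values.

```shell
#!/bin/sh
# Added example: compose mac_portacl(4) rules for FreeBSD.
# Rule syntax is idtype:id:protocol:port (numeric uid/gid), entries
# joined by commas.  Load the module first: kldload mac_portacl, or
# mac_portacl_load="YES" in /boot/loader.conf.

# Validate one rule and print it in mac_portacl form; return 1 on bad input.
portacl_rule() {
    idtype=$1; id=$2; proto=$3; port=$4
    case "$idtype" in uid|gid) ;; *) echo "bad idtype: $idtype" >&2; return 1 ;; esac
    case "$proto"  in tcp|udp) ;; *) echo "bad protocol: $proto" >&2; return 1 ;; esac
    for n in "$id" "$port"; do
        case "$n" in ''|*[!0-9]*) echo "id and port must be numeric" >&2; return 1 ;; esac
    done
    [ "$port" -le 65535 ] || { echo "port out of range: $port" >&2; return 1; }
    printf '%s:%s:%s:%s\n' "$idtype" "$id" "$proto" "$port"
}

# Join already-validated rules with commas (the list separator portacl expects).
portacl_rules() {
    printf '%s' "$*" | tr ' ' ','
}

# Highest port named in a rule list.  mac_portacl only checks ports
# <= security.mac.portacl.port_high (default 1023), so that sysctl must be
# raised at least this far or a rule for port 2222 is never consulted.
portacl_port_high() {
    printf '%s\n' "$1" | tr ',' '\n' | cut -d: -f4 | sort -n | tail -1
}

# Print an /etc/sysctl.conf fragment for the rule list.  Note that every port
# from 1024 up to port_high then also needs a rule (or root) to be bindable.
portacl_sysctl_conf() {
    rules=$1
    printf 'security.mac.portacl.enabled=1\n'
    printf 'security.mac.portacl.suser_exempt=1\n'
    printf 'security.mac.portacl.port_high=%s\n' "$(portacl_port_high "$rules")"
    printf 'security.mac.portacl.rules=%s\n' "$rules"
}

# Constructed sample: sshd as uid 22 on tcp/2222, a VPN group on udp/1194.
rules=$(portacl_rules "$(portacl_rule uid 22 tcp 2222)" "$(portacl_rule gid 1001 udp 1194)")
portacl_sysctl_conf "$rules"
```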
