openssh concerns

Daniel Roethlisberger daniel at roe.ch
Mon Oct 12 09:45:24 UTC 2009


Robert Watson <rwatson at FreeBSD.org> 2009-10-11:
> On Thu, 8 Oct 2009, Oliver Fromme wrote:
> >Are you sure?  The majority of BSD machines in my vicinity
> >have multiple accounts.
> >
> >And even if there's only one account, there is no reason to be
> >careless with potential port-takeover risks.
> >
> >Therefore I advise against running critical daemons on
> >unprivileged ports, especially on machines with shell
> >accounts.  And if you need to bind to a port >= 1024, use
> >mac_portacl(4) to protect it.  It's easy to use.
> >Alternatively you can increase the value of the sysctl
> >net.inet.ip.portrange.reservedhigh, but this is less flexible
> >and might have unwanted side effects.
> 
> And, for those that haven't already noticed, "options MAC" is
> compiled into GENERIC on 8.0, so working with MAC policies no
> longer requires a recompile (or in many cases, even a reboot).

If your situation allows running pf, then there's an alternative
method: bind sshd normally to port 22, but use pf to deny direct
connections to port 22, redirecting connections to some high port
X to port 22 using a `rdr pass' rule.  You can even make
exceptions for trusted IP address ranges which are then allowed
to SSH in directly on port 22.  That way, an unprivileged process
will gain nothing by listening on high port X; it won't get to
accept() any SSH connections.

-- 
Daniel Roethlisberger
http://daniel.roe.ch/
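The pf arrangement Daniel describes, written out as an added pf.conf fragment (this is not part of the original post): em0 as the external interface, 2222 as the high port X, and 192.0.2.0/24 as the trusted range are all assumed placeholder values.

```pf
# Added example pf.conf fragment, not from the original post.
# Assumed values: em0 is the external interface, 2222 is the high
# port "X", 192.0.2.0/24 is the constructed trusted range.
ext_if        = "em0"
ssh_high_port = "2222"
trusted       = "{ 192.0.2.0/24 }"

set skip on lo0

# Translation runs before filtering: a SYN arriving for port 2222 is
# rewritten to port 22 and delivered to sshd (which listens on the
# loopback address with the default ListenAddress). An unprivileged
# local process bound to 2222 never sees the packet. The "pass" in
# "rdr pass" lets the translated packet skip the filter rules below,
# so the port-22 block does not swallow redirected connections.
rdr pass on $ext_if inet proto tcp from any to ($ext_if) \
    port $ssh_high_port -> 127.0.0.1 port 22

# Refuse direct connections to port 22 by default ...
block in log on $ext_if inet proto tcp from any to ($ext_if) port 22

# ... except from trusted ranges. pf evaluates last-match, so this
# exception must come after the block rule above.
pass in on $ext_if inet proto tcp from $trusted to ($ext_if) port 22 \
    flags S/SA keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, since a typo in the rdr rule leaves port 22 blocked for everyone outside the trusted range.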

