Hacked - FreeBSD 7.1-Release

Chris BeHanna chris at behanna.org
Tue Dec 29 16:46:03 UTC 2009


On Dec 29, 2009, at 10:10 , Brian W. wrote:

> On 12/29/2009 3:45 AM, Edwin Groothuis wrote:
>> mpt to pass a Turing test or something.
>>   On all systems which need to be accessible from the public Internet:
>> Run sshd on port 22 and port 8022. Block incoming traffic on port
>> 22 on your firewall.
>> 
>> Everybody coming from the outside world needs to know it is running
>> on port 8022. Everybody coming from the inside world has access as
>> normal.
>> 
>> Edwin
>>   
> I seem to recall on one of the openbsd lists someone speaking of risks of running sshd or other services on high-numbered ports, presumably because a non-root user cannot bind ports up to 1024.

	On a multi-user machine, where you want to keep students or others from spoofing on machines on which they have logins but which you manage (i.e., they don't have root or sudo), this makes sense--ON THE SERVER SIDE.  The connecting client's port is going to be above 1024 anyway, and the client doesn't really care on which port the server is running.

	In this day and age, when anyone, black hat or white, can stand up their own *ix box and run whatever they want on whatever port, the notion of only connecting to "privileged ports" as a way of protecting yourself (e.g., from password sniffing or whatever) is rather quaint and ineffective.

-- 
Chris BeHanna
chris at behanna.org
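As an added example (not configuration from the thread or from any of its participants), this is one way to express Edwin's suggestion on a FreeBSD host that uses pf: sshd listens on both 22 and 8022, the external interface only admits 8022, and the internal interface keeps 22 as normal. The interface names em0 (external) and em1 (internal), the internal network 192.168.1.0/24, and the choice of pf rather than ipfw are assumptions.

```conf
# /etc/ssh/sshd_config  (added example)
# Repeating the Port directive makes sshd listen on every port listed.
Port 22
Port 8022

# /etc/pf.conf  (added example, fragment)
# Interface names and the internal network below are assumptions.
ext_if  = "em0"
int_if  = "em1"
int_net = "192.168.1.0/24"
ssh_alt = "8022"

set skip on lo0

# Default deny on the outside; everything not explicitly passed is dropped.
block in log on $ext_if

# Make the port 22 block explicit so it shows up in "pfctl -sr",
# even though the default block above already covers it.
block in quick on $ext_if proto tcp from any to ($ext_if) port 22

# Outside world: only the alternate port is reachable.
pass in on $ext_if proto tcp from any to ($ext_if) port $ssh_alt flags S/SA keep state

# Inside world: port 22 works as normal.
pass in on $int_if proto tcp from $int_net to ($int_if) port 22 flags S/SA keep state
```

Check the pf syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, then `/etc/rc.d/sshd reload` and confirm with `sockstat -4l | grep sshd` that both listeners are up and with `pfctl -sr` that the block on 22 is in place. Note that it is the firewall rule, not the second port, that removes port 22 from the outside; the second port only gives outside users somewhere else to connect, and, as Chris points out, the client's own source port is ephemeral either way.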


More information about the freebsd-stable mailing list