Hacked - FreeBSD 7.1-Release

Oliver Fromme olli at lurza.secnetix.de
Tue Dec 29 19:47:17 UTC 2009


Brian W. <brian at brianwhalen.net> wrote:
 > On 12/29/2009 3:45 AM, Edwin Groothuis wrote:
 > > On all systems which need to be accessible from the public Internet:
 > > Run sshd on port 22 and port 8022. Block incoming traffic on port
 > > 22 on your firewall.
 > > 
 > > Everybody coming from the outside world needs to know it is running
 > > on port 8022. Everybody coming from the inside world has access as
 > > normal.
 > 
 > I seem to recall on one of the openbsd lists someone speaking of risks 
 > of running sshd or other services on high numbered ports, presumably 
 > because a non root user cannot bind ports up to 1024.

That's probably because OpenBSD doesn't have mac_portacl(4).  ;-)

But basically it's right:  You should never run any
important services (including sshd) on ports that might
be bound by unprivileged users.

The basic problem is that, if the sshd daemon happens to
die for some reason, an unprivileged user could run his
own ssh daemon (presumably a hacked/modified one) on the
same port.  Of course he doesn't have the private host
keys, and he can't really let users log in to the real
system, so his fake ssh daemon will be discovered rather
sooner than later, but it might be enough to steal some
sensitive information from unsuspecting users.

Historically, unprivileged users cannot bind services to
port numbers below 1024, so those port numbers were
considered "safe" regarding the above problem.

However, that concept is somewhat diluted today, because
you can change the range of privileged port numbers on
many (most?) operating systems.  On FreeBSD there are
some sysctls that default to the historical range:

net.inet.ip.portrange.reservedhigh: 1023
net.inet.ip.portrange.reservedlow: 0

So, theoretically you can set the "reservedhigh" value to
8022, and then you can safely run sshd on that port number.
You can even set the sysctl to 65535, completely preventing
users from running _any_ services.  However, this also
prevents them from using active FTP and other things.

A better way is to use FreeBSD's mac_portacl(4) which is
quite easy to use.  It enables you to install rules that
specify exactly to which ports user processes are allowed
to bind.  So you can specifically protect the single port
number 8022, for example.

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Handelsregister: Registergericht Muenchen, HRA 74606,  Geschäftsfuehrung:
secnetix Verwaltungsgesellsch. mbH, Handelsregister: Registergericht Mün-
chen, HRB 125758,  Geschäftsführer: Maik Bachmann, Olaf Erb, Ralf Gebhart

FreeBSD-Dienstleistungen, -Produkte und mehr:  http://www.secnetix.de/bsd

"We, the unwilling, led by the unknowing,
are doing the impossible for the ungrateful.
We have done so much, for so long, with so little,
we are now qualified to do anything with nothing."
        -- Mother Teresa
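As an added example (not part of Oliver's mail, and not FreeBSD's own code), the POSIX shell script below models the two kernel checks described in the thread: the net.inet.ip.portrange.reservedlow/reservedhigh range, which only root may bind into, and mac_portacl(4) rules of the form idtype:id:protocol:port, which apply to ports up to security.mac.portacl.port_high (default 1023) with root exempted when suser_exempt=1. The settings at the top are a constructed sample of what would go into /etc/sysctl.conf after loading the module (mac_portacl_load="YES" in /boot/loader.conf); the script lets you ask offline whether a given uid could bind a port under those settings, which is the check to run before relying on a moved sshd port being protected.

```shell
#!/bin/sh
# Added example: decide whether UID may bind PROTO/PORT under a candidate
# FreeBSD port-protection configuration. Not code from the original mail.
#
# Constructed sample settings (assumed /etc/sysctl.conf contents after
# mac_portacl_load="YES" in /boot/loader.conf). port_high is raised to
# 8022 because mac_portacl(4) rules only cover ports <= port_high.
RESERVEDLOW=0
RESERVEDHIGH=0
PORTACL_ENABLED=1
PORTACL_SUSER_EXEMPT=1
PORTACL_PORT_HIGH=8022
PORTACL_RULES="uid:0:tcp:22,uid:0:tcp:8022,uid:53:tcp:53,uid:53:udp:53,uid:80:tcp:80"

# in_reserved_range PORT LOW HIGH: succeeds when PORT lies in [LOW, HIGH],
# i.e. the classic range where only a privileged process may bind.
in_reserved_range() {
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# rule_allows UID PROTO PORT RULES: succeeds when the comma-separated
# RULES string contains a matching "uid:UID:PROTO:PORT" entry.
# (gid: rules are not modelled here; they would need the process's
# group list as a further argument.)
rule_allows() {
    _uid=$1 _proto=$2 _port=$3
    _old_ifs=$IFS
    IFS=','
    set -- $4
    IFS=$_old_ifs
    for _r; do
        case "$_r" in
            "uid:$_uid:$_proto:$_port") return 0 ;;
        esac
    done
    return 1
}

# may_bind UID PROTO PORT: succeeds when the bind would be permitted.
# Both kernel checks are applied independently, as in the kernel:
#   1. the reserved range denies non-root outright;
#   2. mac_portacl, when enabled, gates ports <= port_high by root
#      exemption or an explicit rule. Ports above port_high are untouched.
may_bind() {
    uid=$1 proto=$2 port=$3
    if in_reserved_range "$port" "$RESERVEDLOW" "$RESERVEDHIGH" \
        && [ "$uid" -ne 0 ]; then
        return 1
    fi
    if [ "$PORTACL_ENABLED" -ne 1 ] || [ "$port" -gt "$PORTACL_PORT_HIGH" ]; then
        return 0
    fi
    if [ "$PORTACL_SUSER_EXEMPT" -eq 1 ] && [ "$uid" -eq 0 ]; then
        return 0
    fi
    rule_allows "$uid" "$proto" "$port" "$PORTACL_RULES"
}

# Stand-alone run: show the verdicts for the ports discussed in the thread
# (uid 1001 stands in for an arbitrary unprivileged user).
for spec in "0 tcp 22" "1001 tcp 22" "0 tcp 8022" "1001 tcp 8022" \
            "1001 tcp 8023" "53 udp 53" "53 tcp 80"; do
    set -- $spec
    if may_bind "$1" "$2" "$3"; then verdict=allowed; else verdict=denied; fi
    printf 'uid %-5s %s/%-5s %s\n' "$1" "$2" "$3" "$verdict"
done
```

The run shows the two properties worth verifying on a real host: uid 1001 is denied on 22 and 8022 but still free on 8023, and root keeps 8022 through suser_exempt without needing a rule. It also shows the cost of the mac_portacl approach, since the range it governs is contiguous from 0 up to port_high: to cover 8022, every port from 1024 to 8021 that unprivileged daemons legitimately use now needs its own rule as well. Changing the settings at the top (for instance RESERVEDHIGH=8022 with PORTACL_ENABLED=0) reproduces the simpler sysctl-only variant from the mail.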

