openssh concerns
Robert Watson
rwatson at FreeBSD.org
Sun Oct 11 14:52:39 UTC 2009
On Thu, 8 Oct 2009, Oliver Fromme wrote:
> Are you sure? The majority of BSD machines in my vicinity have multiple
> accounts.
>
> And even if there's only one account, there is no reason to be careless with
> potential port-takeover risks.
>
> Therefore I advise against running critical daemons on unprivileged ports,
> especially on machines with shell accounts. And if you need to bind to a
> port >= 1024, use mac_portacl(4) to protect it. It's easy to use.
> Alternatively you can increase the value of the sysctl
> net.inet.ip.portrange.reservedhigh, but this is less flexible and might have
> unwanted side effects.
And, for those that haven't already noticed, "options MAC" is compiled into
GENERIC on 8.0, so working with MAC policies no longer requires a recompile
(or in many cases, even a reboot).
Robert N M Watson
Computer Laboratory
University of Cambridge
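As an added example (not part of the thread and not FreeBSD project code), here is the mac_portacl(4) setup the quoted reply recommends for protecting a daemon on a port >= 1024, shown for an sshd listening on TCP 2222; the port numbers and the uid 80 rule are constructed for illustration, and the sysctl names follow mac_portacl(4).

```shell
#!/bin/sh
# Added example (not from the thread): make an unprivileged port such as
# TCP 2222 root-only with mac_portacl(4), so no local shell user can bind it
# before sshd does. Assumes FreeBSD with "options MAC" (GENERIC on 8.0);
# the port numbers and the uid 80 rule below are constructed.
set -u
# Validate one mac_portacl rule, idtype:id:proto:port, where idtype is
# uid or gid and proto is tcp or udp. Returns 0 if well-formed, else 1.
portacl_rule_ok() {
    idtype=${1%%:*}; rest=${1#*:}
    id=${rest%%:*};  rest=${rest#*:}
    proto=${rest%%:*}; port=${rest#*:}
    case "$idtype" in uid|gid) ;; *) return 1 ;; esac
    case "$proto"  in tcp|udp) ;; *) return 1 ;; esac
    case "$id"   in ''|*[!0-9]*) return 1 ;; esac
    case "$port" in ''|*[!0-9]*) return 1 ;; esac   # also rejects "8080:x"
    [ "$port" -le 65535 ]
}
# Print the sysctl assignments (one per line) that make PROTECTED_PORT
# root-only. port_high is raised from its default of 1023 so the port falls
# inside the range mac_portacl arbitrates; every port from 1024 up to
# port_high is then root-only (suser_exempt=1) unless a rule in the
# optional comma-separated RULES list re-permits it for one uid or gid.
# Usage: portacl_settings PROTECTED_PORT [RULES]
portacl_settings() {
    high=$1; rules=${2:-}
    old_ifs=$IFS; IFS=,
    for r in $rules; do
        portacl_rule_ok "$r" || { IFS=$old_ifs; echo "bad rule: $r" >&2; return 1; }
        rport=${r##*:}
        # A rule only takes effect if its port is <= port_high, so raise it;
        # note this widens the root-only range up to that rule's port.
        if [ "$rport" -gt "$high" ]; then high=$rport; fi
    done
    IFS=$old_ifs
    printf '%s\n' "security.mac.portacl.enabled=1" \
        "security.mac.portacl.suser_exempt=1" \
        "security.mac.portacl.port_high=$high" \
        "security.mac.portacl.rules=$rules"
}
# Load the policy module and apply the settings (only on FreeBSD; elsewhere
# just show them). For persistence put the printed lines in /etc/sysctl.conf
# and mac_portacl_load="YES" in /boot/loader.conf.
portacl_apply() {
    if [ "$(uname -s)" != FreeBSD ]; then
        echo "not FreeBSD; would apply:" >&2; portacl_settings "$@"; return
    fi
    kldstat -q -m mac_portacl || kldload mac_portacl || return 1
    portacl_settings "$@" | while IFS= read -r kv; do sysctl "$kv"; done
}
# Protect sshd on 2222; the constructed rule still lets uid 80 bind TCP 8080.
portacl_apply 2222 "uid:80:tcp:8080"
```

Raising port_high this way has the same flavour of side effect as net.inet.ip.portrange.reservedhigh (the whole range below it becomes root-only), but rules can hand individual ports back to specific users.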