Provide SSH to someone w/ dynamic IP address {Scanned}

Michael Scully agentscully at flexiblestrategies.com
Wed Sep 8 12:01:53 UTC 2004


Tom:

	The issue becomes one of exposure to brute force attacks.  Once you
have a port responding for a known service, you can attack it with an
automated tool that tries generating the user and password info
methodically.  For speed, they try combinations of dictionary words first,
then use calculated possibilities after that.  If you don't get detected
from a bandwidth usage standpoint, you can let these things run for days,
breaking through over time if the user name and password schemes aren't
randomized enough.

Scully


-----Original Message-----
From: redhat-list-bounces at redhat.com [mailto:redhat-list-bounces at redhat.com]
On Behalf Of Tom Klem
Sent: Wednesday, September 08, 2004 12:22 AM
To: Benjamin at Weiss.name; redhat-list at redhat.com
Subject: Re: Provide SSH to someone w/ dynamic IP address {Scanned}

What about "only allow users" ?

The casual observer will not know for sure why no logon for them will work,
and if they happen to hit one of your valid users, the
password/authentication should stop them, yes?

Tom Klem


*********** REPLY SEPARATOR  ***********

On 09/05/2004 at 9:26 AM Benjamin J. Weiss wrote:

>On Sat, 4 Sep 2004, Lew Bloch wrote:
>
>> >> How about moving sshd from 22 to another port (85?) that only you and he
>> >> would know. Then he would ssh to -p 85. Anyone ssh to -p 22 would get a
>> >> timeout.
>> > 
>> > Thought about that...but if anyone is port scanning my network they would
>> > eventually find the open port and it's a matter of time.
>> 
>> OK, then they know you exist, but that doesn't necessarily mean they can 
>> compromise your system.  I haven't figured out how to be generally 
>> invisible except to friendlies, but one can allow ingress to members of 
>> only specific groups via the /etc/ssh/sshd_config "AllowGroups" entry 
>> (or to specific users via "AllowUsers").
>> 
>> For example, you can create a group "frobozz" and put your friend's id 
>> in that group, then put a line in /etc/ssh/sshd_config
>> 	AllowGroups frobozz
>> 
>> Of course, you'll also want to have a line
>> 	PermitRootLogin no
>> 
>> I, too, am curious how to make the port visible to only the select few, 
>> but I don't think it can be done.  The best I've found is to deny entry 
>> to those undesirables who do find my (non-standard) SSH port.  Is there 
>> such a magic bullet?
>
>
>I think that y'all are looking for something called "port knocking":
>
>http://netsecurity.about.com/cs/generalsecurity/a/aa032004.htm
>
>Basic idea...a daemon listens to all connection attempts to all ports.  
>When it detects a specific pattern, it will open the port that you define.
> 
>It won't help if somebody's actually sniffing one of the end-points, 
>because the bad guy will be able to record the knock sequence.  Other than 
>that, it's not a bad idea.
>
>I haven't used it, but there's a linux program that claims to do this:
>
>http://www.zeroflux.org/knock/
>
>Good luck.
>
>Ben
>
>
>-- 
>redhat-list mailing list
>unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
>https://www.redhat.com/mailman/listinfo/redhat-list
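As an added example (not code from anyone in this thread) of the detection side of Scully's brute-force point: a Python script that parses OpenSSH "Failed password" syslog lines and flags source addresses that pile up failures within a short window, while a single mistyped password from a real user is left alone. The log format, host name, year and sample addresses are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the standard OpenSSH syslog line for a failed password attempt.
# Assumption: syslog timestamps carry no year, as in /var/log/secure of the era.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)

# Constructed sample log, not captured from any real host.
SAMPLE_LOG = """\
Sep  8 12:00:01 gw sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 4410 ssh2
Sep  8 12:00:03 gw sshd[2203]: Failed password for invalid user test from 203.0.113.5 port 4412 ssh2
Sep  8 12:00:04 gw sshd[2205]: Failed password for root from 203.0.113.5 port 4415 ssh2
Sep  8 12:00:06 gw sshd[2207]: Failed password for invalid user oracle from 203.0.113.5 port 4418 ssh2
Sep  8 12:00:09 gw sshd[2209]: Failed password for invalid user guest from 203.0.113.5 port 4420 ssh2
Sep  8 12:00:10 gw sshd[2211]: Accepted publickey for bob from 198.51.100.7 port 51022 ssh2
Sep  8 12:30:00 gw sshd[2290]: Failed password for bob from 198.51.100.7 port 51030 ssh2
Sep  8 12:30:20 gw sshd[2292]: Accepted password for bob from 198.51.100.7 port 51031 ssh2
"""

def parse_failures(text, year=2004):
    """Yield (timestamp, source_ip, username) for every failed password line."""
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"]

def brute_force_sources(text, threshold=5, window_s=60):
    """Return {ip: (total_failures, distinct_users)} for every source with at
    least `threshold` failures inside some `window_s`-second span."""
    per_ip = defaultdict(list)
    for ts, ip, user in parse_failures(text):
        per_ip[ip].append((ts, user))
    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):  # sliding window over sorted timestamps
            while (events[end][0] - events[start][0]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = (len(events), len({u for _, u in events}))
                break
    return flagged
```

On the sample, only 203.0.113.5 is flagged (five failures across five different user names in eight seconds), which is the guessing pattern Scully describes; bob's one typo from 198.51.100.7 is not.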