Brian W. <br...@brianwhalen.net> wrote:
> On 12/29/2009 3:45 AM, Edwin Groothuis wrote:
> > On all systems which need to be accessible from the public Internet:
> > Run sshd on port 22 and port 8022. Block incoming traffic on port
> > 22 on your firewall.
> >
> > Everybody coming from the outside world needs to know it is running
> > on port 8022. Everybody coming from the inside world has access as
> > normal.
>
> I seem to recall on one of the openbsd lists someone speaking of risks
> of running sshd or other services on high-numbered ports, presumably
> because a non-root user cannot bind ports up to 1024.
That's probably because OpenBSD doesn't have mac_portacl(4). ;-)

But basically it's right: you should never run any important services (including sshd) on ports that might be bound by unprivileged users. The basic problem is that, if the sshd daemon happens to die for some reason, an unprivileged user could run his own ssh daemon (presumably a hacked/modified one) on the same port. Of course he doesn't have the private host keys, and he can't really let users log in to the real system, so his fake ssh daemon will be discovered sooner rather than later, but it might be enough to steal some sensitive information from unsuspecting users.

Historically, unprivileged users cannot bind services to port numbers below 1024, so those port numbers were considered "safe" regarding the above problem. However, that concept is somewhat diluted today, because you can change the range of privileged port numbers on many (most?) operating systems. On FreeBSD there are some sysctls that default to the historical range:

net.inet.ip.portrange.reservedhigh: 1023
net.inet.ip.portrange.reservedlow: 0

So, theoretically you can set the "reservedhigh" value to 8022, and then you can safely run sshd on that port number. You can even set the sysctl to 65535, completely preventing users from running _any_ services. However, this also prevents them from using active FTP and other things.

A better way is to use FreeBSD's mac_portacl(4), which is quite easy to use. It enables you to install rules that specify exactly to which ports user processes are allowed to bind. So you can specifically protect the single port number 8022, for example.

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
FreeBSD-Dienstleistungen, -Produkte und mehr: http://www.secnetix.de/bsd
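Added illustration, not part of the mail above: a small POSIX sh function that models the two bind-time checks the reply describes (the reservedlow/reservedhigh range and a mac_portacl(4) allow-list) so an administrator can replay "could a non-root user bind this port?" against a set of sysctl values before deploying them. It assumes the semantics documented in mac_portacl(4): ports up to security.mac.portacl.port_high need a matching uid/gid rule, both checks must permit the bind, and the values are fetched separately (e.g. with `sysctl -n`) and passed in.

```shell
# Model of the two bind-time checks discussed above: the classic reserved
# range (net.inet.ip.portrange.reservedlow/reservedhigh, root always passes)
# and the mac_portacl(4) allow-list (ports up to security.mac.portacl.port_high
# need a matching "uid:N:proto:port" or "gid:N:proto:port" rule; root passes
# only when suser_exempt=1). Both checks must allow the bind.
# Values are passed in so it runs offline; on FreeBSD read them with
# `sysctl -n <name>` (assumed usage, not a FreeBSD-supplied tool).
# usage: port_bindable PORT PROTO UID GID RESERVEDLOW RESERVEDHIGH \
#                      PORTACL_ENABLED PORTACL_PORT_HIGH SUSER_EXEMPT RULES
# returns 0 if that uid/gid could bind the port, 1 if it is protected.
port_bindable() {
    port=$1 proto=$2 uid=$3 gid=$4
    reservedlow=$5 reservedhigh=$6
    portacl_enabled=$7 portacl_high=$8 suser_exempt=$9 rules=${10}

    # Check 1: the historical privileged range; only root may bind inside it.
    if [ "$uid" -ne 0 ] && [ "$port" -ge "$reservedlow" ] && [ "$port" -le "$reservedhigh" ]; then
        return 1
    fi

    # Check 2: mac_portacl, which only covers ports up to port_high.
    if [ "$portacl_enabled" -eq 1 ] && [ "$port" -le "$portacl_high" ]; then
        if [ "$uid" -eq 0 ] && [ "$suser_exempt" -eq 1 ]; then
            return 0
        fi
        # Rules are a comma-separated list, e.g. "uid:80:tcp:80,gid:80:tcp:443".
        oldifs=$IFS
        IFS=','
        for rule in $rules; do
            IFS=$oldifs
            idtype=${rule%%:*}; rest=${rule#*:}
            id=${rest%%:*};     rest=${rest#*:}
            rproto=${rest%%:*}; rport=${rest#*:}
            [ "$rproto" = "$proto" ] && [ "$rport" -eq "$port" ] || continue
            [ "$idtype" = uid ] && [ "$id" -eq "$uid" ] && return 0
            [ "$idtype" = gid ] && [ "$id" -eq "$gid" ] && return 0
        done
        IFS=$oldifs
        return 1    # no rule allowed it
    fi
    return 0        # above both protected ranges: anyone may bind
}
```

With the stock defaults (reservedhigh=1023, portacl off) the function confirms the thread's concern: uid 1001 can bind 8022; raising reservedhigh to 8022, or enabling mac_portacl with port_high=8022 and allow rules only for the ports unprivileged daemons legitimately need, closes it.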