Re: reverse ssh
1. only refer to non-privileged ports
2. btw, ssh will warn you if the server cert changes, so if someone takes the port for its ssh server, you will know

i'll still stick with a non standard privileged port.

On Tue, Jul 22, 2014 at 3:47 PM, Guy Gold wrote:
>
> On 22 July 2014 00:52, Guy Gold wrote:
>>
>> Hi Erez,
>>
>> On Mon, Jul 21, 2014 at 4:18 AM, Erez D wrote:
>>>
>>> it is not even a dynamic ip, it is a private ip behind a dynamic one
>>
>> Then, what Eliyahu wrote should serve you a perfect solution.
>
> Although this can become a flame-war :)
>
> Source:
> https://www.adayinthelifeof.nl/2012/03/12/why-putting-ssh-on-another-port-than-22-is-bad-idea/
>
> ==Begin quote ==
>
> But there are more reasons why this is a bad idea and one of the most
> important reasons has to do with a bit of the (Linux) way of handling TCP/IP
> ports. When you are logged onto a system as a non-root user (anyone not
> being uid 0), you cannot create a listening TCP or UDP port below 1024. This
> is because port numbers below 1024 are so-called privileged ports and can
> only be opened by root or processes that are running as root. So for
> instance, when your webserver (apache, nginx etc) will start, it will do so
> as the privileged root user in order to open up a listening connection to
> port 80 (the port that by default will be used for HTTP traffic). Now, as
> soon as the port is opened and everything that needs to be done as root is
> done, the webserver will fall back to a non-privileged user (either the
> www-data, apache, or nobody user). From that point, when something bad is
> happening, it is only limited to the rights that that user has.
>
> Now, back to SSH: when we start SSH on port 22, we know for a fact that this
> is done by root or a root-process since no other user could possibly open
> that port. But what happens when we move SSH to port ? This port can be
> opened without a privileged account, which means I can write a simple script
> that listens to port and mimics SSH in order to capture your passwords.
> And this can easily be done with simple tools commonly available on every
> linux system/server. So running SSH on a non-privileged port makes it
> potentially LESS secure, not MORE. You have no way of knowing if you are
> talking to the real SSH server or not. This reason, and this reason alone
> makes it that you should NEVER EVER use a non-privileged port for running
> your SSH server.
>
> ==End quote==
>
> Reading the whole page is recommended.
>
> Though, some of Joshua Thijssen's points can be argued against (not by
> myself, but I'm sure some folks can find some caveats in his article). I
> tend to agree with what he points out.
>
> I do acknowledge that SBO (security by...) divides quite a bit sysadmins
> apart. Some live by it, and some, well, ridicule it, and for them, seeing
> another sysadmin use such method is a tell sign of anachronism. The beauty
> is that we can all choose, and what is important is being informed.
>
> --
> Guy Gold
>
> ___
> Linux-il mailing list
> Linux-il@cs.huji.ac.il
> http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il

___
Linux-il mailing list
Linux-il@cs.huji.ac.il
http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il

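
The host-key check that point 2 of the message above relies on, as an added example that is not part of the original thread: it looks up a pinned key in `known_hosts` text, where a non-default port is stored as `[host]:port`, and reports whether the key a server presents matches. The host name, port 40022 and key blobs are constructed placeholders, and hashed host names are not handled.

```python
import base64
import hashlib

# Constructed blobs standing in for public keys (not real SSH keys).
REAL_KEY = base64.b64encode(b"constructed-sshd-host-key").decode()
ROGUE_KEY = base64.b64encode(b"constructed-rogue-listener-key").decode()
# Constructed known_hosts content; host name and port 40022 are hypothetical.
KNOWN_HOSTS = f"""# pinned on the first connection
[gw.example.org]:40022 ssh-ed25519 {REAL_KEY}
"""

def fingerprint(key_b64):
    """SHA256 fingerprint in the form ssh prints: unpadded base64 of the digest."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def host_pattern(host, port=22):
    """known_hosts stores a non-default port as [host]:port, port 22 as bare host."""
    return host if port == 22 else f"[{host}]:{port}"

def check_host_key(known_hosts_text, host, port, key_type, key_b64):
    """Return 'match', 'changed' or 'unknown' for the key a server presented."""
    wanted = host_pattern(host, port)
    presented = base64.b64decode(key_b64)
    pinned_other_key = False
    for line in known_hosts_text.splitlines():
        line = line.strip()
        # Skipped here: blanks, comments, @cert-authority/@revoked markers
        # and hashed host names (lines starting with "|1|").
        if not line or line[0] in "#@|":
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        names, pinned_type, pinned_blob = fields[0].split(","), fields[1], fields[2]
        if wanted not in names or pinned_type != key_type:
            continue
        if base64.b64decode(pinned_blob) == presented:
            return "match"
        pinned_other_key = True  # same host:port and key type, different key
    return "changed" if pinned_other_key else "unknown"

if __name__ == "__main__":
    for label, key in (("sshd", REAL_KEY), ("other listener", ROGUE_KEY)):
        verdict = check_host_key(KNOWN_HOSTS, "gw.example.org", 40022, "ssh-ed25519", key)
        print(f"{label}: {verdict} {fingerprint(key)}")
```

An `unknown` result is the first-connection case, where nothing is pinned yet and the fingerprint has to be confirmed out of band before it is accepted.
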
Re: reverse ssh
and i forgot:
what if my router redirects any port to my computer's port 22 ? this can be a non-privileged port if only i have access to the router settings ...

On Wed, Jul 23, 2014 at 11:44 AM, Erez D wrote:
> 1. only refer to non-privileged ports
> 2. btw, ssh will warn you if the server cert changes, so if someone
> takes the port for its ssh server, you will know
>
> i'll still stick with a non standard privileged port.
>
> On Tue, Jul 22, 2014 at 3:47 PM, Guy Gold wrote:
>>
>> On 22 July 2014 00:52, Guy Gold wrote:
>>>
>>> Hi Erez,
>>>
>>> On Mon, Jul 21, 2014 at 4:18 AM, Erez D wrote:
>>>>
>>>> it is not even a dynamic ip, it is a private ip behind a dynamic one
>>>
>>> Then, what Eliyahu wrote should serve you a perfect solution.
>>
>> Although this can become a flame-war :)
>>
>> Source:
>> https://www.adayinthelifeof.nl/2012/03/12/why-putting-ssh-on-another-port-than-22-is-bad-idea/
>>
>> ==Begin quote ==
>>
>> But there are more reasons why this is a bad idea and one of the most
>> important reasons has to do with a bit of the (Linux) way of handling TCP/IP
>> ports. When you are logged onto a system as a non-root user (anyone not
>> being uid 0), you cannot create a listening TCP or UDP port below 1024. This
>> is because port numbers below 1024 are so-called privileged ports and can
>> only be opened by root or processes that are running as root. So for
>> instance, when your webserver (apache, nginx etc) will start, it will do so
>> as the privileged root user in order to open up a listening connection to
>> port 80 (the port that by default will be used for HTTP traffic). Now, as
>> soon as the port is opened and everything that needs to be done as root is
>> done, the webserver will fall back to a non-privileged user (either the
>> www-data, apache, or nobody user). From that point, when something bad is
>> happening, it is only limited to the rights that that user has.
>>
>> Now, back to SSH: when we start SSH on port 22, we know for a fact that this
>> is done by root or a root-process since no other user could possibly open
>> that port. But what happens when we move SSH to port ? This port can be
>> opened without a privileged account, which means I can write a simple script
>> that listens to port and mimics SSH in order to capture your passwords.
>> And this can easily be done with simple tools commonly available on every
>> linux system/server. So running SSH on a non-privileged port makes it
>> potentially LESS secure, not MORE. You have no way of knowing if you are
>> talking to the real SSH server or not. This reason, and this reason alone
>> makes it that you should NEVER EVER use a non-privileged port for running
>> your SSH server.
>>
>> ==End quote==
>>
>> Reading the whole page is recommended.
>>
>> Though, some of Joshua Thijssen's points can be argued against (not by
>> myself, but I'm sure some folks can find some caveats in his article). I
>> tend to agree with what he points out.
>>
>> I do acknowledge that SBO (security by...) divides quite a bit sysadmins
>> apart. Some live by it, and some, well, ridicule it, and for them, seeing
>> another sysadmin use such method is a tell sign of anachronism. The beauty
>> is that we can all choose, and what is important is being informed.
>>
>> --
>> Guy Gold

Re: reverse ssh
On 2014-07-22 20:35, Oleg Goldshmidt wrote:
> I am not arguing for or against using a non-standard port. Just
> pointing out that "non-standard" and "non-privileged" are two
> different things.

Yep, but now you are back to scanning only 1024 ports, instead of 65536, is there any gain?

On a PC/SOHO setup -- where most data is "held by the user anyway" -- user & root are "closer", so you probably gain security by a random high port. In a large network maybe not. (setups in between have some hard thinking to do, and/or test with a honey-pot what is mostly scanned :-)

You can always port forward a high non-privileged port on a router to 22 on the server.

see: http://stackoverflow.com/questions/10182798/why-are-ports-below-1024-privileged/