This is a discussion on SSH Question: Are these settings safe? within the Slackware Linux Support forums, part of the Unix Operating Systems category.
Edafe Knabe wrote:

> Thanks for all your replies.
>
> From time to time I need to be able to connect to my server at home, as
> well as administer a couple of machines remotely. I use ssh, because it
> seems the most appropriate tool for this purpose.
>
> The exclusive use of public key authentication hopefully eliminates the
> risk of brute-force attacks.
>
> Because I mostly connect over the internet from nodes obtaining their
> respective IP addresses dynamically, I didn't think that using tcpwrappers
> would be practical.

Regrettably that is true.

> Unfortunately, my firewall does not allow the control
> of port access by connecting host, either (in truth, I didn't even know
> such functionality was available).

Since you have such a wide range of connecting hosts the point is moot, but it is certainly available in my preferred platform for firewalls - OpenBSD. Anyone who can administer Slack should be able to cope with that (those who insist on using tools like YaST are likely to have significant difficulty). Personally I find the syntax of iptables so complex that I spend more time trying to get the firewall to do what I want than I do deciding what I want it to do, which seems decidedly arse-about-face.

> Even though there are not many users to administer, using AllowGroups ssh
> instead of AllowUsers username in sshd_config makes sense.
>
> I increased the LoginGraceTime to 20.
>
> As far as direct attacks to exploit the server software are concerned, my
> hope is that by now OpenSSH will have few vulnerabilities left.

The experience of a large number of professional software testers and quality people is that the greater the number of bugs that have been found, the greater is the risk of there being more still to find. This is why I object so much to sendmail, WU-FTPD and UW-IMAP. There are alternatives to OpenSSH (although few if any distros ship them); you could try looking at lsh (http://www.lysator.liu.se/~nisse/lsh/) for a start.

> Are there any disadvantages to using a random port instead of port 22?

Only that you will have to specify the target port each time you try to connect. OTOH it doesn't gain an awful lot either.
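Added example, not from any poster in this thread: a POSIX shell check of an sshd_config against the settings Edafe lists (public key only, AllowGroups, LoginGraceTime, Port). Both config samples and the helper names (`lc`, `sshd_get`, `sshd_audit`) are constructed; the parser models how sshd reads its file, where the first value for a keyword wins and settings after a Match line are conditional, so a trailing `PasswordAuthentication no` does not override an earlier `yes`.

```shell
# Two constructed sshd_config samples (not from the thread). The weak one
# repeats PasswordAuthentication: sshd keeps the FIRST value it reads for a
# keyword, so the trailing "no" is silently ignored and password logins stay on.
WEAK_SSHD_CONFIG='# sshd_config
Port 22
#PasswordAuthentication no
PasswordAuthentication yes
PubkeyAuthentication yes
LoginGraceTime 20
PasswordAuthentication no
'
# The settings the thread converges on: pubkey only, AllowGroups, non-default port.
HARDENED_SSHD_CONFIG='Port 3456
PasswordAuthentication no
PubkeyAuthentication yes
AllowGroups ssh
LoginGraceTime 20
'
lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# sshd_get CONFIG KEYWORD: print the (first) argument sshd would use for KEYWORD.
# Keywords are case-insensitive, comments/blank lines are skipped, the first
# match wins, and settings after a Match line are conditional, so stop there.
# Assumes the "Keyword value" form (sshd also accepts "Keyword=value").
sshd_get() {
    printf '%s\n' "$1" | awk -v key="$(lc "$2")" '
        /^[ \t]*(#|$)/         { next }
        tolower($1) == "match" { exit }
        tolower($1) == key     { print $2; exit }'
}

# sshd_audit CONFIG: one "FAIL ..." or "INFO ..." line per check.
sshd_audit() {
    cfg=$1
    # PasswordAuthentication defaults to yes when unset.
    pw=$(sshd_get "$cfg" PasswordAuthentication)
    [ "$(lc "${pw:-yes}")" = no ] \
        || echo "FAIL PasswordAuthentication is '${pw:-yes}' (want no)"
    # PubkeyAuthentication defaults to yes; only an explicit no is a problem.
    pk=$(sshd_get "$cfg" PubkeyAuthentication)
    [ "$(lc "${pk:-yes}")" != no ] \
        || echo "FAIL PubkeyAuthentication is disabled"
    # Without AllowGroups/AllowUsers every local account may log in over ssh.
    [ -n "$(sshd_get "$cfg" AllowGroups)$(sshd_get "$cfg" AllowUsers)" ] \
        || echo "FAIL neither AllowGroups nor AllowUsers limits who may log in"
    port=$(sshd_get "$cfg" Port)
    echo "INFO listening on port ${port:-22}"
}

sshd_audit "$WEAK_SSHD_CONFIG"
```

Running it against the weak sample reports password logins still enabled and no AllowGroups/AllowUsers; the hardened sample produces no FAIL lines.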
On Sat, 22 Jan 2005 13:36:53 GMT, Edafe Knabe <no@mail.com> wrote:

> As far as direct attacks to exploit the server software are concerned, my
> hope is that by now OpenSSH will have few vulnerabilities left.
> Furthermore, I regularly use slapt-get to obtain what updates are
> available...

You might also want to keep an eye on the SlackSec & GUS web sites. Due to Pat's illness, he hasn't been as quick with security updates as he usually is.

> Are there any disadvantages to using a random port instead of port 22?

As long as you know what port it's on and you don't mind specifying it in the client software, there's no disadvantage. There's not really any advantage, though, either, as it's fairly easy to port-scan a machine and find out which ports have SSH daemons listening on them.

-- 
Simon <simon@no-dns-yet.org.uk> **** GPG: F4A23C69
"We demand rigidly defined areas of doubt and uncertainty." - Douglas Adams
On Sat, 22 Jan 2005 14:56:06 +0000, Keith Matthews wrote:

> Edafe Knabe wrote:
>> Because I mostly connect over the internet from nodes obtaining their
>> respective IP addresses dynamically, I didn't think that using tcpwrappers
>> would be practical.
>
> Regrettably that is true.

Well, if you have to be able to connect from _any_ machine (in the world) then indeed. However, for instance *I* only need to be able to connect from .nl and .be TLDs, so:

    ssh : .nl, .be

makes it a little harder to connect from, say, China or wherever... But if you run an identd (accessible from the server) on all clients:

    ssh : KNOWN@.nl, KNOWN@.be

would probe for the connecting user to be known on that host. Which, although easily spoofable, would be another hurdle for any attacker (worm?) to overcome.

>> Are there any disadvantages to using a random port instead of port 22?
>>
> Only that you will have to specify the target port each time you try to
> connect.

Unless you configure the client to try that port per default too, i.e.:

    echo "Port 3456" >>$HOME/.ssh/config

> OTOH it doesn't gain an awful lot either.

This is indeed true for someone/something aiming at _your_ specific box. However, those automated attacks just try to connect to a bunch of hosts with some frontend to libssh (default port 22).

-- 
-Menno.
On Sun, 23 Jan 2005 18:27:05 GMT, Menno Duursma <pan@desktop.lan> wrote:

> On Sat, 22 Jan 2005 14:56:06 +0000, Keith Matthews wrote:
>> Edafe Knabe wrote:
>>> Are there any disadvantages to using a random port instead of port 22?
>>>
>> Only that you will have to specify the target port each time you try to
>> connect.
>

Perhaps try the 'port knocking' technique for opening the ssh server?

Cheers,
Grant.