
Re: sshd port config and security



On Fri, Apr 06, 2001 at 11:52:29PM -0500, Vinh Truong wrote:
> * Jean-Marc Boursot <jmb@ankeo.org> [010406 21:09]:
> > They allow telnet and not ssh? Nice!
> 
> yeah, afraid of the port-forwarding capabilities in ssh.  i can see
> their point but i'm just as leery of clear-text transmission.  oh, well.
> 

Port forwarding works in ssh no matter what door you run it on. For instance:

ssh -p 666

That's what I do when upgrading a remote machine's ssh server.

> > So you can turn it off.
> 
> should have thought of that myself. :)
> 

Better yet, remove it.

> > What about portmap? You can turn it off either and filter port 25 if 
> > you have a mail daemon running. In fact, you can drop all external tcp 
> > connections to ports below 1024 (except 23), and drop all SYN 
> > connections to ports above 1024. You can also filter ICMP. Check 
> > gShield (http://linuxmafia.org/~godot/gshield.html): it has very 
> > restrictive rules.
> 
> i've already disabled portmap and mail demon too.  i guess i should look
> into setting up a firewall on my debian box.  i already have iptables
> installed.  just need to recompile my kernel to support it.  i just keep
> thinking that it's overkill to have my hw firewall and then another
> firewall set up in software on my box.
> 

It is not. But if in doubt, trash your hw firewall and keep the iptables one :)

> thanks for the advice,
> vinh
> 
> 


-- 
Jose Celestino  <japc@co.sapo.pt>
--------------------------------------------------------------
"Every morning I read the obituaries; if my name's not there,
	I go to work."
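The quoted filtering policy (drop inbound TCP connection attempts apart from the sshd port, drop ICMP echo) written out as iptables rules, as an added example that is not from the thread. Port 666, the interface name eth0, and the function name fw_rules are assumptions; where the quoted rules excepted port 23 for telnet, this keeps only the sshd port that the reply moves off 22.

```shell
#!/bin/sh
# Added example, not from the thread: renders the quoted policy as iptables
# rules. Port 666, eth0 and fw_rules are assumed names/values.
# The quoted policy left port 23 open for telnet; here the sshd port,
# moved off 22 as described in the reply, takes that place.

SSH_PORT="${SSH_PORT:-666}"   # assumed: sshd listens here (Port 666 in sshd_config)
EXT_IF="${EXT_IF:-eth0}"      # assumed: interface facing the outside

# fw_rules PORT IFACE: print the rule set instead of loading it, so the
# policy can be reviewed (and tested) before it runs as root.
fw_rules() {
    ssh_port="$1"; ext_if="$2"
    case "$ssh_port" in
        ''|*[!0-9]*) echo "fw_rules: bad port '$ssh_port'" >&2; return 1 ;;
    esac
    if [ "$ssh_port" -lt 1 ] || [ "$ssh_port" -gt 65535 ]; then
        echo "fw_rules: port out of range: $ssh_port" >&2; return 1
    fi
    # Default-deny first; the ESTABLISHED rule keeps the ssh session you are
    # loading this from alive across the flush.
    cat <<EOF
iptables -P INPUT DROP
iptables -F INPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $ext_if -p tcp --dport $ssh_port --syn -j ACCEPT
iptables -A INPUT -i $ext_if -p tcp --syn -j LOG --log-prefix "fw-syn-drop: "
iptables -A INPUT -i $ext_if -p tcp --syn -j DROP
iptables -A INPUT -i $ext_if -p icmp --icmp-type echo-request -j DROP
EOF
}

# "apply" loads the rules (needs root); anything else just prints them.
# As in the reply, start a second sshd on the new port first
# (sshd -p 666) so you are not locked out when port 22 is closed.
if [ "${1:-show}" = apply ]; then
    fw_rules "$SSH_PORT" "$EXT_IF" | sh -e
else
    fw_rules "$SSH_PORT" "$EXT_IF"
fi
```

Every other SYN to any port, below or above 1024, falls through to the LOG and DROP rules, so the two ranges in the quoted policy collapse into one default-deny.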