On Dec 29, 2009, at 10:10, Brian W. wrote:

> On 12/29/2009 3:45 AM, Edwin Groothuis wrote:
>> mpt to pass a Turing test or something.
>>   On all systems which need to be accessible from the public Internet:
>> Run sshd on port 22 and port 8022. Block incoming traffic on port
>> 22 on your firewall.
>> 
>> Everybody coming from the outside world needs to know it is running
>> on port 8022. Everybody coming from the inside world has access as
>> normal.
>> 
>> Edwin
>>   
> I seem to recall on one of the openbsd lists someone speaking of risks of 
> running sshd or other services on high numbered ports, presumably because a 
> non root user cannot bind ports up to 1024.

        On a multi-user machine, where you want to keep students or others from 
spoofing on machines on which they have logins but which you manage (i.e., they 
don't have root or sudo), this makes sense--ON THE SERVER SIDE.  The connecting 
client's port is going to be above 1024 anyway, and the client doesn't really 
care on which port the server is running.

        In this day and age, when anyone, black hat or white, can stand up 
their own *ix box and run whatever they want on whatever port, the notion of 
only connecting to "privileged ports" as a way of protecting yourself (e.g., 
from password sniffing or whatever) is rather quaint and ineffective.

-- 
Chris BeHanna
ch...@behanna.org
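The dual-port arrangement Edwin describes in the quoted text, written out as an added FreeBSD configuration example (this is not from the original thread or from any poster): sshd is given two `Port` directives so the same daemon listens on both 22 and 8022, and pf blocks external port 22 while passing 8022, with the internal network reaching port 22 as before. The interface names (`em0`, `em1`) and the internal prefix `192.0.2.0/24` are assumed placeholders, not values from the message. Because sshd itself still runs as root and binds both sockets, the non-root-binding concern Brian raises applies only to the server side, as Chris notes; the client side is unaffected by the choice of 8022.

```conf
# /etc/ssh/sshd_config (excerpt) -- added example, assumed layout
# Two Port directives make one sshd listen on both ports.
Port 22
Port 8022
# Optional: pin each port to an address instead of all interfaces
# ListenAddress 0.0.0.0:22
# ListenAddress 0.0.0.0:8022

# /etc/pf.conf (excerpt) -- added example; interface names and
# the internal prefix are placeholders, not values from the thread
ext_if  = "em0"
int_if  = "em1"
int_net = "192.0.2.0/24"

# Outside world: port 22 is blocked, port 8022 is the only SSH entry point.
block in log on $ext_if proto tcp from any to ($ext_if) port 22
pass  in     on $ext_if proto tcp from any to ($ext_if) port 8022 \
      flags S/SA keep state

# Inside world: access on the usual port 22 continues to work.
pass  in     on $int_if proto tcp from $int_net to ($int_if) port 22 \
      flags S/SA keep state
```

After editing, `sshd -t` checks the sshd_config syntax and `pfctl -nf /etc/pf.conf` parses the ruleset without loading it; `sockstat -4l | grep sshd` then confirms that both ports are bound by the same root-owned daemon. The `log` keyword on the block rule records external probes of port 22 to pflog, which is the useful detection side-effect of moving public access to 8022.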