lists.openwall.net
Open Source and information security mailing list archives
From: lists at ktabic.co.uk (ktabic)
Subject: Re: Re: open telnet port

On Thu, 2004-09-09 at 09:41 -0400, Andrew Haninger wrote:
> > How about, as a service to enable as you are updating SSH remotely from
> > the other side of the country to fix the most recent security problem
> > and need a backup system to get into the server in the event that
> > something goes wrong?
> Maybe it would work as well, to start a ssh daemon on a high port,
> login on that high port, update the current sshd, start it up on port
> 22, logout of the high port, login on port 22, and kill the high-port
> sshd.
> 
> So,
> 
> [foo@....com ~] sshd -p 6000
> [bar@....com ~] ssh foo@....com -p 6000
> [foo@....com ~] [kill sshd running on port 22]
> [foo@....com ~] [make and install new sshd]
> [foo@....com ~] sshd
> [bar@....com ~] ssh foo@....com
> [kill sshd running on port 6000]
> 
> This would nearly eliminate any danger due to your insecure version of
> sshd since it would be running on a non-standard port for a brief
> period of time, and you would not be passing any passwords in the
> clear.

So the solution to not running a backup telnet server for updating SSH is to
run a second, known-insecure version of sshd on a different port,
presuming, of course, that you are allowed to run said sshd on said high
port in the first place.
Which results in something that sounds a bit like security by obscurity,
which is bad. You end up presuming that a potential attacker cannot do his
thing because you are using ssh on an oddball port.
Oh, and not everyone is root for all parts of the network they may be
administrating.
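
The upgrade procedure quoted in the thread, written out as a script so that the temporary daemon is verified when it starts and is only torn down after the replacement on port 22 is confirmed listening. This is an added example, not code from the thread or from OpenSSH. Everything hypothetical is labelled: it assumes sshd at /usr/sbin/sshd, the port-22 daemon writing its pid to /run/sshd.pid, `ss -Hltn` for listing TCP listeners, and a new build that installs with `make install` from $BUILD_DIR. The port check takes the `ss` output as an argument, so it can be exercised against sample text without root.

```shell
#!/bin/sh
# Added example (not from the thread): the "temporary sshd on a high port"
# upgrade, wrapped so each step is checked before the next one runs.
# Assumptions (hypothetical, not from the thread): sshd is /usr/sbin/sshd,
# the port-22 daemon writes its pid to /run/sshd.pid, `ss -Hltn` lists TCP
# listeners, and the new build installs with `make install` from $BUILD_DIR.
set -eu

FALLBACK_PORT="${FALLBACK_PORT:-6000}"
FALLBACK_PID="${FALLBACK_PID:-/run/sshd-fallback.pid}"
MAIN_PID="${MAIN_PID:-/run/sshd.pid}"
BUILD_DIR="${BUILD_DIR:-/usr/src/openssh}"
SSHD="${SSHD:-/usr/sbin/sshd}"

# Pure check: succeed if the given `ss -Hltn` output contains a listener
# whose local address column ends in ":$1". The output is passed in as an
# argument so the check can be run against sample text on any machine.
listener_on_port() {
    port="$1"
    ss_output="$2"
    printf '%s\n' "$ss_output" | awk -v suffix=":$port" '
        {
            n = length($4); m = length(suffix)
            if (n >= m && substr($4, n - m + 1) == suffix) found = 1
        }
        END { exit !found }'
}

# Step 1 of the thread: start the old (known-insecure) sshd on the high port.
# It exists only for the length of the upgrade, and we refuse to go on
# unless the listener actually came up.
start_fallback() {
    "$SSHD" -p "$FALLBACK_PORT" -o "PidFile=$FALLBACK_PID" || return 1
    listener_on_port "$FALLBACK_PORT" "$(ss -Hltn)" || {
        echo "fallback sshd is not listening on port $FALLBACK_PORT" >&2
        return 1
    }
}

# Steps 3-5 of the thread, run from a session that came in over the high
# port: stop the port-22 listener (established sessions survive, only the
# listening process dies), install the new build, start it, confirm it listens.
upgrade_main() {
    kill "$(cat "$MAIN_PID")" || return 1
    make -C "$BUILD_DIR" install || return 1
    "$SSHD" || return 1
    listener_on_port 22 "$(ss -Hltn)"
}

# Final step of the thread: kill the high-port sshd. Run only after a fresh
# login on port 22 has succeeded, and complain if the port is still open.
stop_fallback() {
    if [ -f "$FALLBACK_PID" ]; then
        kill "$(cat "$FALLBACK_PID")" || return 1
        rm -f "$FALLBACK_PID"
    fi
    if listener_on_port "$FALLBACK_PORT" "$(ss -Hltn)"; then
        echo "something is still listening on port $FALLBACK_PORT" >&2
        return 1
    fi
}

case "${1:-}" in
    start)
        start_fallback
        echo "log in over port $FALLBACK_PORT, then run: $0 upgrade" >&2 ;;
    upgrade)
        if upgrade_main; then
            echo "new sshd listening on 22; test a login there, then run: $0 cleanup" >&2
        else
            echo "upgrade failed; fallback left running on port $FALLBACK_PORT" >&2
            exit 1
        fi ;;
    cleanup)
        stop_fallback ;;
esac
```

The three subcommands map onto the thread's sequence: `start` from the existing session, `upgrade` from the session opened over the high port, and `cleanup` only after a login on port 22 has been tested by hand. On a failed upgrade the fallback is deliberately left running rather than killed by an exit trap, since at that point it is the only way back in.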

