eric@lucii.org on Wed, 3 Apr 2002 12:15:35 -0500

Thanks Neighbor! (I'm on Dartmouth Ave. in Swarthmore)

On Wed, Apr 03, 2002 at 11:47:29AM -0500, gabriel rosenkoetter wrote:
> On Wed, Apr 03, 2002 at 11:41:37AM -0500, eric@lucii.org wrote:
> > So, I tell e-smith to forward port NNNN to port 22 (for ssh)
> > on the server. So far so good.
>
> That's all well and good, but that only gets you the listener, not
> the forked off sshd that actually communicates with the client on a
> higher port number. Stop blocking ports >1024.

OK, I have heard of this before. If I open ports >1024, do we have to
forward all those ports to the server in question? I guess yes.

If we do that, does that make our server more vulnerable to attack
and/or compromise? I guess yes... although it's a SuSE 7.3 pro system
and we try to keep it updated. That is, I guess, the risk we take.

I'm also guessing that the same process of using higher number ports is
true for mysql and http as well?

> (No, you can't write a rule in your firewall to map these ports, the
> decision is made on the fly by the listening sshd. You'd have to
> teach sshd how to talk to the firewall and update its port
> forwarding table if you wanted only the ports necessary open on the
> fly. That's non-trivial.)

Whoa yeah! No kidding! Sounds like a good open-source project for the
paranoid :-D Our connection is via Comcast cable so we are justifiably
paranoid.... hummmmm.

Is there a "range" that sshd likes? For example, I know that the game
"Age of Empires" uses port 47634 and ports 2300-2400.

> Wouldn't help me, since I'm not familiar with the details of the
> firewall, but maybe the general what-to-do advice above will help
> you.

Yes. Thanks.

> --
> gabriel rosenkoetter
> gr@eclipsed.net

Eric
--
# Eric Allan Lucas
# "Oh, I have slipped the surly bond of earth
# And danced the skies on laughter-silvered wings..
# -- John Gillespie Magee Jr.

Attachment: pgpCgogA8hjme.pgp
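An added example, not part of this thread or either author's words: a small Python script showing what actually happens to an accepted TCP connection in a forking server such as sshd. The listener accepts the connection, hands the accepted socket to a per-client handler, and the client keeps talking to the listener's port for the life of the session; no second, higher port is opened. For the firewall in the thread this means a single forwarded port (NNNN to 22) plus the usual stateful "allow established" return traffic is sufficient, and the ">1024" range can stay closed. The function names (`demo`, `serve_once`, `handle_client`) are assumed for this script, and it uses a thread where sshd forks a process; the socket semantics are the same either way.

```python
import socket
import threading


def handle_client(conn, addr):
    """Per-client handler, standing in for the forked-off sshd child.

    It receives the already-accepted socket; it does not bind or
    listen on any new port of its own.
    """
    with conn:
        data = conn.recv(1024)
        conn.sendall(b"echo:" + data)


def serve_once(listener):
    """Accept exactly one connection and hand it to a handler.

    sshd would fork() here; a thread is used so the script runs
    unchanged on any platform. Either way the child inherits the
    accepted socket, whose local port is the listener's port.
    """
    conn, addr = listener.accept()
    worker = threading.Thread(target=handle_client, args=(conn, addr))
    worker.start()
    worker.join()


def demo():
    """Run listener and client on loopback; report the ports involved.

    Returns a dict so the result can be inspected or asserted on:
      listen_port - port the server listens on (chosen by the OS here)
      peer_port   - port the client sees as its peer once connected
      reply       - bytes the handler sent back on that same connection
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("127.0.0.1", 0))      # port 0: let the OS pick a free one
    listener.listen(1)
    listen_port = listener.getsockname()[1]

    server = threading.Thread(target=serve_once, args=(listener,))
    server.start()

    client = socket.create_connection(("127.0.0.1", listen_port))
    peer_port = client.getpeername()[1]  # the port the firewall must forward
    client.sendall(b"hello")
    reply = client.recv(1024)
    client.close()

    server.join()
    listener.close()
    return {"listen_port": listen_port, "peer_port": peer_port, "reply": reply}


if __name__ == "__main__":
    result = demo()
    print(f"listener port : {result['listen_port']}")
    print(f"client's peer : {result['peer_port']}")
    print(f"reply         : {result['reply']!r}")
    # The two port numbers match: the whole session rides on the
    # one accepted connection, so only that port needs forwarding.
```

Run it and compare the two port numbers; they are identical. The only port the client ever connects to is the one the listener was bound to, which is why a DNAT rule from the firewall's external port to the server's port 22 is all the mapping sshd needs.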