can't run sshd on 23456 in Fedora 19

Daniel J Walsh dwalsh at redhat.com
Mon Jul 8 17:31:01 UTC 2013



On 07/08/2013 04:02 AM, James Hogarth wrote:
> 
> Ah, SELinux again... Kinda' defeats the purpose these days, doesn't it?
> 
> No it's doing exactly what it should be doing ... in a 'normal' use case
> there's no need for SSH to be on a port other than TCP/22 and this prevents
> it ... if you need it on another port it's trivial to add on the new port
> with semanage to the rules...
> 
> But it's not a good idea to move SSH to a port over 1024 since it leaves
> you in a potentially vulnerable state in terms of attack surface. This is a
> key networking daemon that all credentials, data and commands go over -
> as such it's ripe for use in a man in the middle attack to gain more
> information about a system. Only root can bind below 1024 so if SSH (or
> indeed other services too) have bound to a low port then it must have
> started life as a root owned process... an unprivileged user cannot bind to
> these ports at all.
> 
> If you configure SSH to bind to a port over 1024 then an attacker who
> achieves unprivileged access to the box (either an attack on a shell
> account or via another exploitable service such as httpd/php/etc) can use
> methods to force the process to crash and then bind their own process to
> that port to man in the middle login details, session information (such as
> root password) and so on ...
> 
> If you want SSH on a different port the better options are to pick a port
> below 1024 (and add that port to the sshd_t context via semanage) or to
> bind SSH to 22 and to use iptables to do a redirection internally from the
> high level port you want to the 22 that it is really listening on ... that
> way an unprivileged process/user cannot impersonate your SSH daemon and
> externally it's still visible on whichever port you prefer.
> 

If you read the sshd_config file, it states:

# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
#Port 22
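As an added example (not part of the thread, and not code from either poster), here are helper functions for the two approaches discussed above: labelling a new port as ssh_port_t with the semanage line from sshd_config, or leaving sshd on 22 and redirecting the externally visible port with an iptables REDIRECT rule. Port 23456 is the one from the subject line; DRY_RUN is an assumed variable that makes the functions print the command instead of running it, since both tools need root.

```sh
#!/bin/sh
# Added example, not from the original thread. With DRY_RUN set, each
# function prints the command it would run instead of executing it.

# Validate a TCP port number; return 1 for anything outside 1..65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Run a command, or just print it when DRY_RUN is set.
run() {
    if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi
}

# Option 1: keep sshd on the new port and tell SELinux it is an ssh port
# (the semanage line quoted from sshd_config). A port above 1023 can be
# bound by any unprivileged process once sshd stops, which is the risk
# James describes, so the function says so on stderr.
ssh_port_allow() {
    valid_port "$1" || { echo "invalid port: $1" >&2; return 1; }
    if [ "$1" -gt 1023 ]; then
        echo "note: $1 is unprivileged; any local user may bind it once sshd is down" >&2
    fi
    run semanage port -a -t ssh_port_t -p tcp "$1"
}

# Option 2: leave sshd listening on 22 and redirect the chosen port to it
# in the nat table, so no unprivileged process can take the port over.
ssh_port_redirect() {
    valid_port "$1" || { echo "invalid port: $1" >&2; return 1; }
    run iptables -t nat -A PREROUTING -p tcp --dport "$1" -j REDIRECT --to-ports 22
}

# Constructed usage: show both commands for the port from the thread.
DRY_RUN=1 ssh_port_allow 23456
DRY_RUN=1 ssh_port_redirect 23456
```

If the port is already labelled for another type, `semanage port -a` refuses and `semanage port -m` must be used instead; `semanage port -l` lists the current mappings.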

