[techtalk] packet filtering and ssh

[Amos Hayes]

On Mon, 22 Nov 1999, Jennifer Tippens wrote:

> Figured it out.
> 
> The line should be:
> $IPCHAINS -A input -i $E_IF -p tcp -s 0/0 1023 -d (my gateway's
> ipnumber)/32 22 -j ACCEPT

That won't work in all cases. Here are a couple things to note:

ssh (the client), when suid root (as is the case with the default unix
install or in some windows implementations) will connect out with the
first available port less than 1024. This has to do with the ability for
ssh to replace the r services. If you don't need it to do that, you should
remove the suid bit on the ssh client. You don't need the client to be
suid root to ssh, scp or to do any port forwarding.

If you remove the suid bit (least privilege - good idea) then ssh will 
connect out using a port above 1023. In many networks that are firewalled
off (and where sysadmins are cautious) the suid bit is removed and ssh
behaves this way. So if you want to be able to ssh from anywhere to your
box, you probably don't want to limit the source port to 1023.

Lastly, each simultaneous ssh client connection out uses a new source
port. Specifying a source port of 1023 will limit you to one ssh
connection at a time from a given box and only if the client is suid (or 
behaves that way).

What I would (and do) do is leave out the bit about source ports/ips in
the ruleset. I can't tell you exactly what that would be using ipchains (I
use OpenBSD with ipfilter) but there has been a suggestion that leaving
out the -s stuff altogether would do the trick. If you want to limit ssh
inbound from certain ip addresses, you are probably better off specifying
them in sshd_config anyway.

Hope all that info makes sense and is useful to you (and maybe others).

--
Amos Hayes
ahayes at polkaroo.net


************
techtalk at linuxchix.org   http://www.linuxchix.org