On Sun, 22 Jul 2012, Brian wrote:
> The ssh and webserver daemons are available on the network. Presumably
> this is what you want. Their security will depend on how you have
> configured them. Debian sshd can be run safely with the default install.
Sort of. The recommended "almost worry-free" configuration for SSH nowadays is to have it refuse any sort of password-based authentication, and accept only key-based authentication (and token-based if you use Kerberos or MS AD), *restricted* to the set of users that indeed are allowed to ssh to the box[1], and no root logins. Depending on the situation, you also have to restrict port forwarding and agent forwarding even for authorized users.

Unfortunately, that's not something easy to automate in the general case, and any compromise we take will generate a lot of complaints, so we ship a *reasonably safe* default... but last I checked, they're safe only if you don't ever set any easily brute-forceable passwords, etc.

If you never need to SSH into the box, remove openssh-server.

[1] AllowUsers foo bar. And root must never be one of them :p

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh

Archive: http://lists.debian.org/20120722140926.gc6...@khazad-dum.debian.net
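As an added example that is not part of the thread, a small POSIX shell audit of an sshd_config against the settings described above: key-only authentication, no root login, an explicit AllowUsers list without root, and forwarding switched off. It assumes whitespace-separated "Keyword value" directives and ignores everything after the first Match block, and the names sshd_opt, sshd_allowusers and audit_sshd_config are my own.

```shell
#!/bin/sh
# Audit helper for the sshd_config recommendations above (added here, not
# from the mailing list). Assumption: directives are "Keyword value" lines;
# settings after a "Match" block are conditional and therefore ignored.

# Effective value of a keyword: sshd uses the first occurrence in the global
# section, so stop at the first hit or at the first Match block.
sshd_opt() {
  awk -v key="$2" '
    tolower($1) == "match"      { exit }
    tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# All AllowUsers entries in the global section (sshd accumulates them).
sshd_allowusers() {
  awk 'tolower($1) == "match"      { exit }
       tolower($1) == "allowusers" { for (i = 2; i <= NF; i++) print $i }' "$1"
}

# Print one line per finding; return 0 only when there are none.
audit_sshd_config() {
  f="$1"; rc=0
  [ "$(sshd_opt "$f" PasswordAuthentication)" = "no" ] \
    || { echo "PasswordAuthentication is not 'no' (key-based auth only)"; rc=1; }
  [ "$(sshd_opt "$f" PermitRootLogin)" = "no" ] \
    || { echo "PermitRootLogin is not 'no'"; rc=1; }
  users=$(sshd_allowusers "$f")
  if [ -z "$users" ]; then
    echo "AllowUsers is unset: every local account may log in"; rc=1
  else
    for u in $users; do
      # entries may be user or user@host; reject root in either form
      case "$u" in root|root@*) echo "AllowUsers includes root"; rc=1 ;; esac
    done
  fi
  # Forwarding: both default to yes in sshd, so an unset keyword is a finding.
  [ "$(sshd_opt "$f" AllowTcpForwarding)" = "no" ] \
    || { echo "AllowTcpForwarding is not 'no' (default is yes)"; rc=1; }
  [ "$(sshd_opt "$f" AllowAgentForwarding)" = "no" ] \
    || { echo "AllowAgentForwarding is not 'no' (default is yes)"; rc=1; }
  return $rc
}
```

Run it as `audit_sshd_config /etc/ssh/sshd_config`; a non-zero exit means at least one of the listed settings deviates from the recommendation.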