On 22/07/12 16:09, Henrique de Moraes Holschuh wrote:
> On Sun, 22 Jul 2012, Brian wrote:
>> The ssh and webserver daemons are available on the network. Presumably
>> this is what you want. Their security will depend on how you have
>> configured them. Debian sshd can be run safely with the default install.
> Sort of. The recommended "almost worry-free" configuration for SSH nowadays
> is to have it refuse any sort of password-based authentication, and accept
> only key-based authentication (and token-based if you use Kerberos or MS
> AD), *restricted* to the set of users that indeed are allowed to ssh to the
> box[1] and no root logins. Depending on the situation, you also have to
> restrict port forwarding and agent forwarding even for authorized users.
>
> Unfortunately, that's not something easy to automate in the general case,
> and any compromise we take will generate a lot of complaints, so we ship a
> *reasonably safe* default... but last I checked, they're safe only if you
> don't ever set any easily brute-forceable passwords, etc.
>
> If you never need to SSH into the box, remove openssh-server.
>
> [1] AllowUsers foo bar. And root must never be one of them :p

Beware you must be sure to keep access to the machine before applying the
restrictions, i.e. if you're dealing with a rented server (be it physical or
virtual) in a datacenter far away...
This access might be through an out-of-band management connection (KVM,
iDRAC, iLO, or something else), but you'd better check it works before
restraining ssh access.
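Henrique's checklist turned into a quick audit of an sshd_config file, as an added example that is not part of the thread. The directive names are real OpenSSH keywords; the sample configuration, the audit function and its file argument are constructed here, and only the global section before any Match block is examined.

```shell
# Added example: audit an sshd_config for the settings listed in the thread.
# Directive names are real OpenSSH keywords; the sample config is constructed.
# Only the global section is checked; everything after the first Match is skipped.
# sshd_directive FILE KEYWORD: print the effective value. OpenSSH uses the
# *first* occurrence of a keyword, so the scan stops at the first hit.
sshd_directive() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }    # comments and blank lines
        tolower($1) == "match"   { exit }    # end of the global section
        tolower($1) == key { sub(/^[ \t]*[^ \t]+[ \t]+/, ""); sub(/[ \t]+$/, ""); print; exit }
    ' "$1"
}

# audit_sshd_config FILE: print one FAIL line per finding; return 0 when clean.
audit_sshd_config() {
    file=$1 fails=0
    # ChallengeResponseAuthentication=no closes the PAM keyboard-interactive
    # path, which would otherwise still accept a password.
    for pair in PasswordAuthentication=no ChallengeResponseAuthentication=no \
                PubkeyAuthentication=yes PermitRootLogin=no \
                AllowTcpForwarding=no AllowAgentForwarding=no; do
        key=${pair%%=*} want=${pair#*=}
        got=$(sshd_directive "$file" "$key" | tr 'A-Z' 'a-z')
        if [ "$got" != "$want" ]; then
            echo "FAIL $key: got '${got:-<unset>}', want '$want'"
            fails=$((fails + 1))
        fi
    done
    users=$(sshd_directive "$file" AllowUsers)
    case " $users " in
        "  ")       echo "FAIL AllowUsers: unset, any account may log in"; fails=$((fails + 1)) ;;
        *" root "*) echo "FAIL AllowUsers: root is listed"; fails=$((fails + 1)) ;;
    esac
    [ "$fails" -eq 0 ]
}

# Constructed sample implementing the thread's "almost worry-free" setup.
hardened_sample() {
    cat <<'EOF'
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
AllowUsers foo bar
AllowTcpForwarding no
AllowAgentForwarding no
EOF
}

# Stand-alone run: write the sample to a temp file and audit it.
cfg=$(mktemp); hardened_sample > "$cfg"; audit_sshd_config "$cfg" && echo "sample config passes"; rm -f "$cfg"
```

Run it against the candidate file before restarting sshd, and, as the reply above says, only after confirming the out-of-band path works.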