How can I secure a Debian installation?

Hello list, I recently came across a posting by an individual who got his Debian machine compromised due to a number of security problems, one of which was the default installation and running of sshd with "PermitRootLogin = Yes". in /etc/ssh/sshd_config. So I checked the Debian installation tha

Re: How can I secure a Debian installation?

2014-01-28 Jon Danniken > Hello list, > > I recently came across a posting by an individual who got his > Debian machine compromised due to a number of security problems, one of > which was the default installation and running of sshd with > "PermitRootLogin = > Yes". in /etc/ssh/sshd_config. >

Re: How can I secure a Debian installation?

On 28/01/14 15:24, Jon Danniken wrote: > Hello list, > > I recently came across a posting by an individual who got his > Debian machine compromised due to a number of security problems, one of > which was the default installation and running of sshd with > "PermitRootLogin = > Yes". in /etc/ssh/s

Re: How can I secure a Debian installation?

On 01/27/2014 09:41 PM, Scott Ferguson wrote: > > Keep updated, subscribe to the security list, read and follow the fine > manual:- > https://www.debian.org/doc/manuals/securing-debian-howto/ Thanks Scott, that's just what I was looking for. Jon -- To UNSUBSCRIBE, email to debian-user-requ...@

Re: How can I secure a Debian installation?

On Lu, 27 ian 14, 20:24:42, Jon Danniken wrote: > Hello list, > > I recently came across a posting by an individual who got his > Debian machine compromised due to a number of security problems, one of > which was the default installation and running of sshd with > "PermitRootLogin = > Yes". in /

Re: How can I secure a Debian installation?

On Monday 27 January 2014 20:24:42 Jon Danniken wrote: > Hello list, > > I recently came across a posting by an individual who got his > Debian machine compromised due to a number of security problems, one of > which was the default installation and running of sshd with > "PermitRootLogin = > Yes

Re: How can I secure a Debian installation?

On Mon, 27 Jan 2014 23:51:01 -0800 Jon Danniken wrote: > On 01/27/2014 09:41 PM, Scott Ferguson wrote: > > > > Keep updated, subscribe to the security list, read and follow the > > fine manual:- > > https://www.debian.org/doc/manuals/securing-debian-howto/ > > Thanks Scott, that's just what I wa

Re: How can I secure a Debian installation?

On Tue, Jan 28, 2014 at 12:41 AM, Scott Ferguson < scott.ferguson.debian.u...@gmail.com> wrote: > > > Keep updated, subscribe to the security list, read and follow the fine > manual:- > https://www.debian.org/doc/manuals/securing-debian-howto/ > > Another suggestion I would make would be to regula

Re: How can I secure a Debian installation?

On Mon 27 Jan 2014 at 20:24:42 -0800, Jon Danniken wrote: > I recently came across a posting by an individual who got his > Debian machine compromised due to a number of security problems, one of > which was the default installation and running of sshd with > "PermitRootLogin = > Yes". in /etc/ss

Re: How can I secure a Debian installation?

On Tue 28 Jan 2014 at 09:46:43 +, Joe wrote: > My recommendation would be to run sshd on a high port number. Before the > usual chorus jumps in, I know *that* *does* *not* *improve* *security*, Fine; we are in agreement. > but it certainly gives you cleaner log files. Though over a number of

Re: How can I secure a Debian installation?

On Tue, 28 Jan 2014 11:58:22 + Brian wrote: > On Tue 28 Jan 2014 at 09:46:43 +, Joe wrote: > > > My recommendation would be to run sshd on a high port number. > > Before the usual chorus jumps in, I know *that* *does* *not* > > *improve* *security*, > > Fine; we are in agreement. > > >

Re: How can I secure a Debian installation?

2014-01-28 Joe > On Mon, 27 Jan 2014 23:51:01 -0800 > Jon Danniken wrote: > > > On 01/27/2014 09:41 PM, Scott Ferguson wrote: > > > > > > Keep updated, subscribe to the security list, read and follow the > > > fine manual:- > > > https://www.debian.org/doc/manuals/securing-debian-howto/ > > > >

Re: How can I secure a Debian installation?

On Tue 28 Jan 2014 at 14:18:48 +, Joe wrote: > On Tue, 28 Jan 2014 11:58:22 + > Brian wrote: > > > The conclusion appears to contradict the first statement. I might not be have been very clear; the "first statement" I was referring to is > I know *that* *does* *not* *improve* *secur

Re: How can I secure a Debian installation?

On Tue 28 Jan 2014 at 15:31:25 +0100, Raffaele Morelli wrote: > 2014-01-28 Joe > > > And so was Raffaele's reply. If you will be using ssh from outside, set > > up keys and disable the use of passwords. Use a good password or phrase > > on the private key, and keep it on a USB stick away from th

Re: How can I secure a Debian installation?

On 01/28/2014 01:53 AM, Brad Alexander wrote: > On Tue, Jan 28, 2014 at 12:41 AM, Scott Ferguson < > scott.ferguson.debian.u...@gmail.com> wrote: > >> >> >> Keep updated, subscribe to the security list, read and follow the fine >> manual:- >> https://www.debian.org/doc/manuals/securing-debian-howt

Re: How can I secure a Debian installation?

On 01/28/2014 03:57 AM, Brian wrote: > On Mon 27 Jan 2014 at 20:24:42 -0800, Jon Danniken wrote: > >> I recently came across a posting by an individual who got his >> Debian machine compromised due to a number of security problems, one of >> which was the default installation and running of sshd w

Re: How can I secure a Debian installation?

On Tue 28 Jan 2014 at 11:40:04 -0800, Jon Danniken wrote: > Thanks Brian, I ended up removing openssh-server, as it was not > something I needed; it was automatically installed and set up to run as > a "feature" of the live CD I used to install Debian with (installed as > part of the "live-tools"

Re: How can I secure a Debian installation?

On 01/28/2014 12:37 PM, Brian wrote: > On Tue 28 Jan 2014 at 11:40:04 -0800, Jon Danniken wrote: > >> Thanks Brian, I ended up removing openssh-server, as it was not >> something I needed; it was automatically installed and set up to run as >> a "feature" of the live CD I used to install Debian wi

Re: How can I secure a Debian installation?

On 29/01/14 01:18, Joe wrote: > On Tue, 28 Jan 2014 11:58:22 + > Brian wrote: > >> On Tue 28 Jan 2014 at 09:46:43 +, Joe wrote: >> >> >> > > Good passwords, no. But most of the posts I've seen about hacked Linux > installations where the point of entry was known seem to blame ssh, > p

Re: How can I secure a Debian installation?

2014-01-28 Brian > On Tue 28 Jan 2014 at 15:31:25 +0100, Raffaele Morelli wrote: > > > 2014-01-28 Joe > > > > > And so was Raffaele's reply. If you will be using ssh from outside, set > > > up keys and disable the use of passwords. Use a good password or phrase > > > on the private key, and keep

Re: How can I secure a Debian installation?

On Tue, 28 Jan 2014 18:42:34 + Brian wrote: > The AllowUsers directive is a legitimate way to restrict ssh logins to > certain users. However, I do not see what (ssh keys + AllowUsers) > brings to the party that (password + AllowUsers) doesn't. A key (if kept secret) is even harder to "guess

Re: How can I secure a Debian installation?

On Thu 30 Jan 2014 at 18:53:11 +0100, Denis Witt wrote: > On Tue, 28 Jan 2014 18:42:34 + > Brian wrote: > > > The AllowUsers directive is a legitimate way to restrict ssh logins to > > certain users. However, I do not see what (ssh keys + AllowUsers) > > brings to the party that (password +

Re: How can I secure a Debian installation?

On Thu, Jan 30, 2014 at 06:53:11PM +0100, Denis Witt wrote: password, also it's not "ssh keys + AllowUsers" it's (or should be) "ssh key + key pass-phrase + AllowUsers". As an administrator you can’t control the key pass-phrase. If a user creates a key without it you can’t stop him from using

Re: How can I secure a Debian installation?

2014-01-30 Brian : > On Thu 30 Jan 2014 at 18:53:11 +0100, Denis Witt wrote: > > > On Tue, 28 Jan 2014 18:42:34 + > > Brian wrote: > > > > > The AllowUsers directive is a legitimate way to restrict ssh logins to > > > certain users. However, I do not see what (ssh keys + AllowUsers) > > > bri

Re: How can I secure a Debian installation?

On 31/01/14 15:29, Raffaele Morelli wrote: > > > > 2014-01-30 Brian mailto:a...@cityscape.co.uk>>: > > On Thu 30 Jan 2014 at 18:53:11 +0100, Denis Witt wrote: > > > On Tue, 28 Jan 2014 18:42:34 + > > Brian mailto:a...@cityscape.co.uk>> wrote: > > > > > The AllowUsers di

Re: How can I secure a Debian installation?

On Tue, Jan 28, 2014 at 08:37:57PM +, Brian wrote: > On Tue 28 Jan 2014 at 11:40:04 -0800, Jon Danniken wrote: > > > Thanks Brian, I ended up removing openssh-server, as it was not > > something I needed; it was automatically installed and set up to run as > > a "feature" of the live CD I used

Re: How can I secure a Debian installation?

On 31/01/14 17:17, Артур Истомин wrote: > On Tue, Jan 28, 2014 at 08:37:57PM +, Brian wrote: >> On Tue 28 Jan 2014 at 11:40:04 -0800, Jon Danniken wrote: >> >> >> But ssh keys are great for some situations. The problem is their >> advocates never describe what the situations are and it is too

Re: How can I secure a Debian installation?

2014-01-31 Scott Ferguson : > On 31/01/14 15:29, Raffaele Morelli wrote: > > > > > > > > 2014-01-30 Brian mailto:a...@cityscape.co.uk>>: > > > > On Thu 30 Jan 2014 at 18:53:11 +0100, Denis Witt wrote: > > > > > On Tue, 28 Jan 2014 18:42:34 + > > > Brian mailto:a...@cityscape.co.uk>

Re: How can I secure a Debian installation?

On 31/01/14 17:56, Raffaele Morelli wrote: > 2014-01-31 Scott Ferguson >: > > On 31/01/14 15:29, Raffaele Morelli wrote: > > > > > > > > 2014-01-30 Brian

Re: How can I secure a Debian installation?

2014-01-31 Scott Ferguson : > On 31/01/14 17:56, Raffaele Morelli wrote: > > 2014-01-31 Scott Ferguson > >: > > > > On 31/01/14 15:29, Raffaele Morelli wrote: > > > > > > > > > > > > 2014-01-30 Brian >

Re: How can I secure a Debian installation?

On 31/01/14 18:52, Raffaele Morelli wrote: > 2014-01-31 Scott Ferguson >: > > > > Security requires knowledge, you made no such discovery. Too much emotional content. :) Flamefests do no one any good. If you need a public forum for your views you

Re: How can I secure a Debian installation?

2014-01-31 Scott Ferguson : > On 31/01/14 18:52, Raffaele Morelli wrote: > > 2014-01-31 Scott Ferguson > >: > > > > > > > > > Security requires knowledge, you made no such discovery. > > Too much emotional content. :) > Flamefests do no one any good.

Re: How can I secure a Debian installation?

On 31.01.2014 08:17, Артур Истомин wrote: > Also, "SSH: passwords or keys?" - http://lwn.net/Articles/369703/ It's no longer an XOR choice now that Wheezy has OpenSSH-server 6.4 in the backports repository. With 6.2 and later it is possible to require both a key and a password. See the configura

Re: How can I secure a Debian installation?

On 1/30/2014 11:29 PM, Raffaele Morelli wrote: 2014-01-30 Brian mailto:a...@cityscape.co.uk>>: On Thu 30 Jan 2014 at 18:53:11 +0100, Denis Witt wrote: > On Tue, 28 Jan 2014 18:42:34 + > Brian mailto:a...@cityscape.co.uk>> wrote: > > > The AllowUsers directive is a

Re: How can I secure a Debian installation?

On 1/31/2014 1:17 AM, Артур Истомин wrote: On Tue, Jan 28, 2014 at 08:37:57PM +, Brian wrote: On Tue 28 Jan 2014 at 11:40:04 -0800, Jon Danniken wrote: Thanks Brian, I ended up removing openssh-server, as it was not something I needed; it was automatically installed and set up to run as a

Re: How can I secure a Debian installation?

On Fri 31 Jan 2014 at 07:56:29 +0100, Raffaele Morelli wrote: > Brian argued that a private key+allowusers does not improve security with > respect to passwords+allowusers. I did :). > I use private key authentication with a 21 characters passphrase which is > at minimum more secure than a 21 ch

Re: How can I secure a Debian installation?

I have to agree with you here, Raffaele. While it's nice to talk about users and 20 character random keys, the fact of the matter is, they aren't used by the vast majority of users. In many cases, even those who *should* know better don't do it. Sure, you could require a 20 character rando

Re: How can I secure a Debian installation?

On 1/31/2014 3:58 PM, Alex Mestiashvili wrote: I have to agree with you here, Raffaele. While it's nice to talk about users and 20 character random keys, the fact of the matter is, they aren't used by the vast majority of users. In many cases, even those who *should* know better don't do it.

Re: How can I secure a Debian installation?

2014-01-31 Brian : > On Fri 31 Jan 2014 at 07:56:29 +0100, Raffaele Morelli wrote: > > > Brian argued that a private key+allowusers does not improve security with > > respect to passwords+allowusers. > > I did :). > > > I use private key authentication with a 21 characters passphrase which is > >

Re: How can I secure a Debian installation?

On Vi, 31 ian 14, 17:19:08, Scott Ferguson wrote: > > It's not only common (in some industry sectors 12 *random* characters > regularly changed and never repeated is mandated), it's good security. > Despite what some will advise entropy is the measure of exhaustion - > resulting from *brute* force

Re: How can I secure a Debian installation?

On Sat, 2014-02-01 at 11:21 +0200, Andrei POPESCU wrote: > On Vi, 31 ian 14, 17:19:08, Scott Ferguson wrote: > > > > It's not only common (in some industry sectors 12 *random* characters > > regularly changed and never repeated is mandated), it's good security. > > Despite what some will advise en

Re: How can I secure a Debian installation?

On Sat, Feb 01, 2014 at 12:00:30 -0200, André Nunes Batista wrote: > > Isn't it the case where the randomness of the key/password composes the > overall quality of the crypto substitutions in such a way that 4096bit > keys would necessarily provide better protection against cryptanalysis > when com

Re: How can I secure a Debian installation?

On 2/1/2014 9:41 AM, Florian Kulzer wrote: On Sat, Feb 01, 2014 at 12:00:30 -0200, André Nunes Batista wrote: Isn't it the case where the randomness of the key/password composes the overall quality of the crypto substitutions in such a way that 4096bit keys would necessarily provide better prot

Re: How can I secure a Debian installation?

On 2/1/2014 10:21 AM, Jerry Stuckle wrote: On 2/1/2014 9:41 AM, Florian Kulzer wrote: On Sat, Feb 01, 2014 at 12:00:30 -0200, André Nunes Batista wrote: Isn't it the case where the randomness of the key/password composes the overall quality of the crypto substitutions in such a way that 4096bi

Re: How can I secure a Debian installation?

On Sat 01 Feb 2014 at 08:58:52 +0100, Raffaele Morelli wrote: > Here we go. To be more accurate, it's not that password login is less > secure, it's private key + passphrase that *adds* security because of its > nature. > That way, even a user who picks a weak passphrase has somewhat an increased

Re: How can I secure a Debian installation?

On Sat 01 Feb 2014 at 11:18:17 -0500, Jerry Stuckle wrote: > On 2/1/2014 10:21 AM, Jerry Stuckle wrote: > >On 2/1/2014 9:41 AM, Florian Kulzer wrote: > >>On Sat, Feb 01, 2014 at 12:00:30 -0200, André Nunes Batista wrote: > >>> > >>>Isn't it the case where the randomness of the key/password compose