On Fri, 2010-11-19 at 17:05 +0100, Soren Hansen wrote: > On 18-11-2010 16:49, Marc Deslauriers wrote: > > I want the person installing the server to actually make the choice > > to install ssh in order to realize that doing so may have > > consequences. ie: "Oh wait, If I install ssh now, I should unplug the > > server from the network and configure ssh properly before hooking it > > back up..." > > What does "configure ssh properly" usually entail? Are these some > defaults we can change or offer as follow-on questions if people answer > "Yes" to this dialog? (Yes, I fully realise that will very likely result > in a net loss in usability on account of more questions asked, just > trying to get something constructive out of this thread) >
I think this highly depends on the environment the server is set up in, and is beyond the scope of the installer, but typically one or more of the following: - Limit ssh to a specific network interface - Disable password authentication and copy over keys - Configure AllowUsers and/or AllowGroups - Disable DebianBanner - Configure a firewall to limit connections from specific IPs and enable rate limiting - Configure tcpwrappers to limit connections from specific IPs - Install fail2ban or denyhosts - Add server to corporate IPS ssh-monitored host group - etc. SSH password brute-forcing has been on the SANS Top 20 vulnerability list for the past 10 years or so. Marc. -- ubuntu-devel mailing list ubuntu-devel@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel