On Friday, November 19, 2010 12:40:17 pm Marc Deslauriers wrote:
> On Fri, 2010-11-19 at 17:05 +0100, Soren Hansen wrote:
> > On 18-11-2010 16:49, Marc Deslauriers wrote:
> > > I want the person installing the server to actually make the choice
> > > to install ssh in order to realize that doing so may have
> > > consequences. i.e.: "Oh wait, if I install ssh now, I should unplug the
> > > server from the network and configure ssh properly before hooking it
> > > back up..."
> >
> > What does "configure ssh properly" usually entail? Are these some
> > defaults we can change or offer as follow-on questions if people answer
> > "Yes" to this dialog? (Yes, I fully realise that will very likely result
> > in a net loss in usability on account of more questions asked, just
> > trying to get something constructive out of this thread)
>
> I think this highly depends on the environment the server is set up in,
> and is beyond the scope of the installer, but typically one or more of
> the following:
>
> - Limit ssh to a specific network interface
> - Disable password authentication and copy over keys
> - Configure AllowUsers and/or AllowGroups
> - Disable DebianBanner
> - Configure a firewall to limit connections from specific IPs and enable
>   rate limiting
> - Configure tcpwrappers to limit connections from specific IPs
> - Install fail2ban or denyhosts
> - Add server to corporate IPS ssh-monitored host group
> - etc.
>
> SSH password brute-forcing has been on the SANS Top 20 vulnerability
> list for the past 10 years or so.
Where do we document this for our users so they can take appropriate actions?

Scott K

-- 
ubuntu-devel mailing list
ubuntu-devel@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
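A way to check the items from Marc's list that live inside sshd_config itself, as an added example that is not code from the thread or from Ubuntu: a small POSIX sh audit that reads a config the way sshd does (first occurrence of a keyword wins, anything after a Match line is not global, per sshd_config(5)) and reports which of ListenAddress, PasswordAuthentication, AllowUsers/AllowGroups and DebianBanner are still at their defaults. The firewall, tcpwrappers, fail2ban and IPS items are outside the file and are not checked. The three sample configs, the group name sshusers, the user names and the address 192.0.2.10 are constructed for the demo; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread or from Ubuntu): audit an sshd_config
# against the hardening items that are set in that file.

# effective_value FILE KEYWORD
# Prints the value sshd would use for KEYWORD (lower-cased), or nothing if unset.
# sshd_config(5): the first occurrence of a keyword wins, and directives after a
# Match line apply only to that block, so reading stops at "Match".
effective_value() {
    awk -v key="$2" -F '[ \t=]+' '
        { sub(/^[ \t]+/, "") }                              # tolerate indented lines
        /^#/ || NF == 0 { next }                            # comments and blank lines
        tolower($1) == "match" { exit }                     # end of the global section
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# audit_sshd_config FILE
# Prints one line per weakness found; prints nothing for a hardened file.
audit_sshd_config() {
    f=$1
    # Limit ssh to a specific interface: without ListenAddress sshd binds everywhere
    [ -n "$(effective_value "$f" ListenAddress)" ] ||
        echo "ListenAddress unset: sshd listens on every interface"
    # Disable password authentication (sshd default is yes)
    pa=$(effective_value "$f" PasswordAuthentication)
    [ "${pa:-yes}" = "no" ] ||
        echo "PasswordAuthentication is '${pa:-yes}': set it to no and use keys"
    # Restrict which accounts may log in at all
    [ -n "$(effective_value "$f" AllowUsers)$(effective_value "$f" AllowGroups)" ] ||
        echo "neither AllowUsers nor AllowGroups set: no account restriction"
    # The Debian/Ubuntu build appends the distro version to the banner by default
    db=$(effective_value "$f" DebianBanner)
    [ "${db:-yes}" = "no" ] ||
        echo "DebianBanner is '${db:-yes}': set it to no"
    return 0
}

# count_findings FILE -> number of findings (awk always exits 0)
count_findings() {
    audit_sshd_config "$1" | awk 'END { print NR }'
}

# Constructed sample configs, written to a temp dir so the script runs offline.
TMP=$(mktemp -d)
WEAK=$TMP/weak.conf   # stock-like file: everything at its default
HARD=$TMP/hard.conf   # the thread's list applied
DUP=$TMP/dup.conf     # common mistake: the fix appended below the original line

cat >"$WEAK" <<'EOF'
# constructed sample: stock-like sshd_config
Port 22
#PasswordAuthentication no
UsePAM yes
EOF

cat >"$HARD" <<'EOF'
# constructed sample: hardened per the list in the thread
ListenAddress 192.0.2.10
PasswordAuthentication no
AllowGroups sshusers
DebianBanner no
EOF

cat >"$DUP" <<'EOF'
# constructed sample: "PasswordAuthentication no" appended at the end is ignored
ListenAddress 192.0.2.10
AllowUsers admin
DebianBanner no
PasswordAuthentication yes
PasswordAuthentication no
EOF

for f in "$WEAK" "$HARD" "$DUP"; do
    echo "== $(basename "$f"): $(count_findings "$f") finding(s)"
    audit_sshd_config "$f"
done
```

The dup.conf case is the one worth remembering: appending `PasswordAuthentication no` to the bottom of a file that already says `yes` higher up changes nothing, because sshd keeps the first value it reads. Run the audit against `/etc/ssh/sshd_config` (as root, since the file is not world-readable on recent releases) before plugging the server back in, as Marc describes.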