On Fri, 2010-11-19 at 13:06 -0500, Scott Kitterman wrote:
> On Friday, November 19, 2010 12:40:17 pm Marc Deslauriers wrote:
> > On Fri, 2010-11-19 at 17:05 +0100, Soren Hansen wrote:
> > > On 18-11-2010 16:49, Marc Deslauriers wrote:
> > > > I want the person installing the server to actually make the choice
> > > > to install ssh in order to realize that doing so may have
> > > > consequences. i.e.: "Oh wait, if I install ssh now, I should unplug the
> > > > server from the network and configure ssh properly before hooking it
> > > > back up..."
> > >
> > > What does "configure ssh properly" usually entail? Are these some
> > > defaults we can change or offer as follow-on questions if people answer
> > > "Yes" to this dialog? (Yes, I fully realise that will very likely result
> > > in a net loss in usability on account of more questions asked, just
> > > trying to get something constructive out of this thread)
> >
> > I think this highly depends on the environment the server is set up in,
> > and is beyond the scope of the installer, but typically one or more of
> > the following:
> >
> > - Limit ssh to a specific network interface
> > - Disable password authentication and copy over keys
> > - Configure AllowUsers and/or AllowGroups
> > - Disable DebianBanner
> > - Configure a firewall to limit connections from specific IPs and enable
> >   rate limiting
> > - Configure tcpwrappers to limit connections from specific IPs
> > - Install fail2ban or denyhosts
> > - Add server to corporate IPS ssh-monitored host group
> > - etc.
> >
> > SSH password brute-forcing has been on the SANS Top 20 vulnerability
> > list for the past 10 years or so.
>
> Where do we document this for our users so they can take appropriate actions?

Same place we document everything else: in our wiki and on help.ubuntu.com.

https://help.ubuntu.com/community/SSH
https://help.ubuntu.com/community/SSH/OpenSSH/Configuring

Marc.

--
ubuntu-devel mailing list
[email protected]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
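The four sshd_config items in the list quoted above (ListenAddress, PasswordAuthentication, AllowUsers/AllowGroups, DebianBanner) can be audited with a small script. This is an added example, not code from the thread or from Ubuntu; it assumes an OpenSSH sshd_config where the first occurrence of a keyword wins and settings after a `Match` block are conditional, and it uses constructed sample configs.

```shell
#!/bin/sh
# Added audit helper (not from the thread): report which of the sshd_config
# hardening points from the list are missing. DebianBanner is an option of the
# Debian/Ubuntu OpenSSH build; assumption: that is the sshd being audited.

# sshd_opt FILE KEYWORD: print the effective global value of KEYWORD.
# sshd takes the first occurrence; keywords are case-insensitive; stop at Match.
sshd_opt() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*(#|$)/          { next }
        tolower($1) == "match"  { exit }
        tolower($1) == key      { print $2; exit }
    ' "$1"
}

# check_sshd_config FILE: print one line per finding, return the finding count.
check_sshd_config() {
    cfg="$1"; n=0
    # Password auth is on by default, which is what brute-forcing relies on.
    [ "$(sshd_opt "$cfg" PasswordAuthentication | tr 'A-Z' 'a-z')" = no ] \
        || { echo "PasswordAuthentication is not 'no'"; n=$((n+1)); }
    # Without ListenAddress sshd binds every interface.
    [ -n "$(sshd_opt "$cfg" ListenAddress)" ] \
        || { echo "no ListenAddress: sshd listens on all interfaces"; n=$((n+1)); }
    # Neither AllowUsers nor AllowGroups: every local account may log in.
    [ -n "$(sshd_opt "$cfg" AllowUsers)$(sshd_opt "$cfg" AllowGroups)" ] \
        || { echo "no AllowUsers/AllowGroups restriction"; n=$((n+1)); }
    # Debian/Ubuntu builds append the package version to the banner.
    [ "$(sshd_opt "$cfg" DebianBanner | tr 'A-Z' 'a-z')" = no ] \
        || { echo "DebianBanner is not 'no' (banner leaks patch level)"; n=$((n+1)); }
    return "$n"
}

# Constructed samples: one with nothing from the list applied (the commented
# line is how a stock file looks), one with all four applied plus a Match block.
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT
printf 'Port 22\n#PasswordAuthentication yes\n' >"$WEAK_CFG"
cat >"$HARD_CFG" <<'EOF'
Port 22
ListenAddress 10.0.0.5
PasswordAuthentication no
AllowGroups sshusers
DebianBanner no
Match User backup
    PasswordAuthentication yes
EOF
check_sshd_config "$WEAK_CFG" || echo "weak config: $? finding(s)"
check_sshd_config "$HARD_CFG" && echo "hardened config: no findings"
```

The firewall, tcpwrappers and fail2ban items are outside sshd_config and are not covered by this check.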
