[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: is it rational to close the 139 port

On Sun, 22 Jul 2012, Brian wrote:
> The ssh and webserver daemons are available on the network. Presumably
> this is what you want. Their security will depend on how you have
> configured them. Debian sshd can be run safely with the default install.

Sort of.  The recommended "almost worry-free" configuration for SSH nowadays
is to have it refuse any sort of password-based autentication, and accept
only key-based authentication (and token-based if you use kerberos or MS
AD), *restricted* to the set of users that indeed are allowed to ssh to the
box[1] and no root logins.  Depending on the situation, you also have to
restrict port forwarding and agents forwarding even for authorized users.

Unfortunately, that's not something easy to automate in the general case,
and any compromise we take will generate a lot of complains, so we ship a
*reasonably safe* default... but last I checked, they're safe only if you
don't ever set any easily brute-forceable passwords, etc.

If you never need to SSH into the box, remove openssh-server.

[1] AllowUsers foo bar.  And root must never be one of them :p

  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh

Reply to: