[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: is it rational to close the 139 port

On Sun, Jul 22, 2012 at 10:09 PM, Henrique de Moraes Holschuh
<hmh@debian.org> wrote:
> On Sun, 22 Jul 2012, Brian wrote:
>> The ssh and webserver daemons are available on the network. Presumably
>> this is what you want. Their security will depend on how you have
>> configured them. Debian sshd can be run safely with the default install.
>
> Sort of.  The recommended "almost worry-free" configuration for SSH nowadays
> is to have it refuse any sort of password-based autentication, and accept
> only key-based authentication (and token-based if you use kerberos or MS
> AD), *restricted* to the set of users that indeed are allowed to ssh to the
> box[1] and no root logins.  Depending on the situation, you also have to
> restrict port forwarding and agents forwarding even for authorized users.

Thank you, this is very helpful, I have never realized that.

All mine server ForwardAgent was set to yes.

Another thing I am a little concern,

I can ssh from remote server back to laptop without password.

but on the remote server, actually someone who has root privilege can
easily su lina and ssh to my laptop (sorry to assume like that, we
have a great system administrators in those servers).

my concern is that it's a good idea to put the public keys from remote
servers into my authorized_keys, just for scp convenience?
Thanks with best regards,
>
> Unfortunately, that's not something easy to automate in the general case,
> and any compromise we take will generate a lot of complains, so we ship a
> *reasonably safe* default... but last I checked, they're safe only if you
> don't ever set any easily brute-forceable passwords, etc.
>
> If you never need to SSH into the box, remove openssh-server.
>
> [1] AllowUsers foo bar.  And root must never be one of them :p
>
> --
>   "One disk to rule them all, One disk to find them. One disk to bring
>   them all and in the darkness grind them. In the Land of Redmond
>   where the shadows lie." -- The Silicon Valley Tarot
>   Henrique Holschuh
>
>
> --
> To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> Archive: [🔎] 20120722140926.GC6174@khazad-dum.debian.net">http://lists.debian.org/[🔎] 20120722140926.GC6174@khazad-dum.debian.net
>
Reply to: