Re: is it rational to close the 139 port
On 22/07/12 16:09, Henrique de Moraes Holschuh wrote:
> On Sun, 22 Jul 2012, Brian wrote:
>> The ssh and webserver daemons are available on the network. Presumably
>> this is what you want. Their security will depend on how you have
>> configured them. Debian sshd can be run safely with the default install.
> Sort of. The recommended "almost worry-free" configuration for SSH nowadays
> is to have it refuse any sort of password-based autentication, and accept
> only key-based authentication (and token-based if you use kerberos or MS
> AD), *restricted* to the set of users that indeed are allowed to ssh to the
> box[1] and no root logins. Depending on the situation, you also have to
> restrict port forwarding and agents forwarding even for authorized users.
>
> Unfortunately, that's not something easy to automate in the general case,
> and any compromise we take will generate a lot of complains, so we ship a
> *reasonably safe* default... but last I checked, they're safe only if you
> don't ever set any easily brute-forceable passwords, etc.
>
> If you never need to SSH into the box, remove openssh-server.
>
> [1] AllowUsers foo bar. And root must never be one of them :p
>
Beware you must be sure to keep an access to the machine before applying
the restrictions, ie. if you're dealing
with a rented server (be it physical or virtual) in a datacenter far away...
This access might be through an out of band management connection (KVM,
Idrac, ILO, or something else), but you'd better check it works before
restraining ssh access.
Reply to: