Re: is it rational to close the 139 port
On Sun 22 Jul 2012 at 11:09:26 -0300, Henrique de Moraes Holschuh wrote:

> On Sun, 22 Jul 2012, Brian wrote:
> > The ssh and webserver daemons are available on the network. Presumably
> > this is what you want. Their security will depend on how you have
> > configured them. Debian sshd can be run safely with the default install.
> 
> Sort of.  The recommended "almost worry-free" configuration for SSH nowadays
> is to have it refuse any sort of password-based authentication, and accept
> only key-based authentication (and token-based if you use kerberos or MS
> AD), *restricted* to the set of users that indeed are allowed to ssh to the
> box[1] and no root logins.  Depending on the situation, you also have to
> restrict port forwarding and agent forwarding even for authorized users.
> 
> Unfortunately, that's not something easy to automate in the general case,
> and any compromise we take will generate a lot of complaints, so we ship a
> *reasonably safe* default... but last I checked, they're safe only if you
> don't ever set any easily brute-forceable passwords, etc.

No default configuration file will ever suit everyone or fit their
needs, but the Debian sshd_config doesn't seem to me to have any
insecure aspects to it. A strong password goes without saying, as does a
strong passphrase for key-based authentication, but there may be extra
considerations which influence the choice of one method over the other.

I'm with the Debian maintainer regarding logging in as root and have
never grasped why if a key is good enough for a user it should be less
secure for root.
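A check for the settings Henrique lists, as an added example that is not from the thread: a POSIX shell audit of an sshd_config against those points (key-only authentication, no root login, an explicit user allow-list, forwarding restricted), run on two constructed sample files. It assumes whitespace-separated "Keyword value" syntax, checks only the global section (parsing stops at the first Match block), and reports an option that is not set explicitly instead of guessing a version-specific compiled-in default.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for the settings
# discussed above. Assumptions: "Key value" syntax (no "Key=value"), global
# section only (stops at the first Match block), unset options are findings.

# sshd_first_value FILE KEYWORD: first value for KEYWORD, since sshd(8) uses
# the first obtained value per keyword; keyword names are case-insensitive.
sshd_first_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }           # comment line
        NF == 0 { next }                    # blank line
        tolower($1) == "match" { exit }     # Match blocks are out of scope
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# audit_sshd_config FILE: print one line per deviation and return the number
# of findings (exit status 0 means every check passed).
audit_sshd_config() {
    n=0
    for pair in PasswordAuthentication:no ChallengeResponseAuthentication:no \
                PermitRootLogin:no AllowTcpForwarding:no AllowAgentForwarding:no; do
        key=${pair%%:*}; want=${pair#*:}
        got=$(sshd_first_value "$1" "$key")
        if [ -z "$got" ]; then
            echo "$key not set explicitly (want $want)"; n=$((n + 1))
        elif [ "$got" != "$want" ]; then
            echo "$key is $got (want $want)"; n=$((n + 1))
        fi
    done
    # "restricted to the set of users that are allowed": require an allow-list
    if [ -z "$(sshd_first_value "$1" AllowUsers)$(sshd_first_value "$1" AllowGroups)" ]; then
        echo "no AllowUsers/AllowGroups allow-list"; n=$((n + 1))
    fi
    return "$n"
}

# Constructed sample configs: a permissive one and a hardened one.
SAMPLE_DIR=$(mktemp -d)
printf '%s\n' '# permissive' 'PermitRootLogin yes' 'PasswordAuthentication yes' \
    > "$SAMPLE_DIR/loose"
printf '%s\n' 'PasswordAuthentication no' 'ChallengeResponseAuthentication no' \
    'PermitRootLogin no' 'AllowUsers alice bob' 'AllowTcpForwarding no' \
    'AllowAgentForwarding no' 'Match User alice' '    AllowTcpForwarding yes' \
    > "$SAMPLE_DIR/hardened"

for f in loose hardened; do
    echo "== $f"; audit_sshd_config "$SAMPLE_DIR/$f" && echo "all checks passed"
done
```

Point audit_sshd_config at /etc/ssh/sshd_config to review a real host; ChallengeResponseAuthentication is included because keyboard-interactive logins are still a password path when PAM is in use.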
