Re: How can I secure a Debian installation?
On 01/28/2014 03:57 AM, Brian wrote:
> On Mon 27 Jan 2014 at 20:24:42 -0800, Jon Danniken wrote:
>
>> I recently came across a posting by an individual who got his
>> Debian machine compromised due to a number of security problems, one of
>> which was the default installation and running of sshd with
>> "PermitRootLogin =
>> Yes". in /etc/ssh/sshd_config.
>
> These types of posts are not unusual; what they all generally have in
> common is a lack of detail and any evidence that "PermitRootLogin = Yes"
> in itself is the cause. Having introduced a FUD factor it is now easier
> to promote alternatives without having to justify them.
>
>> So I checked the Debian installation that I put on my laptop a month ago
>> (from the Wheezy net install CD), and sure enough I had the same
>> vulnerability
>
> "PermitRootLogin = Yes" is upstream's (and Debian's) default setting; it
> is not an insecure one. You could introduce an insecurity by using
> "password1" as the root password.
>
>> (I fixed it by changing the "PermitRootLogin" value).
>
> If you have a strong password for the root login you wouldn't have fixed
> anything.
Thanks Brian, I ended up removing openssh-server, as it was not
something I needed; it was automatically installed and set up to run as
a "feature" of the live CD I used to install Debian with (installed as
part of the "live-tools" package). Fortunately I came across the posting
that alerted me to this, and have removed it from both of my machines.
If I end up using openssh in the future I will definitely use a private
key, though.
Jon
Reply to: