Re: Limiting attack surface for Debian sshd
- To: debian-user@lists.debian.org
- Subject: Re: Limiting attack surface for Debian sshd
- From: Andy Smith <andy@strugglers.net>
- Date: Fri, 11 Apr 2025 19:59:40 +0000
- Message-id: <Z/l0rHF84CapBU5R@mail.bitfolk.com>
- In-reply-to: <Z/lbflFSAPGvvIeG@alphanet.ch>
- References: <Z/lbflFSAPGvvIeG@alphanet.ch>
Hi,
On Fri, Apr 11, 2025 at 08:12:14PM +0200, Marc SCHAEFER wrote:
> systemd dependencies that are activated on a Debian system imply a lot
> of library injections into sshd, much more than the stock OpenBSD ssh.
>
> To avoid this, there seem to be two approaches:
>
> - remove those dependencies (see below)
>
> - confine the impact of those dependencies, as proposed
> by some developers, in having those dependencies confined
> (not examined here)
>
> To solve this, I could use a Bastion host with a limited, non Debian,
> OS, or I could recompile the OpenSSH package on Debian with options
> disabled.
[…]
> What do you think about this approach?
I think you're wasting your time and should not have sshd listen on the
public Internet at all, instead VPN in to your network and only have
sshd available on the inside.
Thanks,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting
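Andy's advice is to keep sshd off the public Internet and reach it only over a VPN. The script below is an added example, not part of this thread and not OpenSSH's or Debian's own code: it audits the ListenAddress directives in an sshd_config and reports whether sshd would bind to every interface (which is what OpenSSH does when no ListenAddress is set, as in the Debian default file) or only to a specific address such as that of a VPN interface. The two sample configs are constructed inline, and the address 10.8.0.1 is an assumed WireGuard-style tunnel address.

```shell
#!/bin/sh
# Added example (not from the thread): report whether an sshd_config binds
# sshd to every interface or only to specific addresses.

# Print "all-interfaces" when the config has no ListenAddress, or when any
# ListenAddress is the IPv4 or IPv6 wildcard; otherwise print "restricted".
# Accepts the forms OpenSSH uses: addr, addr:port and [addr]:port, with
# keywords matched case-insensitively (so `sshd -T` output also parses).
sshd_listen_scope() {
    config="$1"
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blank lines
        tolower($1) == "listenaddress" {
            seen = 1
            addr = $2
            if (addr ~ /^\[/) {                   # [ipv6]:port form
                sub(/^\[/, "", addr); sub(/\].*$/, "", addr)
            } else if (addr ~ /^[0-9.]+:[0-9]+$/) {   # ipv4:port form
                sub(/:[0-9]+$/, "", addr)
            }
            if (addr == "0.0.0.0" || addr == "::") wildcard = 1
        }
        END {
            if (!seen || wildcard) print "all-interfaces"
            else print "restricted"
        }
    ' "$config"
}

# Constructed sample resembling the stock Debian file: ListenAddress is only
# present as a comment, so sshd listens on every address.
make_sample_default() {
    cat > "$1" <<'EOF'
Include /etc/ssh/sshd_config.d/*.conf
#ListenAddress 0.0.0.0
KbdInteractiveAuthentication no
UsePAM yes
EOF
}

# Constructed sample with sshd bound only to an assumed VPN tunnel address
# (10.8.0.1), so the daemon is not reachable from the public Internet.
make_sample_vpn_only() {
    cat > "$1" <<'EOF'
ListenAddress 10.8.0.1
PasswordAuthentication no
UsePAM yes
EOF
}

# Stand-alone use: audit the file given as the first argument, or, with no
# argument, run the two constructed samples to show both outcomes.
if [ -n "${1:-}" ]; then
    sshd_listen_scope "$1"
else
    tmp_default=$(mktemp); make_sample_default "$tmp_default"
    tmp_vpn=$(mktemp);     make_sample_vpn_only "$tmp_vpn"
    echo "debian-default: $(sshd_listen_scope "$tmp_default")"
    echo "vpn-only:       $(sshd_listen_scope "$tmp_vpn")"
    rm -f "$tmp_default" "$tmp_vpn"
fi
```

Two caveats for real use. The script reads only the file it is given and does not follow `Include` or evaluate `Match` blocks, so to audit the effective configuration run it over the output of `sshd -T` (which needs root to read the host keys); there the directive appears as, for example, `listenaddress 0.0.0.0:22`. And binding sshd to the VPN address alone is not a firewall: a packet filter rule that drops port 22 on the public interface belongs alongside it, so that a later config change or a second listener does not silently re-expose the daemon.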