Post subject: 2008-02 clean install .... ssh may have issues?
Posted: Aug 22, 2008 - 07:59 AM
Joined: Apr 15, 2008
Posts: 129
Location: Australia
Status: Offline
Hi
I am a sidux and Debian newbie. I am starting to think of putting a tiger wiki up for perusal. On doing a clean install of KDE full erebos 2008-02 I noticed that the installer took only 5 minutes to complete......well done.
During that process, it asked me if I wanted cups and ssh. I am one who does not need ssh so left it unticked.
2) However, in running tiger it reported there were some issues with ssh config.
Here is the raw report for perusal.
tiger report
http://h1.ripway.com/aus9/sidux/tiger-clean.txt
Default ssh config on a clean install
http://h1.ripway.com/aus9/sidux/sshd_config.txt
It appears that the main issue is your setting allows root logins.
There are of course other suggestions that include using
firewall rules to ban ips and installing denyhosts or fail2ban
I am fully aware that your manual recommends that people have a well configured router firewall and/or a system firewall....and that your ISP may block this port in any case.
FYI
3) Premature as it is still under construction, so will prolly change lots...I submit my wiki text to suggest I am not being completely negative in my comments
http://h1.ripway.com/aus9/sidux/wiki-tiger.txt
cheerio

Post subject: RE: 2008-02 clean install .... ssh may have issues?
Posted: Aug 22, 2008 - 08:18 AM
Team Member
Joined: Nov 24, 2006
Posts: 2008
Location: w3
Status: Offline
An open port 22 cannot be used without an SSH server running on the target machine - so you are safe. The Tiger report simply suggests closing unused ports, which is good practice, but not urgently necessary from a security point of view. Much more important is not to run servers you do not need/control.
Every simple router today comes with a usable hardware firewall, which should be enough security for our average desktop users. Server users however should really know what they do, otherwise they should not run a server. The 2 tools you mention (denyhosts and fail2ban) are both ok, but need deep understanding of server administration, fine tuned configuration, and ongoing maintenance. They are definitely nothing you simply apt-get install && forget.
Forbidding root login via SSH is usual practice and good advice, though.
Greetings,
Chris
_________________ 64bit stuff for sidux
development is life - code.zikula.org
an operating system must operate - sidux.com

Post subject:
Posted: Aug 22, 2008 - 11:28 AM
Joined: Apr 15, 2008
Posts: 129
Location: Australia
Status: Offline
Chris
Thank you for your expansive and quick reply. Maybe I need to be blunter?
I am suggesting the current sidux config for sshd has
PermitRootLogin yes
and you appear to agree it should be set to no
So I am suggesting that apart from all of the other stuff you distro gurus have to consider when building the next release, someone change that default?
cheerio
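The check aus9 is describing, written out as an added example (not code from the thread, the sidux project or the tiger package): a small Python audit that reads an sshd_config the way sshd does, taking the first occurrence of a keyword as the effective value and stopping at the first Match block, then reports whether root logins are permitted. The two configuration texts are constructed for the example and are not copies of the linked sidux files; the PasswordAuthentication check is an addition beyond what the thread discusses.

```python
import re

# Constructed sample resembling the permissive default the thread complains about
# (not a copy of the sidux or Debian file).
PERMISSIVE_CONFIG = """\
# Package generated configuration file
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
Subsystem sftp /usr/lib/openssh/sftp-server
"""

# Constructed sample of the hardened counterpart.
HARDENED_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
"""

# Keyword, then either whitespace or an optional-whitespace '=' before the value;
# sshd_config accepts both separators.
_DIRECTIVE = re.compile(r"^([A-Za-z0-9]+)(?:\s*=\s*|\s+)(\S.*?)\s*$")


def effective_directives(config_text):
    """Map lower-cased keyword -> value for the global section of an sshd_config.

    Mirrors two sshd parsing rules: the first obtained value for a keyword wins,
    and directives after the first 'Match' line apply only conditionally, so the
    global scan stops there.  Lines whose first non-blank character is '#' are
    comments, as in sshd.
    """
    result = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            continue  # keyword without a value; sshd would reject it, we skip it
        keyword, value = m.group(1).lower(), m.group(2)
        if keyword == "match":
            break
        result.setdefault(keyword, value)
    return result


def audit_sshd_config(config_text, default_permit_root="yes"):
    """Return a list of finding strings (an empty list means nothing to report).

    default_permit_root is what sshd assumes when PermitRootLogin is absent:
    'yes' for OpenSSH releases of the thread's era, 'prohibit-password' since
    OpenSSH 7.0.  The caller passes the value for the sshd version in use.
    """
    d = effective_directives(config_text)
    findings = []
    if d.get("permitrootlogin", default_permit_root).lower() == "yes":
        findings.append("PermitRootLogin yes: root can authenticate directly over SSH")
    if d.get("passwordauthentication", "yes").lower() == "yes":
        findings.append("PasswordAuthentication yes: accounts are exposed to password guessing")
    return findings


if __name__ == "__main__":
    for name, text in (("permissive", PERMISSIVE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_sshd_config(text) or ['no findings']}")
```

On a live host the same question is answered without parsing the file: `sshd -T` (OpenSSH 5.1 and later) prints the effective configuration, so `sshd -T | grep -i permitrootlogin` shows what the running daemon actually applies, including the default when the keyword is commented out.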

Post subject:
Posted: Aug 22, 2008 - 11:57 AM
Joined: Dec 19, 2006
Posts: 1030
Status: Offline
sidux tries to modify the defaults inherited from Debian _as_little_as_possible_, therefore this request could be tendered as a wishlist bug against the openssh-server package provided by the Debian maintainer (though I suspect this may have been done before, so check the BTS).

Post subject:
Posted: Aug 22, 2008 - 01:49 PM
Joined: Apr 15, 2008
Posts: 129
Location: Australia
Status: Offline
kelmo
That's handy to know. I shall slink off and do some more typing.
cheerio