SSH and the Ubuntu Server

Marc Deslauriers marc.deslauriers at canonical.com
Fri Nov 19 16:30:05 GMT 2010


On Fri, 2010-11-19 at 17:05 +0100, Soren Hansen wrote:
> On 18-11-2010 16:49, Marc Deslauriers wrote: 
> > I want the person installing the server to actually make the choice
> > to install ssh in order to realize that doing so may have
> > consequences, i.e.: "Oh wait, if I install ssh now, I should unplug the
> > server from the network and configure ssh properly before hooking it
> > back up..."
> 
> What does "configure ssh properly" usually entail? Are these some
> defaults we can change or offer as follow-on questions if people answer
> "Yes" to this dialog? (Yes, I fully realise that will very likely result
> in a net loss in usability on account of more questions asked, just
> trying to get something constructive out of this thread)
> 

I think this highly depends on the environment the server is set up in,
and is beyond the scope of the installer, but typically one or more of
the following:

- Limit ssh to a specific network interface
- Disable password authentication and copy over keys
- Configure AllowUsers and/or AllowGroups
- Disable DebianBanner
- Configure a firewall to limit connections from specific IPs and enable
rate limiting
- Configure tcpwrappers to limit connections from specific IPs
- Install fail2ban or denyhosts
- Add server to corporate IPS ssh-monitored host group
- etc.

SSH password brute-forcing has been on the SANS Top 20 vulnerability
list for the past 10 years or so.

Marc.
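The sshd-side items in the checklist above (interface binding, no password authentication, AllowUsers/AllowGroups, DebianBanner) can be checked mechanically before the server goes back on the network. The script below is an added example, not code from the thread or from Ubuntu; the function names, temp-file handling and the two sample sshd_config files are constructed for illustration. It reads only the global section of the config, since sshd takes the first occurrence of a keyword and applies anything after a "Match" line conditionally. The firewall, tcpwrappers, fail2ban and IPS items live outside sshd_config and are not covered.

```shell
#!/bin/sh
# Added example (not from the ubuntu-devel thread): audit an sshd_config
# against the sshd-side items of the checklist. The sample configs below
# are constructed; the function and variable names are this example's own.

# Effective value of one keyword in the GLOBAL section of an sshd_config.
# sshd uses the first occurrence of a keyword, ignores '#' comments, and
# treats everything after a "Match" line as conditional, so we stop there.
# Prints nothing when the keyword is unset (i.e. sshd's default applies).
sshd_opt() {
    awk -v key="$2" '
        /^[ \t]*#/ || /^[ \t]*$/       { next }
        tolower($1) == "match"          { exit }
        tolower($1) == tolower(key)     { print $2; exit }
    ' "$1"
}

# Print one line per finding for the sshd_config given as $1.
audit_sshd_config() {
    cfg=$1

    # "Disable password authentication and copy over keys" (default is yes)
    v=$(sshd_opt "$cfg" PasswordAuthentication)
    [ "$v" = "no" ] ||
        echo "PasswordAuthentication is '${v:-yes (default)}'; set it to no once keys are in place"

    # "Limit ssh to a specific network interface" (default binds everywhere)
    v=$(sshd_opt "$cfg" ListenAddress)
    case "$v" in
        ""|0.0.0.0|0.0.0.0:*|::|"[::]"*)
            echo "ListenAddress is '${v:-all interfaces (default)}'; bind sshd to one address" ;;
    esac

    # "Configure AllowUsers and/or AllowGroups"
    if [ -z "$(sshd_opt "$cfg" AllowUsers)" ] && [ -z "$(sshd_opt "$cfg" AllowGroups)" ]; then
        echo "Neither AllowUsers nor AllowGroups is set; any local account may attempt to log in"
    fi

    # "Disable DebianBanner": Debian/Ubuntu-specific keyword that stops sshd
    # advertising the package version string in its protocol banner
    v=$(sshd_opt "$cfg" DebianBanner)
    [ "$v" = "no" ] ||
        echo "DebianBanner is '${v:-yes (default)}'; set it to no"
}

# Number of findings, for use in scripts (0 means every checked item passed).
count_findings() {
    audit_sshd_config "$1" | awk 'END { print NR }'
}

# --- constructed sample configs ------------------------------------------
WEAK_CFG=$(mktemp) && HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT

cat >"$WEAK_CFG" <<'EOF'
# Fresh install: nothing hardened; the one relevant line is commented out
Port 22
#PasswordAuthentication no
UsePAM yes
EOF

cat >"$HARD_CFG" <<'EOF'
# Same host after the checklist. The Match block re-enables passwords for
# one account only and must not be mistaken for the global setting.
ListenAddress 10.0.0.5
PasswordAuthentication no
AllowGroups sshusers
DebianBanner no
Match User backup
    PasswordAuthentication yes
EOF

echo "== weak config: $(count_findings "$WEAK_CFG") finding(s) =="
audit_sshd_config "$WEAK_CFG"
echo "== hardened config: $(count_findings "$HARD_CFG") finding(s) =="
audit_sshd_config "$HARD_CFG"
```

Run it against /etc/ssh/sshd_config before reconnecting the machine; a non-zero count from count_findings is a reason to keep the cable unplugged. The parser is deliberately conservative: it does not follow Include directives or the "Keyword=value" form, so a configuration split across several files still needs `sshd -T` for the authoritative effective values.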
