SSH and the Ubuntu Server
Scott Kitterman
ubuntu at kitterman.com
Fri Nov 19 18:06:25 UTC 2010
On Friday, November 19, 2010 12:40:17 pm Marc Deslauriers wrote:
> On Fri, 2010-11-19 at 17:05 +0100, Soren Hansen wrote:
> > On 18-11-2010 16:49, Marc Deslauriers wrote:
> > > I want the person installing the server to actually make the choice
> > > to install ssh in order to realize that doing so may have
> > > consequences. ie: "Oh wait, If I install ssh now, I should unplug the
> > > server from the network and configure ssh properly before hooking it
> > > back up..."
> >
> > What does "configure ssh properly" usually entail? Are these some
> > defaults we can change or offer as follow-on questions if people answer
> > "Yes" to this dialog? (Yes, I fully realise that will very likely result
> > in a net loss in usability on account of more questions asked, just
> > trying to get something constructive out of this thread)
>
> I think this highly depends on the environment the server is set up in,
> and is beyond the scope of the installer, but typically one or more of
> the following:
>
> - Limit ssh to a specific network interface
> - Disable password authentication and copy over keys
> - Configure AllowUsers and/or AllowGroups
> - Disable DebianBanner
> - Configure a firewall to limit connections from specific IPs and enable
> rate limiting
> - Configure tcpwrappers to limit connections from specific IPs
> - Install fail2ban or denyhosts
> - Add server to corporate IPS ssh-monitored host group
> - etc.
>
> SSH password brute-forcing has been on the SANS Top 20 vulnerability
> list for the past 10 years or so.
Where do we document this for our users so they can take appropriate actions?
Scott K
More information about the ubuntu-server
mailing list