SSH and the Ubuntu Server
Marc Deslauriers
marc.deslauriers at canonical.com
Fri Nov 19 18:22:14 UTC 2010
On Fri, 2010-11-19 at 13:06 -0500, Scott Kitterman wrote:
> On Friday, November 19, 2010 12:40:17 pm Marc Deslauriers wrote:
> > On Fri, 2010-11-19 at 17:05 +0100, Soren Hansen wrote:
> > > On 18-11-2010 16:49, Marc Deslauriers wrote:
> > > > I want the person installing the server to actually make the choice
> > > > to install ssh in order to realize that doing so may have
> > > > consequences. i.e.: "Oh wait, if I install ssh now, I should unplug the
> > > > server from the network and configure ssh properly before hooking it
> > > > back up..."
> > >
> > > What does "configure ssh properly" usually entail? Are these some
> > > defaults we can change or offer as follow-on questions if people answer
> > > "Yes" to this dialog? (Yes, I fully realise that will very likely result
> > > in a net loss in usability on account of more questions asked, just
> > > trying to get something constructive out of this thread)
> >
> > I think this highly depends on the environment the server is set up in,
> > and is beyond the scope of the installer, but typically one or more of
> > the following:
> >
> > - Limit ssh to a specific network interface
> > - Disable password authentication and copy over keys
> > - Configure AllowUsers and/or AllowGroups
> > - Disable DebianBanner
> > - Configure a firewall to limit connections from specific IPs and enable
> >   rate limiting
> > - Configure tcpwrappers to limit connections from specific IPs
> > - Install fail2ban or denyhosts
> > - Add server to corporate IPS ssh-monitored host group
> > - etc.
> >
> > SSH password brute-forcing has been on the SANS Top 20 vulnerability
> > list for the past 10 years or so.
>
> Where do we document this for our users so they can take appropriate actions?

Same place we document everything else: in our wiki and on
help.ubuntu.com.

https://help.ubuntu.com/community/SSH
https://help.ubuntu.com/community/SSH/OpenSSH/Configuring

Marc.
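
The sshd_config items in the list quoted above (ListenAddress, PasswordAuthentication, AllowUsers/AllowGroups, DebianBanner) can be checked mechanically. The following is an added example, not part of the original message: the function names and sample configs are constructed, and it covers only the sshd-level settings, not the firewall, tcpwrappers or fail2ban items.

```python
# Added example: audit sshd_config text for the sshd-level items listed above.
# All names and sample configs are constructed for illustration.
DEFAULTS = {"passwordauthentication": "yes", "debianbanner": "yes"}
WILDCARDS = ("0.0.0.0", "::", "[::]")

def parse_global(text):
    """Map lowercased keyword -> list of values, stopping at the first Match
    block (Match settings are conditional). Include files are not followed."""
    opts = {}
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        key = parts[0].lower()          # keywords are case-insensitive
        if key == "match":
            break
        opts.setdefault(key, []).append(parts[1].strip() if len(parts) > 1 else "")
    return opts

def is_wildcard(addr):
    return addr in WILDCARDS or addr.startswith(("0.0.0.0:", "[::]:"))

def audit(text):
    """Return the names of the listed directives still at permissive values."""
    opts = parse_global(text)
    # sshd uses the first value it reads for a keyword; fall back to defaults.
    first = lambda k: opts.get(k, [DEFAULTS[k]])[0].lower()
    findings = []
    listen = opts.get("listenaddress", [])
    if not listen or any(is_wildcard(a) for a in listen):
        findings.append("ListenAddress")            # bound to every interface
    if first("passwordauthentication") != "no":
        findings.append("PasswordAuthentication")   # passwords can be guessed
    if "allowusers" not in opts and "allowgroups" not in opts:
        findings.append("AllowUsers/AllowGroups")   # any account may log in
    if first("debianbanner") != "no":
        findings.append("DebianBanner")             # distro version suffix in banner
    return findings

WEAK = "Port 22\nPasswordAuthentication yes\nMatch User backup\n  PasswordAuthentication no\n"
HARDENED = ("ListenAddress 192.0.2.10\nPasswordAuthentication no\n"
            "AllowGroups sshusers\nDebianBanner no\n")

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(cfg) or "ok")
```

On a live host, the output of `sshd -T` (the effective configuration, defaults included) can be passed to `audit()` instead of the raw file, which avoids missing settings pulled in from other files.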