Re: is it rational to close the 139 port



On Sun, Jul 22, 2012 at 10:09 PM, Henrique de Moraes Holschuh
<hmh@xxxxxxxxxx> wrote:
On Sun, 22 Jul 2012, Brian wrote:
The ssh and webserver daemons are available on the network. Presumably
this is what you want. Their security will depend on how you have
configured them. Debian sshd can be run safely with the default install.

Sort of. The recommended "almost worry-free" configuration for SSH nowadays
is to have it refuse any sort of password-based authentication, and accept
only key-based authentication (and token-based if you use kerberos or MS
AD), *restricted* to the set of users that indeed are allowed to ssh to the
box[1] and no root logins. Depending on the situation, you also have to
restrict port forwarding and agent forwarding even for authorized users.

Thank you, this is very helpful, I have never realized that.

All my servers had ForwardAgent set to yes.

Another thing I am a little concerned about:

I can ssh from the remote server back to my laptop without a password.

But on the remote server, someone who has root privilege can easily
su lina and ssh to my laptop (sorry to assume that; we have great
system administrators on those servers).

My concern is whether it's a good idea to put the public keys from the
remote servers into my authorized_keys just for scp convenience?
Thanks, with best regards,

Unfortunately, that's not something easy to automate in the general case,
and any compromise we take will generate a lot of complaints, so we ship a
*reasonably safe* default... but last I checked, they're safe only if you
don't ever set any easily brute-forceable passwords, etc.

If you never need to SSH into the box, remove openssh-server.

[1] AllowUsers foo bar. And root must never be one of them :p

--
"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness grind them. In the Land of Redmond
where the shadows lie." -- The Silicon Valley Tarot
Henrique Holschuh


--
To UNSUBSCRIBE, email to debian-user-REQUEST@xxxxxxxxxxxxxxxx
with a subject of "unsubscribe". Trouble? Contact listmaster@xxxxxxxxxxxxxxxx
Archive: http://lists.debian.org/20120722140926.GC6174@xxxxxxxxxxxxxxxxxxxxx



--
To UNSUBSCRIBE, email to debian-user-REQUEST@xxxxxxxxxxxxxxxx
with a subject of "unsubscribe". Trouble? Contact listmaster@xxxxxxxxxxxxxxxx
Archive: http://lists.debian.org/CAG9cJm=Cd2qZbw06BOiZ7YCDyxjfXx9CdaoGYd1DS-3deC4afg@xxxxxxxxxxxxxx
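As an added example, not code from the list post or from Debian's openssh-server packaging, here is a small POSIX sh audit that checks an sshd_config against the settings recommended in the thread: no password or keyboard-interactive authentication, key-based only, PermitRootLogin no, an AllowUsers list that does not contain root, and TCP and agent forwarding switched off. It assumes the OpenSSH keyword names and their defaults-when-unset; the two config files it writes are constructed for the demo, and the user names in them are placeholders. Only the global section (before any Match block) and the first occurrence of each keyword are examined, which is also how sshd resolves a keyword.

```shell
#!/bin/sh
# Added example (not from the list post): audit an sshd_config against the
# "key-only, no root, AllowUsers, no forwarding" recommendation.
# Assumptions: OpenSSH keyword names/defaults; demo configs below are constructed.
set -eu

# sshd_get <file> <keyword>: print the keyword's value, or nothing if unset.
# Keywords are case-insensitive; the first occurrence wins, as in sshd;
# Match blocks are ignored.
sshd_get() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments, blanks
        tolower($1) == "match"                { exit }   # stop at Match blocks
        tolower($1) == key                    { print $2; exit }
    ' "$1"
}

# audit_sshd_config <file>: print one "WEAK: ..." line per setting that
# differs from the recommendation; prints nothing when the file passes.
audit_sshd_config() {
    f=$1
    # keyword|value sshd assumes when the keyword is absent|value we want
    for spec in \
        'PasswordAuthentication|yes|no' \
        'KbdInteractiveAuthentication|yes|no' \
        'PubkeyAuthentication|yes|yes' \
        'PermitRootLogin|yes|no' \
        'AllowTcpForwarding|yes|no' \
        'AllowAgentForwarding|yes|no'
    do
        key=${spec%%|*}; rest=${spec#*|}; def=${rest%%|*}; want=${rest#*|}
        val=$(sshd_get "$f" "$key")
        # Older OpenSSH spells KbdInteractiveAuthentication as
        # ChallengeResponseAuthentication; accept either spelling.
        if [ -z "$val" ] && [ "$key" = KbdInteractiveAuthentication ]; then
            val=$(sshd_get "$f" ChallengeResponseAuthentication)
        fi
        [ -n "$val" ] || val="$def (default)"
        case "$val" in
            "$want"|"$want (default)") ;;
            *) echo "WEAK: $key=$val (want $want)" ;;
        esac
    done
    # AllowUsers accumulates across lines; root must not appear, with or without @host.
    users=$(awk 'tolower($1)=="match"{exit}
                 tolower($1)=="allowusers"{for(i=2;i<=NF;i++) print $i}' "$f")
    if [ -z "$users" ]; then
        echo "WEAK: AllowUsers unset (any account with a valid shell may log in)"
    else
        for u in $users; do
            case "${u%%@*}" in root) echo "WEAK: AllowUsers lists root ($u)" ;; esac
        done
    fi
}

# Constructed demo: a stock-looking config (root login, password auth and
# forwarding all allowed, the commented-out line is what sshd really sees).
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
Port 22
PermitRootLogin yes
PubkeyAuthentication yes
ChallengeResponseAuthentication no
#PasswordAuthentication yes
X11Forwarding yes
EOF

# Constructed demo: the hardened config. User names are placeholders; the
# Match block hands TCP forwarding back to one user without enabling it globally.
HARD_CONF=$(mktemp)
cat > "$HARD_CONF" <<'EOF'
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
AllowUsers lina brian
AllowTcpForwarding no
AllowAgentForwarding no

Match User brian
    AllowTcpForwarding yes
EOF
trap 'rm -f "$WEAK_CONF" "$HARD_CONF"' EXIT

echo "== stock-looking config =="; audit_sshd_config "$WEAK_CONF"
echo "== hardened config =="; audit_sshd_config "$HARD_CONF"
```

On a real host, feed the audit the output of `sshd -T` saved to a file rather than the raw /etc/ssh/sshd_config: `sshd -T` prints the effective configuration with defaults filled in and keywords in lower case, which the parser accepts. Run `sshd -t` on the edited file before restarting the daemon, and keep an existing session open until the new configuration has been confirmed to accept your key. The client-side counterpart to AllowAgentForwarding no is `ForwardAgent no` in ~/.ssh/config, which is the setting the reply above found set to yes.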
