[opensuse-factory] request for comments: disable ssh daemon by default
Hi, We are thinking about disabling the ssh daemon by default. The reason is that most desktop users do not use it at all, it is just taking away memory for those, and it is also presenting an attack surface once the firewall is disabled. Also, it is blocked by the firewall from remote by default. Re-enabling it would be as simple as:
insserv sshd
rcsshd start
We are still undecided whether to do so or not. Ciao, Marcus -- Working, but not speaking, for the following German company: SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg) --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
On Fri, Mar 28, 2008 at 03:28:59PM +0100, Marcus Meissner wrote:
Hi,
We are thinking about disabling the ssh daemon by default.
Reason is that most desktop users do not use it at all and it is just taking away memory for those, and also presenting an attack surface once the firewall is disabled.
Why not combine it with the firewall setting?
IIRC there is already the option to open the SSH port in the
network setup during installation so simply start sshd when the
port is opened there.
Or make an extra item in the network setup for SSH just like for
VNC (or combine those two).
cu
Arvin
--
Arvin Schnell,
Arvin Schnell wrote:
On Fri, Mar 28, 2008 at 03:28:59PM +0100, Marcus Meissner wrote:
Hi,
We are thinking about disabling the ssh daemon by default.
Reason is that most desktop users do not use it at all and it is just taking away memory for those, and also presenting an attack surface once the firewall is disabled.
Why not combine it with the firewall setting?
IIRC there is already the option to open the SSH port in the network setup during installation so simply start sshd when the port is opened there.
+1 Users who use ssh will in general know about the firewall etc. too, others probably shouldn't have it enabled. Having said that - surely the memory footprint must be fairly small, and ssh security bugs are fairly rare ! ;-)
Or make an extra item in the network setup for SSH just like for VNC (or combine those two).
Combining them makes sense - my argument above applies here too.
Richard (MQ) wrote:
Having said that - surely the memory footprint must be fairly small, and ssh security bugs are fairly rare ! ;-)
An open sshd behind an open firewall will be under brute force attack in about 23 milliseconds after going on-line :-) /Per Jessen, Zürich
Per Jessen wrote:
Richard (MQ) wrote:
Having said that - surely the memory footprint must be fairly small, and ssh security bugs are fairly rare ! ;-)
An open sshd behind an open firewall will be under brute force attack in about 23 milliseconds after going on-line :-)
/Per Jessen, Zürich
That's for certain. I had one occasion when I went to a relative's home armed with CDs to get his box up to date, only to find I didn't have everything with me, so on the next occasion I enabled the ssh port on my smoothwall box so I could get to the stuff remotely. A few days later I remembered it was open and there were numerous attempts at a break in, all failed. It still has its uses; alternatively there is openVPN, which I haven't looked at in a while. The last time I just couldn't get it configured to work to a friend's box, whereas Cisco VPN client was a success for getting into our corporate systems working from home or dialling in via a private ISP from customer sites. Regards Sid. -- Sid Boyce ... Hamradio License G3VBV, Licensed Private Pilot Emeritus IBM/Amdahl Mainframes and Sun/Fujitsu Servers Tech Support Specialist, Cricket Coach Microsoft Windows Free Zone - Linux used for all Computing Tasks
The Saturday 2008-03-29 at 07:20 -0000, Sid Boyce wrote:
An open sshd behind an open firewall will be under brute force attack in about 23 milliseconds after going on-line :-)
That's for certain. I had one occasion when I went to a relative's home armed with CDs to get his box up to date, only to find I didn't have everything with me, so on the next occasion I enabled the ssh port on my smoothwall box so I could get to the stuff remotely. A few days later I remembered it was open and there were numerous attempts at a break in, all failed.
Another option would be to stop sshd if the user stops/disables the firewall. Or rather stop all network services! :-P And to open it in the firewall with the "FW_SERVICES_ACCEPT_EXT" option. That could be another can of worms, perhaps... :-? - -- Cheers, Carlos E. R.
Sid Boyce wrote:
Per Jessen wrote:
Richard (MQ) wrote:
Having said that - surely the memory footprint must be fairly small, and ssh security bugs are fairly rare ! ;-)
An open sshd behind an open firewall will be under brute force attack in about 23 milliseconds after going on-line :-)
/Per Jessen, Zürich
That's for certain. I had one occasion when I went to a relative's home armed with CDs to get his box up to date, only to find I didn't have everything with me, so on the next occasion I enabled the ssh port on my smoothwall box so I could get to the stuff remotely. A few days later I remembered it was open and there were numerous attempts at a break in, all failed. It still has its uses; alternatively there is openVPN, which I haven't looked at in a while. The last time I just couldn't get it configured to work to a friend's box, whereas Cisco VPN client was a success for getting into our corporate systems working from home or dialling in via a private ISP from customer sites. Regards Sid.
I do accept that any port open to the external internet will be bombarded by attacks, which is why we have firewalls. My feeling is that it is verging on reckless to connect a modem directly to a workstation; that's why I too run a Smoothwall box (and am very impressed with it). I know of quite a few people with poorly patched MS-lumbered PCs connected directly and yes, they often have problems. I'd even suggest that this is close to being the normal situation in the world at large, though probably not for OpenSuSE users. I don't suppose there's any survey data? Maybe a better solution is to leave it installed and enabled, but catch a user disabling the local firewall in YaST and pop up a box "are you sure you know what you're doing", maybe listing the open ports at the same time. Within small LANs it can be useful to disable it completely, but in a more public environment it's plain foolish. This one will continue to run and run I'm sure! -- Cheers Richard (MQ)
The Saturday 2008-03-29 at 11:52 -0000, Richard (MQ) wrote:
Maybe a better solution is to leave it installed and enabled, but catch a user disabling the local firewall in YaST and pop up a box "are you sure you know what you're doing", maybe listing the open ports at the same time.
Request his Network Driving License Number. :-) At least, a very obnoxious pop up in intermittent red, one where you have to type "yes" ("enter" is not valid), and better if it is one that runs away when the mouse gets near. :-p - -- Cheers, Carlos E. R.
Richard (MQ) wrote:
Arvin Schnell wrote:
On Fri, Mar 28, 2008 at 03:28:59PM +0100, Marcus Meissner wrote:
Hi,
We are thinking about disabling the ssh daemon by default.
Reason is that most desktop users do not use it at all and it is just taking away memory for those, and also presenting an attack surface once the firewall is disabled.
Why not combine it with the firewall setting?
IIRC there is already the option to open the SSH port in the network setup during installation so simply start sshd when the port is opened there.
+1
Users who use ssh will in general know about the firewall etc. too, others probably shouldn't have it enabled.
Having said that - surely the memory footprint must be fairly small, and ssh security bugs are fairly rare ! ;-)
Or make an extra item in the network setup for SSH just like for VNC (or combine those two).
Combining them makes sense - my argument above applies here too.
If I am not mistaken, this is already so. As I don't use the firewall, because my LAN is inaccessible when it is on, I turn it off when concluding the install. When I do that, ssh closes. -- Enjoy your time around, Oddball (Now or never...) Besturingssysteem: Linux 2.6.25-rc5-git2-5-default x86_64 Current user: oddball@AMD64x2-sfn1 System: openSUSE 11.0 (x86_64) Alpha3 KDE: 4.00.66 (KDE 4.0.66 >= 20080313) "release 6.1"
Marcus Meissner wrote:
Hi,
We are thinking about disabling the ssh daemon by default.
Reason is that it most desktop users do not use it all
Then don't install sshd at all. Make it part of a "mostly-server" pattern which isn't selected if people select "most-desktop" mode. /Per Jessen, Zürich
Hello, Per Jessen wrote:
Then don't install sshd at all. Make it part of a "mostly-server" pattern which isn't selected if people select "most-desktop" mode.
Well, I'm writing this from my 'mostly-desktop' machine, still I find sshd essential in my daily routine. Practical example: scp the content of /var/log/YaST2 during installation to my desktop, so I can upload logs with a bug report. So, even if it is not enabled by default, it should be easy to enable it without going through a detailed package selection. CzP
Peter Czanik wrote:
Hello,
Per Jessen wrote:
Then don't install sshd at all. Make it part of a "mostly-server" pattern which isn't selected if people select "most-desktop" mode.
Well, I'm writing this from my 'mostly-desktop' machine, still I find sshd essential in my daily routine. Practical example: scp the content of /var/log/YaST2 during installation to my desktop, so I can upload logs with a bug report. So, even if it is not enabled by default, it should be easy to enable it without going through a detailed package selection. CzP
Agree - but I don't see any reason for changing it at all. An unused sshd uses very little memory, and whatever it does use is very quickly swapped out. /Per Jessen, Zürich
Per Jessen wrote:
Agree - but I don't see any reason for changing it at all. An unused sshd uses very little memory, and whatever it does use is very quickly swapped out.
Having thought a little more about it, I definitely vote no - that change would have only negligible effect for desktop-only/mostly users, whereas it would only create additional work for any server install. /Per Jessen, Zürich
On Fri, Mar 28, 2008 at 12:34 PM, Per Jessen
Per Jessen wrote:
Agree - but I don't see any reason for changing it at all. An unused sshd uses very little memory, and whatever it does use is very quickly swapped out.
Having thought a little more about it, I definitely vote no - that change would have only negligible effect for desktop-only/mostly users, whereas it would only create additional work for any server install.
Having thought a little more about it, I definitely vote yes - that change would have only negligible effect for any server-install users, whereas it would not create additional work for desktop-only/mostly newbies with a better default setting. Best Regards Marcio
/Per Jessen, Zürich
Druid wrote:
Having thought a litle more about it, I definitely vote yes - that change would have only negligible effect for any server-install users, whereas it would not create additional work for desktop-only/mostly newbies with a better default setting.
What exactly is "better" about not starting sshd by default? Marcus' memory argument is a non-argument IMHO. /Per Jessen, Zürich
On Fri, Mar 28, 2008 at 1:37 PM, Per Jessen
Druid wrote:
Having thought a litle more about it, I definitely vote yes - that change would have only negligible effect for any server-install users, whereas it would not create additional work for desktop-only/mostly newbies with a better default setting.
What exactly is "better" about not starting sshd by default?
Erm, the same thing that is better about not having any remote service opened by default? The fact that it could have a vulnerability that could lead to a successful attack? It's pretty clear why not having a service running by default (specially those offering it to the outside world) is better than the opposite; if you don't see that, possibly you just don't want to see. It's the same reason we don't see apaches, telnetd's, mysqls, ntpds, etc. running by default. Now you want to convince everyone that everybody ssh to their own boxes running sshd all the time, and that this is the default usecase around the planet, just because you don't want to run "insserv sshd" once, and additionally it's better to change the Earth's rotation instead of you typing those 13 keystrokes (including the enter) so you activate your sshd. Except for me, I can rarely find someone ssh'ing to their boxes, except when those boxes are shared servers, in which case the damn admin might as well have the knowledge to start or stop an ssh daemon. Marcio
Druid wrote:
On Fri, Mar 28, 2008 at 1:37 PM, Per Jessen
wrote: Druid wrote:
Having thought a litle more about it, I definitely vote yes - that change would have only negligible effect for any server-install users, whereas it would not create additional work for desktop-only/mostly newbies with a better default setting.
What exactly is "better" about not starting sshd by default?
Erm, the same thing that is better not having any remote service opened by default? The fact that it could have a vulnerability that could lead to a successful attack?
Doesn't seem to have been much of a problem in the last few years, has it? Also, ssh only becomes vulnerable to an attack when you open the port in the firewall. Even then there is probably still a rate-check to stop brute force attacks.
It's pretty clear why not having a service running by default (specially those offering it to the outside world) is better than the opposite; if you don't see that, possibly you just don't want to see.
If that argument was correct, we should let the user run the init-sequence manually.
Now you want to convince everyone that everybody ssh to their own boxes running sshd all the time,
No, I don't. I just don't think it's a good idea to change the current setup when the change doesn't bring about an improvement.
and that this is the default usecase around the planet, just because you don't want to run "insserv sshd" once, and additionally it's better to change the Earth's rotation instead of you typing those 13 keystrokes (including the enter) so you activate your sshd.
You're not listening. I'm NOT advocating any change. You're the one who wants a change. /Per Jessen, Zürich
Erm, the same thing that is better not having any remote service opened by default? The fact that it could have a vulnerability that could lead to a successful attack?
Doesn't seem to have been much of a problem in the last few years, has it? Also, ssh only becomes vulnerable to an attack when you open the port in the firewall. Even then there is probably still a rate-check to stop brute force attacks.
As I've said, it's crystal clear what's better about not having a remote service running. Your usecase assumes everyone is behind a firewall; what if they are not? And just because ssh didn't have lots of problems, then we should assume it won't have? It's very silly, that comment. We should look at the services and say "nay, won't try to secure that one, seems it won't need... this one, wow, this one I will secure, seems it's a naughty one". If you can open a port in your firewall, you can start ssh. And one of the two remotely exploitable bugs in 10 years in OpenBSD was in OpenSSH. But as I've mentioned earlier, this doesn't matter.
It's pretty clear why not having a service running by default (specially those offering it to the outside world) is better than the opposite; if you don't see that, possibly you just don't want to see.
If that argument was correct, we should let the user run the init-sequence manually.
That argument is correct, and it doesn't imply what you've just said; it's a matter of logic.
Now you want to convince everyone that everybody ssh to their own boxes running sshd all the time,
No, I don't. I just don't think it's a good idea to change the current setup when the change doesn't bring about an improvement.
It brings an improvement, it was explained more or less 9 times in this thread.
You're not listening. I'm NOT advocating any change. You're the one who wants a change.
Exactly, the n-1 persons who commented in this thread (by n-1 I mean all except you) think it's better practice to turn off the service, as it has been good practice since the internet started. And your argument for that is that openssh doesn't have bugs, which is at least naive. It's silly because one doesn't secure systems based on the amount of "secureness" of the service; you don't assume that, you assume the worst case, which is that the service will eventually have a bug. And besides that, ssh can be exploited without a bug, simply by bruteforcing it... root is enabled to log in by default iirc, and you already have a user, all you need is a password now. Marcio
Druid wrote:
Now you want to convince everyone that everybody ssh to their own boxes running sshd all the time,
No, I don't. I just don't think it's a good idea to change the current setup when the change doesn't bring about an improvement.
It brings an improvement, it was explained more or less 9 times in this thread.
Nobody has described any _actual_ improvements. Running sshd behind the default firewall does not make the system any less secure, and it does not waste any memory when it isn't used.
And your argument for that is that openssh doesn't have bugs, which is at least naive.
Where did I say that? Marcio, you're making things up. Thanks for the discussion. /Per Jessen, Zürich
On Sat 29 Mar 2008 06:10:43 NZDT +1300, Per Jessen wrote:
Erm, the same thing that is better not having any remote service opened by default? The fact that it could have a vulnerability that could lead to a successful attack?
Doesn't seem to have been much of a problem in the last few years, has it? Also, ssh only becomes vulnerable to an attack when you open the port in the firewall.
This is the case Markus wants to protect against. People turn off the firewall for their desktops because it blocks too much LAN functionality by default (mostly broadcasts about available services, at a guess). With the default setting of password-login and the weak passwords on desktops sshd becomes a BIG HOLE(TM) very quickly, and nothing to do with coding errors.
Even then there is probably still a rate-check to stop brute force attacks.
Not by default (though there should be); you'll have to go out of your way to configure that. Someone who doesn't use sshd won't be doing that. Volker -- Volker Kuhlmann is list0570 with the domain in header http://volker.dnsalias.net/ Please do not CC list postings to me.
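The two weak defaults named in this thread (password login and root login enabled) are the ones an exposed desktop sshd is guessed through. The following audit is an added example, not code from the thread or from openSUSE: it reads the global section of an sshd_config, treats a missing or commented-out directive as the compiled-in default of 2008-era OpenSSH, and reports the settings that leave the host open to online guessing. The MaxAuthTries limit of 3 is a threshold chosen for the example; both config texts are constructed.

```python
"""Audit of sshd_config directives that make an exposed sshd a password-guessing target."""

# Effective value when the directive is absent (2008-era OpenSSH defaults).
DEFAULTS = {
    "passwordauthentication": "yes",
    "permitrootlogin": "yes",
    "permitemptypasswords": "no",
    "maxauthtries": "6",
}

# Value wanted on a host whose port 22 may be reachable, with the reason.
WANTED = {
    "passwordauthentication": ("no", "password logins can be guessed online; use keys"),
    "permitrootlogin": ("no", "root is a known username, so only the password is unknown"),
    "permitemptypasswords": ("no", "an empty password needs no guessing at all"),
}

MAX_AUTH_TRIES = 3  # threshold chosen for this example, not an OpenSSH default


def parse_sshd_config(text):
    """Return {keyword.lower(): value.lower()} for the global section of sshd_config.

    sshd honours the first occurrence of a keyword, and everything after the first
    Match line applies only conditionally, so later duplicates and Match blocks are
    left out of the global picture."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text):
    """Return [(directive, effective_value, reason)] for every weak setting."""
    effective = dict(DEFAULTS)
    effective.update(parse_sshd_config(text))
    findings = []
    for key, (wanted, reason) in WANTED.items():
        if effective[key] != wanted:
            findings.append((key, effective[key], reason))
    if int(effective["maxauthtries"]) > MAX_AUTH_TRIES:
        findings.append(("maxauthtries", effective["maxauthtries"],
                         "allows more guesses per connection than needed"))
    return findings


# Constructed: the shape of a stock file where every relevant line is a comment,
# so the compiled-in defaults apply.
WEAK_CONFIG = """\
# Authentication:
#PermitRootLogin yes
#PasswordAuthentication yes
#MaxAuthTries 6
UsePAM yes
"""

# Constructed hardened counterpart; the Match block re-enables passwords only
# for a LAN range and does not change the global verdict.
HARDENED_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
MaxAuthTries 3
UsePAM yes
Match Address 192.0.2.0/24
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit_sshd_config(cfg)
        print(f"{name}: {len(findings)} finding(s)")
        for directive, value, reason in findings:
            print(f"  {directive}={value}: {reason}")
```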
Hi, On Sat, 29 Mar 2008, Volker Kuhlmann wrote:
On Sat 29 Mar 2008 06:10:43 NZDT +1300, Per Jessen wrote:
Erm, the same thing that is better not having any remote service opened by default? The fact that it could have a vulnerability that could lead to a successful attack?
Doesn't seem to have been much of a problem in the last few years, has it? Also, ssh only becomes vulnerable to an attack when you open the port in the firewall.
This is the case Markus wants to protect against. People turn off the firewall for their desktops because it blocks too much LAN functionality by default (mostly broadcasts about available services, at a guess). With the default setting of password-login and the weak passwords on desktops sshd becomes a BIG HOLE(TM) very quickly, and nothing to do with coding errors.
No problem currently. "Initial state" is firewall enabled, ssh disabled. So simply to disable the firewall does not create a hole regarding ssh - it is even removing the field to click "enable ssh". Very very security aware already... My standard procedure is: 1. enable ssh 2. disable firewall and I won't miss this easy way.
Even then there is probably still a rate-check to stop brute force attacks.
Not by default (though there should be), you'll have to go out of your way to configure that. Someone who doesn't use sshd won't be doing that.
Pamshield could do it, but we have this rate-checking at the router's firewall. A good "sshd: ALL EXCEPT ..." line in /etc/hosts.deny would do it too. Best regards Eberhard Mönkeberg (emoenke@gwdg.de, em@kki.org)
On Sat, 2008-03-29 at 09:30 +1300, Volker Kuhlmann wrote:
This is the case Markus wants to protect against. People turn off the firewall for their desktops because it blocks too much LAN functionality by default (mostly broadcasts about available services, at a guess). With the default setting of password-login and the weak passwords on desktops sshd becomes a BIG HOLE(TM) very quickly, and nothing to do with coding errors.
If some people (I don't know any) think it is wise to turn off their firewall, AND by then have an open exposure from the Internet, THEY should turn off their ssh daemon. Most desktop users I know of are behind a dedicated firewall, either in their DSL modem or a "multi-purpose" firewall. I would rather see a bunch of people with an idle ssh daemon than people who need remote access starting the R-services again....
Volker Kuhlmann wrote:
On Sat 29 Mar 2008 06:10:43 NZDT +1300, Per Jessen wrote:
Erm, the same thing that is better not having any remote service opened by default? The fact that it could have a vulnerability that could lead to a successful attack?
Doesn't seem to have been much of a problem in the last few years, has it? Also, ssh only becomes vulnerable to an attack when you open the port in the firewall.
This is the case Markus wants to protect against. People turn off the firewall for their desktops because it blocks too much LAN functionality by default (mostly broadcasts about available services, at a guess).
If you're on a LAN, you don't really need a firewall, do you?
Even then there is probably still a rate-check to stop brute force attacks.
Not by default (though there should be), you'll have to go out of your way to configure that. Someone who doesn't use sshd won't be doing that.
I don't use the openSUSE firewall, but setting up a rate-check is only 3 iptables entries.
iptables -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack --update --seconds 60 --hitcount 6 -j LOG --log-prefix 'SSH attack: '
iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack --update --seconds 60 --hitcount 6 -j REJECT
This one rejects anyone with 6 login attempts within 60 seconds. /Per Jessen, Zürich
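The iptables rules above count SYNs per source; the same 6-in-60-seconds policy can be applied to the "Failed password" lines sshd writes via syslog, which is the check a host without the packet-level rule (or one that wants to confirm it works) can run. This detector is an added example, not code from the thread or from openSUSE; the log lines are constructed, and the year is supplied by the caller because syslog timestamps omit it.

```python
"""Sliding-window detector for SSH password guessing, run over sshd syslog lines."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in the syslog format sshd produces in /var/log/messages.
SAMPLE_LOG = """\
Mar 29 10:00:01 desktop sshd[4120]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar 29 10:00:05 desktop sshd[4122]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar 29 10:00:09 desktop sshd[4124]: Failed password for root from 203.0.113.5 port 51245 ssh2
Mar 29 10:00:14 desktop sshd[4126]: Accepted publickey for carlos from 192.0.2.10 port 40022 ssh2
Mar 29 10:00:18 desktop sshd[4128]: Failed password for invalid user oracle from 203.0.113.5 port 51250 ssh2
Mar 29 10:00:22 desktop sshd[4130]: Failed password for invalid user test from 203.0.113.5 port 51255 ssh2
Mar 29 10:00:30 desktop sshd[4132]: Failed password for root from 203.0.113.5 port 51260 ssh2
Mar 29 10:05:00 desktop sshd[4140]: Failed password for peter from 192.0.2.10 port 40030 ssh2
Mar 29 10:05:04 desktop sshd[4142]: Accepted password for peter from 192.0.2.10 port 40031 ssh2
"""

# Matches both "Failed password for root ..." and "Failed password for invalid user x ...".
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(text, year=2008):
    """Yield (timestamp, source_ip, user) for each failed password attempt.

    syslog lines carry no year, so the caller supplies it."""
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"]


def detect_bruteforce(text, threshold=6, window_seconds=60, year=2008):
    """Return {source_ip: (time_flagged, sorted usernames tried)} for every source
    with at least `threshold` failures inside a `window_seconds` span.

    Lines are assumed to be in chronological order, as they are in a log file."""
    recent = defaultdict(deque)   # per source: timestamps still inside the window
    users = defaultdict(set)
    flagged = {}
    for ts, ip, user in parse_failures(text, year):
        users[ip].add(user)
        window = recent[ip]
        window.append(ts)
        # Expire entries older than the window, like '--update --seconds 60'.
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold and ip not in flagged:
            flagged[ip] = (ts, sorted(users[ip]))
    return flagged


if __name__ == "__main__":
    for ip, (when, tried) in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{when:%b %d %H:%M:%S} brute force from {ip}, users tried: {', '.join(tried)}")
```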
Per Jessen wrote:
Volker Kuhlmann wrote:
On Sat 29 Mar 2008 06:10:43 NZDT +1300, Per Jessen wrote:
Erm, the same thing that is better not having any remote service opened by default? The fact that it could have a vulnerability that could lead to a successful attack?
Doesn't seem to have been much of a problem in the last few years, has it? Also, ssh only becomes vulnerable to an attack when you open the port in the firewall.
This is the case Markus wants to protect against. People turn off the firewall for their desktops because it blocks too much LAN functionality by default (mostly broadcasts about available services, at a guess).
If you're on a LAN, you don't really need a firewall, do you?
and an open sshd isn't really a risk on a LAN. /Per Jessen, Zürich
If you're on a LAN, you don't really need a firewall, do you?
and an open sshd isn't really a risk on a LAN.
Hi, Thanks for your multiple inputs, but please have two things in mind: 1) Your personal experience is not exactly the common case, on which we should focus. Understand that. Try to think outside of your universe. What people want here is the common case, what would be best for the majority of the users, specially those with less Linux knowledge. 2) You don't have enough imagination to think of different usecases; that's why you come saying anything is not a problem. It's because you can't see the problem, it's not because the problem isn't there. I will, once again, show a use case for a problem you say supposedly doesn't exist. You are in a public hotspot, and then you are in a LAN and another laptop could bruteforce the ssh. There you have it, a LAN in which you don't trust the other peers.
2008/3/29, Druid
If you're on a LAN, you don't really need a firewall, do you?
and an open sshd isn't really a risk on a LAN.
Hi,
Thanks for your multiple inputs, but please have two things in mind: 1) Your personal experience is not exactly the common case, on which we should focus. Understand that. Try to think outside of your universe. What people want here is the common case, what would be best for the majority of the users, specially those with less Linux knowledge. 2) You don't have enough imagination to think of different usecases; that's why you come saying anything is not a problem. It's because you can't see the problem, it's not because the problem isn't there.
I will, once again, show a use case for a problem you say supposedly doesn't exist. You are in a public hotspot, and then you are in a LAN and another laptop could bruteforce the ssh. There you have it, a LAN in which you don't trust the other peers.
Desktop case: I have it enabled even on my laptop. Server case: It would be really annoying to install a new rack-mounted headless server through VNC and have to pull some monitor/serial console from somewhere else to enable ssh access (given it's a really crowded server room with few consoles). General case (given you are considering disabling sshd, not my choice): Disable it by default BUT add an option to enable it DURING installation; that way all the security hooligans will be happy, server admins will require a quick extra step and newbies will leave everything as default (as usual). Regards, Ciro
Ciro Iriarte wrote:
General case (given you are considering disabling sshd, not my choice): Disable it by default BUT add an option to enable it DURING installation, that way all the security hooligans will be happy, server admins will require a quick extra step and newbies will leave everything as default (as usually).
That plus the sensible default of always leaving it active when the install was done remotely. /Per Jessen, Zürich
Druid wrote:
If you're on a LAN, you don't really need a firewall, do you?
and an open sshd isn't really a risk on a LAN.
Hi,
Thanks for your multiple inputs, but please have two things in mind: 1) Your personal experience is not exactly the common case, on which we should focus. Understand that.
Please, do you really find it necessary to be so condescending? Wrt understanding, I would suggest you try to understand that _you_ do not define what _we_ should focus on.
What people want here is the common case, what would be best for the majority of the users, especially those with less Linux knowledge.
Who says that? (apart from yourself).
2) You don't have enough imagination to think of different use cases; that's why you come saying anything is not a problem. It's because you can't see the problem, it's not because the problem isn't there.
Please don't tell what I do and do not have and can and cannot see. It's none of your business. /Per Jessen, Zürich
Please, do you really find it necessary to be so condescending?
Wrt understanding, I would suggest you try to understand that _you_ do not define what _we_ should focus on.
It is necessary, because you are avoiding that like a cat avoids water. Half of the emails in this thread are opinions, which Marcus asked for; the other half are your emails stating wrong stuff.
What people want here is the common case, what would be best for the majority of the users, especially those with less Linux knowledge.
Who says that? (apart from yourself).
If Marcus asked the people's opinion about sshd being disabled by *default*, I think it's pretty clear that the DEFAULT is what works for most people, and usually the DEFAULT goal is to make it better and more secure for everyone, especially those who have less Linux knowledge.
2) You don't have enough imagination to think of different use cases; that's why you come saying anything is not a problem. It's because you can't see the problem, it's not because the problem isn't there.
Please don't tell what I do and do not have and can and cannot see. It's none of your business.
Sorry, I have to; you are repeatedly stating wrong information to justify your statements, and that can be misleading. Wish there was a better way... Since you will probably ask, let me put some of your wrong assumptions in here so I don't need to give another reply:
- Saying there is no problem with ssh on a LAN, because a LAN is secure
- Saying you don't need a firewall in a LAN
- Saying there is no problem with sshd running because sshd is secure
- Ignoring that an sshd attack doesn't need a security hole; it could be DDoS or brute force
- Assuming there is no problem with sshd running because there will be a firewall
- Ignoring that it's good practice to have external services enabled as a minimum
- Stating that it's better for a newbie user to (potentially) deal with security by disabling sshd, instead of letting him not worry about it and a server admin worry about enabling it if he needs to
I just saw you sent a new email, so I will add another reason:
- You're blaming a newbie because he doesn't know security. He is a NEWBIE, of course he doesn't know security. That's why people designing their stuff should think of a secure default.
And just so you don't say it's a random attack, I will, yet another n-th time, give a use case on why a firewall would be disabled by a newbie by accident or naivety:
- A newbie wants to play a game or share files with a friend on a notebook. It's well known that samba, zeroconf and some nfs setups are very firewall-unfriendly, not to mention a user using network manager could have trouble while switching from one network to another (for example, at home he wants to share with a windows pc, so he disables the firewall, and then he goes to work, in a bad LAN).
Why blame a newbie for being a newbie?
Regards Marcio
Druid wrote:
Please, do you really find it necessary to be so condescending?
Wrt understanding, I would suggest you try to understand that _you_ do not define what _we_ should focus on.
It is necessary, because you are avoiding that like a cat avoids water.
Welcome to my killfile. Plonk. /Per Jessen, Zürich
Druid wrote:
I will, once again, show a use case for a problem you say supposedly doesn't exist. You are in a public hotspot and then you are in a LAN and another laptop could brute-force the ssh. There you have it, a LAN in which you don't trust the other peers.
I apologise for leaving out the word "trusted" in my earlier posting about not needing a firewall when you're on a LAN. Obviously, if your computer is connected to any kind of _untrusted_ network, you should be running a firewall. We are talking about a problem that _only_ becomes a problem after the user has _disabled_ the firewall. If you're brave or stupid enough to do that when your machine is connected to an untrusted network, you're beyond help. IMHO. /Per Jessen, Zürich
Personally I keep sshd running, but OTOH, for newbie users, like Marcus suggested, have it installed but turned off (other daemons like telnet or ftp are not running by default either).
Another suggestion, for the default sshd config:
1) only enable the ssh2 protocol; now both ssh1 and ssh2 are enabled. Protocol: Specifies the protocol versions sshd supports. ==> The default is “2,1”. <==
2) disable PasswordAuthentication: Specifies whether password authentication is allowed. ==> The default is “yes”. <== If you need remote access to a system, take the time to distribute a lengthy asymmetric key (longer than the default), protected by a long enough pass-phrase.
3) disable root access. PermitRootLogin: Specifies whether root can log in using ssh. ==> The default is “yes”. <== Horrible!!
4) restrict access with "AllowUsers": This keyword can be followed by a list of user name patterns, separated by spaces. If specified, login is allowed only for user names that match one of the patterns. ==> By default, login is allowed for all users. <==
Suggestions 1 & 3 should have little or no impact. 2) would only cause some seconds of extra work for admins...
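As an added example that is not part of Hans's post or of openSUSE, the shell script below audits an sshd_config against the four defaults he lists (Protocol, PasswordAuthentication, PermitRootLogin, AllowUsers), reading the file the way sshd does (first value wins, case-insensitive keywords, top-level settings only) and printing one finding per line; the two sample configs are constructed, and the defaults assumed for absent keywords are the ones quoted from the man page above.

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config against the four
# defaults Hans lists. One finding per line; no output means the file already
# has the suggested hardened values.  Usage: audit_sshd_config /etc/ssh/sshd_config
#
# sshd_config(5): keywords are case-insensitive, the FIRST value obtained for a
# keyword wins, and both "Keyword value" and "Keyword=value" are accepted.
# Settings inside a Match block are conditional, so lookups stop there.

sshd_option() {
    # $1 = config file, $2 = keyword; prints the effective top-level value,
    # or nothing when the keyword is absent (compiled-in default applies)
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/^[ \t]+/, "") }
        /^#/ || /^$/ { next }
        { split($0, f, /[ \t=]+/); k = tolower(f[1]) }
        k == "match" { exit }
        k == key { sub(/^[^ \t=]+[ \t=]+/, ""); sub(/[ \t]+$/, ""); print; exit }
    ' "$1"
}

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

audit_sshd_config() {
    cfg=$1
    # Absent keywords take the defaults quoted in the thread from the 2008-era
    # man page: Protocol "2,1", PasswordAuthentication "yes", PermitRootLogin
    # "yes", and AllowUsers unset (every account may log in).
    proto=$(sshd_option "$cfg" Protocol);                           proto=${proto:-2,1}
    pwauth=$(lower "$(sshd_option "$cfg" PasswordAuthentication)"); pwauth=${pwauth:-yes}
    root=$(lower "$(sshd_option "$cfg" PermitRootLogin)");          root=${root:-yes}
    users=$(sshd_option "$cfg" AllowUsers)

    case ",$proto," in
        *,1,*) echo "Protocol: SSH1 enabled (\"$proto\"); set 'Protocol 2'" ;;
    esac
    [ "$pwauth" = yes ] && echo "PasswordAuthentication: yes; distribute keys, then set 'PasswordAuthentication no'"
    [ "$root" != no ]   && echo "PermitRootLogin: \"$root\"; set 'PermitRootLogin no' and use su - or sudo"
    [ -n "$users" ]     || echo "AllowUsers: unset, so every account may log in; list the admin accounts"
    return 0
}

sample_weak_config() {
    # Constructed file mirroring the defaults quoted in the thread
    cat <<'EOF'
Port 22
Protocol 2,1
#PasswordAuthentication no
PasswordAuthentication yes
PermitRootLogin yes
EOF
}

sample_hardened_config() {
    # Constructed file with the suggested values; includes an indented
    # "Keyword=value" line and a Match block to exercise the parser
    cat <<'EOF'
Protocol 2
    PasswordAuthentication=no
PermitRootLogin no
AllowUsers admin backup
Match Address 192.0.2.0/24
    PasswordAuthentication yes
EOF
}

tmp=$(mktemp)
sample_weak_config > "$tmp";     echo "== weak config ==";     audit_sshd_config "$tmp"
sample_hardened_config > "$tmp"; echo "== hardened config =="; audit_sshd_config "$tmp"
rm -f "$tmp"
```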
On Sun, Mar 30, 2008 at 03:48:21PM +0200, Hans Witvliet wrote:
Personally I keep sshd running, but OTOH, for newbie users, like Marcus suggested, have it installed but turned off (other daemons like telnet or ftp are not running by default either).
Another suggestion, for default sshd config 1) only enable ssh2 protocol, now both ssh1 and ssh2 are enabled. Protocol Specifies the protocol versions sshd supports. ==> The default is “2,1”. <==
This is already done for 10.3 and newer ... They only have 2 as default.
2) disable PasswordAuthentication Specifies whether password authentication is allowed. ==> The default is “yes”. <==
If you need remote access to a system, take the time to distribute a lengthy asymmetric key (longer than the default), protected by a long enough pass-phrase.
This is not really user-friendly, so I do not think we will do this.
3) disable root access. PermitRootLogin Specifies whether root can log in using ssh ==> The default is “yes”. <== Horrible!!
This would be an idea.
4) restrict access with "AllowUsers" This keyword can be followed by a list of user name patterns, separated by spaces. If specified, login is allowed only for user names that match one of the patterns. ==> By default, login is allowed for all users. <==
Not user-friendly either.
Suggestions 1 & 3 should have little or no impact. 2) would only cause some seconds of extra work for admins...
I will bring up the "PermitRootLogin: false" idea. Ciao, Marcus
2008/3/30, Marcus Meissner
On Sun, Mar 30, 2008 at 03:48:21PM +0200, Hans Witvliet wrote:
Personally I keep sshd running, but OTOH, for newbie users, like Marcus suggested, have it installed but turned off (other daemons like telnet or ftp are not running by default either).
Another suggestion, for default sshd config 1) only enable ssh2 protocol, now both ssh1 and ssh2 are enabled. Protocol Specifies the protocol versions sshd supports. ==> The default is "2,1". <==
This is already done for 10.3 and newer ... They only have 2 as default.
Cool
2) disable PasswordAuthentication Specifies whether password authentication is allowed. ==> The default is "yes". <==
If you need remote access to a system, take the time to distribute a lengthy asymmetric key (longer than the default), protected by a long enough pass-phrase.
This is not really user-friendly, so I do not think we will do this.
I use a private key, but I second this..
3) disable root access. PermitRootLogin Specifies whether root can log in using ssh ==> The default is "yes". <== Horrible!!
This would be an idea.
That would be annoying. I have some servers where I don't have regular users or LDAP authentication (not all of them need to in our datacenter), and with this disabled I still would need to pull a serial console from somewhere to change this and have access to the headless server even though the sshd is up and running after installation (remote installation case).
4) restrict access with "AllowUsers" This keyword can be followed by a list of user name patterns, separated by spaces. If specified, login is allowed only for user names that match one of the patterns. ==> By default, login is allowed for all users. <==
Not user-friendly either.
Probably...
Suggestions 1 & 3 should have little or no impact. 2) would only cause some seconds of extra work for admins...
I will bring up the "PermitRootLogin: false" idea.
Ciao, Marcus
Regards, Ciro
On Sun, 2008-03-30 at 22:24 -0400, Ciro Iriarte wrote:
2) disable PasswordAuthentication Specifies whether password authentication is allowed. ==> The default is "yes". <==
If you need remote access to a system, take the time to distribute a lengthy asymmetric key (longer than the default), protected by a long enough pass-phrase.
This is not really user-friendly, so I do not think we will do this.
I use a private key, but I second this..
Perhaps at present.... Maybe in the future, a nice and safe pair of keys can be generated automagically when creating user-accounts....
3) disable root access. PermitRootLogin Specifies whether root can log in using ssh ==> The default is "yes". <== Horrible!!
This would be an idea.
That would be annoying. I have some servers where I don't have regular users or LDAP authentication (not all of them need to in our datacenter), and with this disabled I still would need to pull a serial console from somewhere to change this and have access to the headless server even though the sshd is up and running after installation (remote installation case).
Why annoying? It only implied that for *remote* logins, you have to use an ordinary user account, and then do a "su -" or a "sudo". Anyway, it was a suggestion for the _default_ config. People like you, who know what you're doing, can change it easily any way they want.
4) restrict access with "AllowUsers" This keyword can be followed by a list of user name patterns, separated by spaces. If specified, login is allowed only for user names that match one of the patterns. ==> By default, login is allowed for all users. <==
Not user-friendly either.
Agreed. Easy access to remote (not local) systems and security are at opposite sides of the spectrum.
hw
2008/3/31, Hans Witvliet
On Sun, 2008-03-30 at 22:24 -0400, Ciro Iriarte wrote:
3) disable root access. PermitRootLogin Specifies whether root can log in using ssh ==> The default is "yes". <== Horrible!!
This would be an idea.
That would be annoying. I have some servers where I don't have regular users or LDAP authentication (not all of them need to in our datacenter), and with this disabled I still would need to pull a serial console from somewhere to change this and have access to the headless server even though the sshd is up and running after installation (remote installation case).
Why annoying? It only implied that for *remote* logins, you have to use an ordinary user account, and then do a "su -" or a "sudo". Anyway, it was a suggestion for the _default_ config. People like you, who know what you're doing, can change it easily any way they want.
If you have to move hardware around just to change a line in the ssh configuration, it is annoying. Regarding the regular user, as I stated before, not all servers need regular users, think about a cyrus imap black-box server... I'm just giving my impressions...
hw
Regards, Ciro
On Tue, Apr 1, 2008 at 4:45 AM, "Ciro Iriarte" wrote:
If you have to move hardware around just to change a line in the ssh configuration, it is annoying. Regarding the regular user, as I stated before, not all servers need regular users, think about a cyrus imap black-box server... I'm just giving my impressions...
What stops you from having your own corp-wide admin user in this case? And I'd suggest to name it somewhat non-trivial already. root is most likely one of the most tried login attempts to my ssh daemon. So even though I need root rights, I would never ever allow it to log in directly via SSH. Call me paranoid, but I prefer somebody hacking into a dummy user account and then having to break a su password in plus. And the log file of failed login attempts shows me it's not the worst thing to do... Why have them 'only' guess the password, if I can have them guess user AND password combinations? An alternative of course would be to rename root. Dominique
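Dominique's point rests on what the failed-login log shows. As an added example (not code from anyone in the thread), these shell functions tally sshd's standard syslog "Failed password" lines by account and by source address, so a defender can see which names and addresses are being guessed; the log excerpt is constructed sample data using documentation addresses.

```shell
#!/bin/sh
# Added example, not from the thread: tally sshd "Failed password" syslog lines
# by account and by source address. Feed it your syslog, e.g.
#   top_accounts < /var/log/messages
# "Invalid user X from IP" lines only announce an unknown name and are not
# counted; each "Failed password" line is one real authentication failure.

failed_logins() {
    # stdin: syslog lines; stdout: "<account> <source-ip>" per failed attempt.
    # Handles both "for NAME from IP" and "for invalid user NAME from IP".
    awk '/sshd\[[0-9]+\]: Failed password for / {
        user = ""; ip = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "for" && user == "") {
                user = ($(i + 1) == "invalid" && $(i + 2) == "user") ? $(i + 3) : $(i + 1)
            } else if ($i == "from") {
                ip = $(i + 1)
            }
        }
        if (user != "" && ip != "") print user, ip
    }'
}

count_by() {
    # $1 = 1 (account) or 2 (source address); prints "<count> <key>",
    # most frequent first
    awk -v f="$1" '{ n[$f]++ } END { for (k in n) print n[k], k }' | sort -rn
}
top_accounts() { failed_logins | count_by 1; }
top_sources()  { failed_logins | count_by 2; }

brute_force_sources() {
    # $1 = threshold; prints addresses with at least that many failures
    # (a hitcount over the whole file, with no time window)
    failed_logins | count_by 2 | awk -v t="$1" '$1 >= t { print $2 }'
}

sample_auth_log() {
    # Constructed syslog excerpt in OpenSSH's standard format: one noisy
    # guesser, one light one, and one legitimate user who mistyped once
    cat <<'EOF'
Mar 30 02:14:07 srv1 sshd[4011]: Failed password for root from 198.51.100.7 port 51234 ssh2
Mar 30 02:14:09 srv1 sshd[4011]: Failed password for root from 198.51.100.7 port 51234 ssh2
Mar 30 02:14:12 srv1 sshd[4011]: Failed password for root from 198.51.100.7 port 51234 ssh2
Mar 30 02:14:15 srv1 sshd[4013]: Failed password for root from 198.51.100.7 port 51240 ssh2
Mar 30 02:14:18 srv1 sshd[4015]: Invalid user admin from 198.51.100.7
Mar 30 02:14:18 srv1 sshd[4015]: Failed password for invalid user admin from 198.51.100.7 port 51244 ssh2
Mar 30 02:14:21 srv1 sshd[4015]: Failed password for invalid user admin from 198.51.100.7 port 51244 ssh2
Mar 30 02:14:25 srv1 sshd[4017]: Failed password for invalid user test from 198.51.100.7 port 51250 ssh2
Mar 30 02:20:02 srv1 sshd[4101]: Failed password for root from 203.0.113.5 port 22011 ssh2
Mar 30 02:20:05 srv1 sshd[4103]: Failed password for invalid user oracle from 203.0.113.5 port 22015 ssh2
Mar 30 02:31:40 srv1 sshd[4200]: Failed password for ciro from 192.0.2.10 port 40012 ssh2
Mar 30 02:31:47 srv1 sshd[4200]: Accepted publickey for ciro from 192.0.2.10 port 40012 ssh2
EOF
}

echo "== failures by account ==";      sample_auth_log | top_accounts
echo "== failures by source ==";       sample_auth_log | top_sources
echo "== sources with 6+ failures =="; sample_auth_log | brute_force_sources 6
```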
Le mardi 01 avril 2008, à 10:44 +0200, Dominique Leuenberger a écrit :
On Tue, Apr 1, 2008 at 4:45 AM, "Ciro Iriarte" wrote:
If you have to move hardware around just to change a line in the ssh configuration, it is annoying. Regarding the regular user, as I stated before, not all servers need regular users, think about a cyrus imap black-box server... I'm just giving my impressions...
What stops you from having your own corp-wide admin user in this case? And I'd suggest to name it somewhat non-trivial already. root is most likely one of the most tried login attempts to my ssh daemon. So even though I need root rights, I would never ever allow it to log in directly via SSH.
Call me paranoid, but I prefer somebody hacking into a dummy user account and then having to break a su password in plus. And the log file of failed login attempts shows me it's not the worst thing to do... Why have them 'only' guess the password, if I can have them guess user AND password combinations? An alternative of course would be to rename root.
I agree. Allowing root login via ssh and password authentication at the same time by default sounds like a "please try some brute force attack" invitation to me :-) Vincent -- Happy people are not in a hurry.
Ciro Iriarte wrote:
Regarding the regular user, as I stated before, not all servers need regular users, think about a cyrus imap black-box server... I'm just giving my impressions...
But if policy was "no root logins via ssh", all servers _would_ need a regular user login. Having a regular user account vs. having ssh open for root login sounds quite a bit safer to me, from a probability POV. /Per Jessen, Zürich
The Sunday 2008-03-30 at 16:26 +0200, Marcus Meissner wrote:
3) disable root access. PermitRootLogin Specifies whether root can log in using ssh ==> The default is “yes”. <== Horrible!!
This would be an idea.
...
I will bring up the "PermitRootLogin: false" idea.
I think that option was changed for a few versions, time ago, and then changed back. I'm not absolutely sure, though. -- Cheers, Carlos E. R.
Per Jessen pecked at the keyboard and wrote:
Volker Kuhlmann wrote:
On Sat 29 Mar 2008 06:10:43 NZDT +1300, Per Jessen wrote:
Erm, the same thing that is better not having any remote service opened by default? The fact that it could have a vulnerability that could lead to a successful attack? Doesn't seem to have been much of a problem in the last few years, has it? Also, ssh only becomes vulnerable to an attack when you open the port in the firewall. This is the case Marcus wants to protect against. People turn off the firewall for their desktops because it blocks too much LAN functionality by default (mostly broadcasts about available services, at a guess).
If you're on a LAN, you don't really need a firewall, do you?
Not as long as your LAN is behind a reliable firewall and you trust the others on your LAN. -- Ken Schneider SuSe since Version 5.2, June 1998
The Saturday 2008-03-29 at 15:39 +0100, Per Jessen wrote:
If you're on a LAN, you don't really need a firewall, do you?
Of course we do. The worst attacks come from inside. -- Cheers, Carlos E. R.
Carlos E. R. wrote:
The Saturday 2008-03-29 at 15:39 +0100, Per Jessen wrote:
If you're on a LAN, you don't really need a firewall, do you?
Of course we do. The worst attacks come from inside.
Carlos, you're joking, right? I have zero attacks from the inside, but plenty from the outside. In the last week, just one of my systems had 126062 ssh attacks from 41 unique IPs. /Per Jessen, Zürich
On Sat, 2008-03-29 at 17:33 +0100, Per Jessen wrote:
Carlos E. R. wrote:
The Saturday 2008-03-29 at 15:39 +0100, Per Jessen wrote:
If you're on a LAN, you don't really need a firewall, do you?
Of course we do. The worst attacks come from inside.
Carlos, you're joking, right? I have zero attacks from the inside, but plenty from the outside. In the last week, just one of my systems had 126062 ssh attacks from 41 unique IPs.
/Per Jessen, Zürich
Unfortunately, he used a poor choice of words to lump two separate concepts together. Attacks are a higher risk coming from the outside. They tend to be random, looking for an open port somewhere. Internally, it's not an attack but more of a security control risk where individuals given a certain amount of leeway or authority have access to information and we don't know for sure what they're doing with that information. Two entirely different security issues. Bryen
On Sat, 2008-03-29 at 11:41 -0500, Bryen wrote:
Unfortunately, he used a poor choice of words to lump two separate concepts together. Attacks are a higher risk coming from the outside. They tend to be random, looking for an open port somewhere.
Internally, it's not an attack but more of a security control risk where individuals given a certain amount of leeway or authority have access to information and we don't know for sure what they're doing with that information.
Two entirely different security issues.
Well stated, you took the word right out of my mouse ;-)) OTOH, don't be too generous with trust. A former employer had *all* their systems open with hosts.equiv. I would suggest having iptables up and running, but generating warnings on several ports. If someone from within is trying to do funny tricks, (s)he is easily found and has to explain the purpose. People could/should be fired for such actions. hw
The Saturday 2008-03-29 at 17:33 +0100, Per Jessen wrote:
Carlos E. R. wrote:
The Saturday 2008-03-29 at 15:39 +0100, Per Jessen wrote:
If you're on a LAN, you don't really need a firewall, do you?
Of course we do. The worst attacks come from inside.
Carlos, you're joking, right? I have zero attacks from the inside, but plenty from the outside. In the last week, just one of my systems had 126062 ssh attacks from 41 unique IPs.
No, I'm not joking. It is not the same type of attack, and you may not detect it as an "attack". It is worse because they have internal knowledge. It is also worse because thinking that the internal network is safe makes people trusting, leaving the machines defenceless. And consider that if the internal network has thousands of computers, it is not easy to know everybody. Then, there is the other kind: some outside chap managed somehow to subvert an internal low-security computer, and uses it to attack other high-interest targets, from the inside. It can also be a virus: a windows machine with a virus attacking everybody in sight. Or... imagine an internal server catching a worm, and this trying to spread... There are many scenarios. -- Cheers, Carlos E. R.
Carlos E. R. wrote:
No, I'm not joking. It is not the same type of attack, and you may not detect it as "attack".
OK, I know what you're talking about, and in the context of securing sshd, no, I don't count it as an attack. /Per Jessen, Zürich
The Sunday 2008-03-30 at 14:12 +0200, Per Jessen wrote:
Carlos E. R. wrote:
No, I'm not joking. It is not the same type of attack, and you may not detect it as "attack".
OK, I know what you're talking about, and in the context of securing sshd, no, I don't count it as an attack.
My point wasn't only about sshd, but that disabling the firewall on an internal LAN is not wise, IMO, YMMV, etc. :-) -- Cheers, Carlos E. R.
On Sun 30 Mar 2008 03:39:11 NZDT +1300, Per Jessen wrote:
If you're on a LAN, you don't really need a firewall, do you?
You're doing my trick: post well after bedtime.
I don't use the openSUSE firewall
That's where your problem starts getting big quickly.
, but setting up a rate-check is only 3 iptables entries.
iptables -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack --update --seconds 60 --hitcount 6 -j LOG --log-prefix 'SSH attack: '
iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack --update --seconds 60 --hitcount 6 -j REJECT
You can't be seriously suggesting a non-tech user of opensuse employ this method. I am somewhat technically capable, but not stupid enough to roll my own iptables when SuSEfirewall2 does the trick (and with yast support and very good system integration), so the above will have to be integrated. I would like to suggest that rate limiting like the above be added to SuSEfirewall2 though and enabled by default with home-user / desktop-suitable limits. On all services which are liable to a bruteforce attack. In my earlier post suggesting the use of ssh rate limiting I was thinking of doing this by changing sshd_config. Volker -- Volker Kuhlmann is list0570 with the domain in header http://volker.dnsalias.net/ Please do not CC list postings to me.
On Sun, Mar 30, 2008 at 11:09:14AM +1300, Volker Kuhlmann wrote:
On Sun 30 Mar 2008 03:39:11 NZDT +1300, Per Jessen wrote:
If you're on a LAN, you don't really need a firewall, do you?
You're doing my trick: post well after bedtime.
I don't use the openSUSE firewall
That's where your problem starts getting big quickly.
, but setting up a rate-check is only 3 iptables entries.
iptables -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack --update --seconds 60 --hitcount 6 -j LOG --log-prefix 'SSH attack: '
iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack --update --seconds 60 --hitcount 6 -j REJECT
You can't be seriously suggesting a non-tech user of opensuse employ this method. I am somewhat technically capable, but not stupid enough to roll my own iptables when SuSEfirewall2 does the trick (and with yast support and very good system integration), so the above will have to be integrated.
I would like to suggest that rate limiting like the above be added to SuSEfirewall2 though and enabled by default with home-user / desktop-suitable limits. On all services which are liable to a bruteforce attack.
Rate limiting can be set in SUSEfirewall2. Default enabling it ... well, again triggers problems, because people might fall into this trap due to legit use. Ciao, Marcus
Marcus Meissner wrote:
I would like to suggest that rate limiting like the above be added to SuSEfirewall2 though and enabled by default with home-user / desktop-suitable limits. On all services which are liable to a bruteforce attack.
Rate limiting can be set in SUSEfirewall2.
Default enabling it ... well, again triggers problems, because people might fall into this trap due to legit use.
So which is best -
default rate-limits against brute force attacks on an open sshd which could just conceivably cause a problem for someone who cannot remember his/her password.
sshd disabled by default, preventing anyone access, regardless of whether they can remember their password or not.
And all of this only takes effect when the firewall has been shut down anyway. Purely my opinion - trying to protect people who have shut down the firewall even when exposed to an insecure environment is pointless. I am all for giving newbies a "safer ride", but to achieve that, we need a "Windows-mode" tick-box during installation. With a more palatable text of course. /Per Jessen, Zürich
Everybody is wrong and Per Jessen is right. End of discussion.
*sigh*
On Sun, Mar 30, 2008 at 2:53 PM, Per Jessen
Marcus Meissner wrote:
I would like to suggest that rate limiting like the above be added to SuSEfirewall2 though and enabled by default with home-user / desktop-suitable limits. On all services which are liable to a bruteforce attack.
Rate limiting can be set in SUSEfirewall2.
Default enabling it ... well, again triggers problems, because people might fall into this trap due to legit use.
So which is best -
default rate-limits against brute force attacks on an open sshd which could just conceivably cause a problem for someone who cannot remember his/her password.
sshd disabled by default, preventing anyone access, regardless of whether they can remember their password or not.
And all of this only takes effect when the firewall has been shut down anyway.
Purely my opinion - trying to protect people who have shut down the firewall even when exposed to an insecure environment is pointless.
I am all for giving newbies a "safer ride", but to achieve that, we need a "Windows-mode" tick-box during installation. With a more palatable text of course.
/Per Jessen, Zürich
The Sunday 2008-03-30 at 11:09 +1300, Volker Kuhlmann wrote:
I would like to suggest that rate limiting like the above be added to SuSEfirewall2 though
Have a look at "FW_SERVICES_ACCEPT_EXT". What is not documented, though, is that the above setting has no effect if you also use "FW_SERVICES_EXT_TCP". -- Cheers, Carlos E. R.
Volker Kuhlmann wrote:
On Sun 30 Mar 2008 03:39:11 NZDT +1300, Per Jessen wrote:
If you're on a LAN, you don't really need a firewall, do you?
You're doing my trick: post well after bedtime.
Hehe, you're right.
I don't use the openSUSE firewall
That's where your problem starts getting big quickly.
Not at all. I've had my own firewall setup from way before one was introduced into SUSE Linux, and I saw/see no reason why I should switch.
, but setting up a rate-check is only 3 iptables entries.
    # remember every new connection attempt (SYN) to port 22, per source address
    iptables -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
    # six or more SYNs from the same source within 60 seconds: log it ...
    iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack --update --seconds 60 --hitcount 6 -j LOG --log-prefix 'SSH attack: '
    # ... and reject the connection
    iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack --update --seconds 60 --hitcount 6 -j REJECT
You can't seriously be suggesting a non-tech user of openSUSE employ this method. I am somewhat technically capable, but not stupid enough to roll my own iptables when SuSEfirewall2 does the trick (and with YaST support and very good system integration), so the above will have to be integrated.
Yes, that is exactly what I am suggesting. /Per Jessen, Zürich
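The three-rule check quoted above, replayed in a small simulation. This is an added example, not code from the thread, from SuSEfirewall2 or from the kernel: it models the xt_recent match as I understand it (assumptions: --set records a timestamp on every packet, --update records one only when its --seconds/--hitcount test matches, and at most ip_pkt_list_tot = 20 stamps are kept per address, the module's default) and feeds constructed SYN timelines through it, so that the trap Per describes, a legitimate burst of connections being rejected, is visible:

```python
"""Replay of the three-rule `-m recent` SSH rate check on constructed SYN
timelines.  Added example; the xt_recent semantics below are my reading
of the module (--set always records a stamp, --update records one only
on a match, at most STAMP_CAP stamps per address), not kernel code."""
from collections import defaultdict, deque

SECONDS = 60       # --seconds 60
HITCOUNT = 6       # --hitcount 6
STAMP_CAP = 20     # kernel default for the ip_pkt_list_tot module parameter


class RecentList:
    """One named `-m recent` list: source address -> recent packet timestamps."""

    def __init__(self, cap=STAMP_CAP):
        self.cap = cap
        self.stamps = defaultdict(deque)

    def _record(self, src, now):
        q = self.stamps[src]
        q.append(now)
        if len(q) > self.cap:         # only the newest `cap` stamps survive
            q.popleft()

    def set(self, src, now):
        """--set: always matches and records this packet's timestamp."""
        self._record(src, now)
        return True

    def update(self, src, now, seconds=SECONDS, hitcount=HITCOUNT):
        """--update --seconds N --hitcount H: match when at least H stamps
        fall inside the last N seconds.  A match records this packet too,
        so a blocked source that keeps retrying keeps extending its own
        block; it has to go quiet for the full window to get out."""
        if src not in self.stamps:
            return False
        cutoff = now - seconds
        hits = sum(1 for t in self.stamps[src] if t >= cutoff)
        if hits >= hitcount:
            self._record(src, now)
            return True
        return False


def run_chain(events):
    """Feed (timestamp, source) SYNs through the three rules in order and
    return one verdict per SYN.  LOG is non-terminating, so rule 3 is
    evaluated whether or not rule 2 matched."""
    recent = RecentList()
    verdicts = []
    for now, src in events:
        recent.set(src, now)                     # rule 1: --set
        recent.update(src, now)                  # rule 2: -j LOG
        if recent.update(src, now):              # rule 3: -j REJECT
            verdicts.append("REJECT")
        else:
            verdicts.append("ACCEPT")            # falls through to later rules
    return verdicts


def scenarios():
    """Constructed traffic; each tuple is (seconds since start, source address)."""
    scanner = [(t, "203.0.113.7") for t in range(10)]                # one SYN per second
    scp_loop = [(t, "192.0.2.10") for t in (0, 3, 6, 9, 12, 15)]     # `for f in ...; do scp ...`
    paced = [(t, "192.0.2.11") for t in (0, 15, 30, 45, 60, 75)]     # same count, spread out
    return {
        "scanner": run_chain(scanner),
        "scp_loop": run_chain(scp_loop),
        "paced": run_chain(paced),
    }


if __name__ == "__main__":
    for name, verdicts in scenarios().items():
        print(f"{name:9s} {' '.join(v[0] for v in verdicts)}")
```

The scanner loses its sixth and every later SYN, which is the intended effect, but the shell loop copying six files with separate scp invocations inside 15 seconds loses its sixth one just the same: the match only sees SYNs per source address, not passwords or users, so a NATed office behind one address shares a single budget of five connections per minute. Note also what the rule does not do: each accepted connection still allows several password guesses (OpenSSH's MaxAuthTries defaults to 6), so this slows a brute-force attempt down rather than stopping it, and a weak password remains the real problem.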
Volker Kuhlmann wrote:
On Sat 29 Mar 2008 06:10:43 NZDT +1300, Per Jessen wrote:
Erm, the same thing that is better not having any remote service opened by default? The fact that it could have a vulnerability that could lead to a successful attack?
Doesn't seem to have been much of a problem in the last few years, has it? Also, ssh only becomes vulnerable to an attack when you open the port in the firewall.
This is the case Markus wants to protect against. People turn off the firewall for their desktops because it blocks too much LAN functionality by default (mostly broadcasts about available services, at a guess). With the default setting of password-login and the weak passwords on desktops sshd becomes a BIG HOLE(TM) very quickly, and nothing to do with coding errors.
I should think to improve the firewall first, then. Every firewall can be set to use a LAN, just this one cannot. Why don't you look at a 'real' firewall, like Norton's Sygate, to see how it is done? And as I stated in an earlier mail: when I disable the firewall during the install, ssh closes. Maybe you connect the same behaviour when a firewall gets disabled at any other time, and make this visible. Try it yourself and see.
Even then there is probably still a rate-check to stop brute force attacks.
Not by default (though there should be), you'll have to go out of your way to configure that. Someone who doesn't use sshd won't be doing that.
Volker
-- Enjoy your time around, Oddball (Now or never...) Besturingssysteem: Linux 2.6.25-rc5-git2-5-default x86_64 Current user: oddball@AMD64x2-sfn1 System: openSUSE 11.0 (x86_64) Alpha3 KDE: 4.00.66 (KDE 4.0.66 >= 20080313) "release 6.1"
On Friday 28 March 2008, at 15:56 +0100, Peter Czanik wrote:
Hello,
Per Jessen wrote:
Then don't install sshd at all. Make it part of a "mostly-server" pattern which isn't selected if people select "most-desktop" mode. Well, I'm writing this from my 'mostly-desktop' machine, still I find sshd essential in my daily routine. Practical example: scp the content of /var/log/YaST2 during installation to my desktop, so I can upload logs with a bugreport. So, even if is not enabled by default, it should be easy to enable it, without going through a detailed package selection.
I don't think this use case is a good example of why sshd is important to most users of a 'mostly-desktop' machine. Do you know many people who often install their desktop and need to copy the logs from the installation to somewhere else? I use sshd daily too, but I know how to enable it if I need it. People who don't use sshd also don't know how to disable it... And I'd tend to agree that most desktop users don't need sshd. So it makes sense to me to disable it for desktop installs. Vincent -- Les gens heureux ne sont pas pressés.
On Friday 28 March 2008, Vincent Untz wrote:
And I'd tend to agree that most desktop users don't need sshd. So it makes sense to me to disable it for desktop installs.
What is also important IMO is to be able to install and run sshd easily. If you are offering support to someone, sometimes there is a need to log in remotely. If sshd is not installed by default, you need to give instructions how to do it. The easier those instructions are, the better. Probably zypper install sshd rcsshd start would be the best, but it means the sshd port needs to be opened by default in the firewall. Andras -- Quanta Plus developer - http://quanta.kdewebdev.org K Desktop Environment - http://www.kde.org
What is also important IMO is to be able to install and run sshd easily. If you are offering support to someone, sometimes there is a need to log in remotely. If sshd is not installed by default, you need to give
The openssh rpm would still be installed by default, because the same rpm provides the ssh server and client; the only thing is that the server would be turned off. It's a tiny package, only 685KB for i586. Marcio
Peter Czanik wrote:
Hello,
Per Jessen wrote:
Then don't install sshd at all. Make it part of a "mostly-server" pattern which isn't selected if people select "most-desktop" mode. Well, I'm writing this from my 'mostly-desktop' machine, still I find sshd essential in my daily routine. Practical example: scp the content of /var/log/YaST2 during installation to my desktop, so I can upload logs with a bugreport. So, even if is not enabled by default, it should be easy to enable it, without going through a detailed package selection. CzP
It's very much used by me, build an app for one and scp it to the other boxes and also to allow working on any box from the one keyboard and screen. I also use it for the above mentioned bug reports. I'd like to see it kept in and to be usable with firewall enabled. Regards Sid. -- Sid Boyce ... Hamradio License G3VBV, Licensed Private Pilot Emeritus IBM/Amdahl Mainframes and Sun/Fujitsu Servers Tech Support Specialist, Cricket Coach Microsoft Windows Free Zone - Linux used for all Computing Tasks
Marcus Meissner wrote:
Hi,
We are thinking about disabling the ssh daemon by default.
Reason is that most desktop users do not use it at all and it is just taking away memory for those, and also presenting an attack surface once the firewall is disabled.
Also it is blocked by the firewall from remote by default.
Reenabling it would be as simple as:
insserv sshd rcsshd start
We are still undecided whether to do so or not.
What about: enable for ssh / vnc / serial line install, disable for local install? Michal
Marcus Meissner wrote:
We are thinking about disabling the ssh daemon by default. [...] Reenabling it would be as simple as:
insserv sshd rcsshd start
If there is an easier solution for reenabling it, e.g. a good visible button in YaST at installation time (!), then I don't see any arguments against. I'm using often sshd in my daily work on my workstation. Regards, Klaus. -- Klaus Singvogel - Maxfeldstr. 5 - 90409 Nuernberg - Germany Phone: +49-911-74053-0 GnuPG-Key-ID: 1024R/5068792D 1994-06-27 SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
On Fri, Mar 28, 2008 at 12:19 PM, Klaus Singvogel
Marcus Meissner wrote:
We are thinking about disabling the ssh daemon by default. [...]
Good idea. Just don't start ssh when the port is open in the firewall, as suggested. Some people run other stuff at port 22. Best regards Marcio
On Fri, 2008-03-28 at 16:19 +0100, Klaus Singvogel wrote:
If there is an easier solution for reenabling it, e.g. a good visible button in YaST at installation time (!), then I don't see any arguments against.
I'm using often sshd in my daily work on my workstation.
Regards, Klaus.
+1 If ssh is to be removed as "default enabled" then an easy one-step install and configure option is needed in the network services section of the install. My network here relies totally on ssh for login, backups, file copy etc., both on servers and workstations. One reason for this reliance on ssh was because openSUSE had it already to go. No additional packages to install, no mucking around with configurations, it was just there and worked. However I do change the default port on all machines so the firewall in my case needs to be modified anyway. But I usually do the mods to the ssh config and firewall over ssh before restarting the service and logging in again :-) Jim -- Jim Pye PyeNet Universal
On Friday 28 March 2008 16:19:28 Klaus Singvogel wrote:
Marcus Meissner wrote:
We are thinking about disabling the ssh daemon by default.
[...]
Reenabling it would be as simple as:
insserv sshd rcsshd start
If there is an easier solution for reenabling it, e.g. a good visible button in YaST at installation time (!), then I don't see any arguments against.
The only issue I see is I cannot see a place where the button would fit naturally. Any suggestions? Stano
On Mon, 2008-03-31 at 15:40 +0200, Stanislav Visnovsky wrote:
The only issue I see is I cannot see a place where the button would fit naturally. Any suggestions? Stano
To me it would be sensible to have the option for turning ssh on or off on the screen that allows enabling/disabling network services, things like Firewall, IPv4/IPv6, Network card configuration, VNC etc. Have not had a chance to look at 11 alphas yet so not sure what this screen looks like now. But my basic feeling is to have all the software installed/configured and the option on this screen either turns the loading of the init script for sshd on or off as per Marcus' comment. Jim -- Jim Pye PyeNet Universal
On Tue 01 Apr 2008 02:40:15 NZDT +1300, Stanislav Visnovsky wrote:
If there is an easier solution for reenabling it, e.g. a good visible button in YaST at installation time (!), then I don't see any arguments against.
The only issue I see is I cannot see a place where the button would fit naturally. Any suggestions?
In the network config/services summary, there are underlined "links" already for en/disable ssh firewall port, ipv6 etc - add it there and set the default for ssh to disable, so one has to deliberately click on "enable". An easy way to enable it after installation by someone who we talk to over the phone would be really good too ;) Volker -- Volker Kuhlmann is list0570 with the domain in header http://volker.dnsalias.net/ Please do not CC list postings to me.
On Tuesday 01 April 2008 Volker Kuhlmann wrote:
On Tue 01 Apr 2008 02:40:15 NZDT +1300, Stanislav Visnovsky wrote:
If there is an easier solution for reenabling it, e.g. a good visible button in YaST at installation time (!), then I don't see any arguments against.
The only issue I see is I cannot see a place where the button would fit naturally. Any suggestions?
In the network config/services summary, there are underlined "links" already for en/disable ssh firewall port, ipv6 etc - add it there and set the default for ssh to disable, so one has to deliberately click on "enable".
That page only exists in expert mode.
An easy way to enable it after installation by someone who we talk to over the phone would be really good too ;)
easy as "zypper in openssh-server"? Greetings, Stephan -- SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nürnberg)
The Tuesday 2008-04-01 at 14:12 +0200, Stephan Kulow wrote:
An easy way to enable it after installation by someone who we talk to over the phone would be really good too ;)
easy as "zypper in openssh-server"?
That means it would not be installed by default. It should be installed by default, but just not enabled. Otherwise, people might install telnetd, old style. And should be easy as in "click here". Command line is "chkconfig sshd on". -- Cheers, Carlos E. R.
On Tuesday 01 April 2008 Carlos E. R. wrote:
The Tuesday 2008-04-01 at 14:12 +0200, Stephan Kulow wrote:
An easy way to enable it after installation by someone who we talk to over the phone would be really good too ;)
easy as "zypper in openssh-server"?
That means it would not be installed by default. It should be installed by default, but just not enabled. Otherwise, people might install telnetd, old style.
Well, stupid people do stupid things all day long. Why limit them? Greetings, Stephan -- SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nürnberg)
The Tuesday 2008-04-01 at 15:28 +0200, Stephan Kulow wrote:
That means it would not be installed by default. It should be installed by default, but just not enabled. Otherwise, people might install telnetd, old style.
Well, stupid people do stupid things all day long. Why limit them?
X'-) Hey, I learned about ssh when I noticed that telnet was no longer installed. I confess to that. Anybody else dares a "me too", or do we have to search the archives for the "where is telnet" questions? ;-) More seriously, it should be installed by default. If you are in a pinch, having to install it might be not a nuisance, but a big problem. Suppose, for instance, that the problem you need to solve for which you need to access the machine is that YaST and zypper do not work. I don't think the size of the binary is that important. -- Cheers, Carlos E. R.
On Tuesday 01 April 2008 Carlos E. R. wrote:
More seriously, it should be installed by default. If you are in a pinch, having to install it might be not a nuisance, but a big problem. Suppose, for instance, that the problem you need to solve for which you need to access the machine is that YaST and zypper do not work.
rpm -ivh http://download.../openssh-server.rpm will do too.
I don't think the size of the binary is that important.
No, but
a) "zypper in" is about the easiest
b) we could enable the server automatically by means of selecting a "network admin" or "experienced user" pattern
Greetings, Stephan -- SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nürnberg)
The Tuesday 2008-04-01 at 16:17 +0200, Stephan Kulow wrote:
On Tuesday 01 April 2008 Carlos E. R. wrote:
More seriously, it should be installed by default. If you are in a pinch, having to install it might be not a nuisance, but a big problem. Suppose, for instance, that the problem you need to solve for which you need to access the machine is that YaST and zypper do not work.
rpm -ivh http://download.../openssh-server.rpm will do too.
Have you tried that over the phone with a dumb user? ;-)
I don't think the size of the binary is that important.
No, but a) "zypper in" is about the easiest
First open a terminal... then type "su -"... and then you have a frightened user at the other side of the phone.
b) we could enable server automatically by means of selecting "network admin" or "experienced user" pattern
Mmm... :-? -- Cheers, Carlos E. R.
Stephan Kulow wrote:
Well, stupid people do stupid things all day long. Why limit them?
Exactly - which is why we should leave the sshd default startup as it is. /Per Jessen, Zürich
The Wednesday 2008-04-02 at 01:00 +1300, Volker Kuhlmann wrote:
The only issue I see is I cannot see a place where the button would fit naturally. Any suggestions?
In the network config/services summary, there are underlined "links" already for en/disable ssh firewall port, ipv6 etc - add it there and set the default for ssh to disable, so one has to deliberately click on "enable".
Good enough.
An easy way to enable it after installation by someone who we talk to over the phone would be really good too ;)
+1 -- Cheers, Carlos E. R.
Volker Kuhlmann wrote:
On Tue 01 Apr 2008 02:40:15 NZDT +1300, Stanislav Visnovsky wrote:
The only issue I see is I cannot see a place where the button would fit naturally. Any suggestions?
In the network config/services summary, there are underlined "links" already for en/disable ssh firewall port, ipv6 etc - add it there and set the default for ssh to disable, so one has to deliberately click on "enable".
+1 /Per Jessen, Zürich
Reenabling it would be as simple as:
insserv sshd rcsshd start
We also have a YaST module. It was pretty rough in 10.3, but I know someone was working on it. Maybe it's the case to consider installing it by default if you decide to disable SSH. Just an idea. Regards, Alberto
On Sat 29 Mar 2008 03:28:59 NZDT +1300, Marcus Meissner wrote:
We are thinking about disabling the ssh daemon by default.
Reason is that most desktop users do not use it at all and it is just taking away memory for those, and also presenting an attack surface once the firewall is disabled.
Good move. People who don't know what ssh is don't need the exposure risk. I'm not sure that saving the memory is a good argument, but why run something that isn't used. The security risk is the strongest argument.
Reenabling it would be as simple as:
And should be as simple as ticking "enable sshd" and "open port in firewall" during installation, at about the same place where "enable firewall port" is now. Even for desktops ssh is always needed for me, whether for copying files (scp, rsync) or (LAN-)remote anything. It's probably still safer to enable ssh than any of the other remote access protocols, so it should be easily available. I disagree with not installing it to save a few bytes of disk space. Volker -- Volker Kuhlmann is list0570 with the domain in header http://volker.dnsalias.net/ Please do not CC list postings to me.
Akin to today's topic of disabling network services when not needed, I'd like to suggest to also cripple the MTA when full functionality is not explicitly needed. The local MTA should by default be listening on localhost:25 only, and not on everything:25. I also think that the local MTA by default should only accept msgs for delivery which are addressed to anyone@localhost, and reject anything addressed to the rest of the world. I tried to persuade postfix on 10.2 to do this and found that it's only possible with a bad kludge. Postfix would accept anything (from localhost) and then not be able to deal with msgs it wasn't supposed to deliver (or something like that). Most email clients work directly with the ISP's (or LAN's) relay host, so a full-fledged local MTA is not needed. At least Debian has done default installs like this for some time now (with exim though). Volker -- Volker Kuhlmann is list0570 with the domain in header http://volker.dnsalias.net/ Please do not CC list postings to me.
The Saturday 2008-03-29 at 09:18 +1300, Volker Kuhlmann wrote:
Akin to today's topic of disabling network services when not needed, I'd like to suggest to also cripple the MTA when full functionality is not explicitly needed.
The local MTA should by default be listening on localhost:25 only, and not on everything:25.
I also think that the local MTA by default should only accept msgs for delivery which are addressed to anyone@localhost, and reject anything addressed to the rest of the world. I tried to persuade postfix on 10.2 to do this and found that it's only possible with a bad kludge. Postfix would accept anything (from localhost) and then not be able to deal with msgs it wasn't supposed to deliver (or something like that). Most email clients work directly with the ISP's (or LAN's) relay host, so a full-fledged local MTA is not needed. At least Debian has done default installs like this for some time now (with exim though).
I believe some mail clients expect a functional local MTA. Pine, for instance. -- Cheers, Carlos E. R.
On Sat 29 Mar 2008 14:40:38 NZDT +1300, Carlos E. R. wrote:
I believe some mail clients expect a functional local mta. Pine, for instance.
And mutt. But how many people do you know who use either of those and who would be incapable of switching the MTA from "local-only" to "full"? Volker -- Volker Kuhlmann is list0570 with the domain in header http://volker.dnsalias.net/ Please do not CC list postings to me.
Volker Kuhlmann wrote:
On Sat 29 Mar 2008 14:40:38 NZDT +1300, Carlos E. R. wrote:
I believe some mail clients expect a functional local mta. Pine, for instance.
And mutt. But how many people do you know who use either of those and who would be incapable of switching the MTA from "local-only" to "full"?
I'm wondering about that discussion. Postfix as it is preconfigured with openSUSE (since some versions already) is only listening on the local loopback interface if the config is not changed.
    grep ^inet_interfaces /etc/postfix/main.cf
    inet_interfaces = localhost
Wolfgang
On Sat 29 Mar 2008 19:58:12 NZDT +1300, Wolfgang Rosenauer wrote:
I'm wondering about that discussion. Postfix as it is preconfigured with openSUSE (since some versions already) is only listening on the local loopback interface if the config is not changed.
Meaning it is accepting msgs for delivery only from localhost, but it will deliver them worldwide. I think the default should be that it accepts for delivery only msgs which are sent to localhost. Volker -- Volker Kuhlmann is list0570 with the domain in header http://volker.dnsalias.net/ Please do not CC list postings to me.
The Saturday 2008-03-29 at 20:34 +1300, Volker Kuhlmann wrote:
On Sat 29 Mar 2008 19:58:12 NZDT +1300, Wolfgang Rosenauer wrote:
I'm wondering about that discussion. Postfix as it is preconfigured with openSUSE (since some versions already) is only listening on the local loopback interface if the config is not changed.
Meaning it is accepting msgs for delivery only from localhost, but it will deliver them worldwide. I think the default should be that it accepts for delivery only msgs which are sent to localhost.
Ok, but, is that dangerous? :-? I don't think the hack is easy, postfix is designed to send worldwide. The danger I see is that mail will be usually rejected. Or if the user is a spammer, but then the configuration will not be a problem for him - but they don't use linux, I think, or techniques like temporarily rejecting emails with try later would fail. -- Cheers, Carlos E. R.
Carlos E. R. wrote:
Meaning it is accepting msgs for delivery only from localhost, but it will deliver them worldwide. I think the default should be that it accepts for delivery only msgs which are sent to localhost.
Ok, but, is that dangerous? :-?
I don't think the hack is easy, postfix is designed to send worldwide.
It's only a matter of adding a single character in master.cf. Comment out the smtp client. /Per Jessen, Zürich
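The two checks this sub-thread turns on, Wolfgang's inet_interfaces grep and Per's commented-out smtp client in master.cf, as a small configuration audit. This is an added example and not code from the thread, from openSUSE or from Postfix; it parses main.cf and master.cf text (the file format is Postfix's own, the excerpts below are constructed for the example) and reports whether smtpd is reachable beyond loopback and whether the MTA can still deliver to remote hosts, and it applies Per's fix mechanically so the result can be checked:

```python
"""Audit a Postfix configuration for the local-only posture discussed in
the thread.  Added example; the config excerpts at the bottom are
constructed, not copied from any openSUSE release."""
import re

# inet_interfaces spellings that bind the listener to loopback only
LOOPBACK_VALUES = {"localhost", "loopback-only", "127.0.0.1", "::1", "[::1]"}


def parse_main_cf(text):
    """Return {parameter: value} from main.cf.  '#' lines are comments and a
    line starting with whitespace continues the previous parameter's value."""
    params = {}
    key = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and key is not None:
            params[key] += " " + raw.strip()
            continue
        name, _, value = raw.partition("=")
        key = name.strip()
        params[key] = value.strip()
    return params


def parse_master_cf(text):
    """Return the active master.cf services as dicts with the service name,
    its type (inet/unix/fifo/pass) and the command it runs (8th column)."""
    services = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or raw[0] in " \t":
            continue                  # blank, comment, or a '-o' continuation line
        fields = line.split()
        if len(fields) < 8:
            continue
        services.append({"service": fields[0], "type": fields[1], "command": fields[7]})
    return services


def listens_beyond_loopback(main_cf):
    """True unless every inet_interfaces entry is a loopback form.  Postfix's
    own default is 'all', so a missing parameter counts as exposed."""
    value = main_cf.get("inet_interfaces", "all")
    tokens = [t.lower() for t in re.split(r"[,\s]+", value) if t]
    return any(t not in LOOPBACK_VALUES for t in tokens)


def outbound_smtp_enabled(services):
    """True if an active unix-domain service runs the smtp client, i.e. the
    queue manager still has a transport that can reach remote hosts."""
    return any(s["type"] == "unix" and s["command"] == "smtp" for s in services)


def disable_outbound(master_cf_text):
    """Per's fix applied mechanically: comment out every unix service whose
    command is smtp, together with its '-o' continuation lines."""
    out, disabling = [], False
    for raw in master_cf_text.splitlines():
        if raw[:1] in (" ", "\t"):
            out.append("#" + raw if disabling else raw)
            continue
        fields = raw.split()
        disabling = (len(fields) >= 8 and not raw.startswith("#")
                     and fields[1] == "unix" and fields[7] == "smtp")
        out.append("#" + raw if disabling else raw)
    return "\n".join(out) + "\n"


def audit(main_cf_text, master_cf_text):
    """Both findings for one pair of files."""
    return {
        "listens_beyond_loopback": listens_beyond_loopback(parse_main_cf(main_cf_text)),
        "outbound_smtp_enabled": outbound_smtp_enabled(parse_master_cf(master_cf_text)),
    }


# Constructed excerpts in the shape of a desktop install's files.
MAIN_CF = """\
# main.cf excerpt (constructed)
myhostname = desktop.example.invalid
inet_interfaces = localhost
mynetworks_style = subnet
"""

MASTER_CF = """\
# master.cf excerpt (constructed); real files list many more services
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       n       -       -       smtpd
pickup    unix  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
\t-o smtp_fallback_relay=
local     unix  -       n       n       -       -       local
"""

if __name__ == "__main__":
    print("as shipped: ", audit(MAIN_CF, MASTER_CF))
    print("client off: ", audit(MAIN_CF, disable_outbound(MASTER_CF)))
```

With inet_interfaces = localhost the first finding is already clean, which is Wolfgang's point; the second is what Volker is after. Commenting out the smtp client (and the relay transport, which runs the same program) means mail for remote domains is still accepted from localhost but sits in the deferred queue until maximal_queue_lifetime expires and it bounces, so a user of pine or mutt will see the failure late rather than immediately. If a hard failure is preferred, Postfix's error delivery agent can be set as the default transport in main.cf instead, which rejects remote destinations at queue time; either way the fix is a one-line configuration change, not a Postfix patch.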
The Friday 2008-03-28 at 15:28 +0100, Marcus Meissner wrote:
Hi,
We are thinking about disabling the ssh daemon by default.
Reason is that most desktop users do not use it at all and it is just taking away memory for those, and also presenting an attack surface once the firewall is disabled.
Also it is blocked by the firewall from remote by default.
Reenabling it would be as simple as:
insserv sshd rcsshd start
We are still undecided whether to do so or not.
Well... it would be ok to disable, as long as you provide a "one click enable" that can be explained over the phone to someone whom you are supporting ;-) Another desktop use scenario: the desktop machine hangs, then we try logging in from a nearby desktop machine to try to unlock it. Then you discover that ssh is not enabled... -- Cheers, Carlos E. R.
I vote for: disable but installed
On Fri, Mar 28, 2008 at 4:28 PM, Marcus Meissner
Hi,
We are thinking about disabling the ssh daemon by default.
Reason is that most desktop users do not use it at all and it is just taking away memory for those, and also presenting an attack surface once the firewall is disabled.
Also it is blocked by the firewall from remote by default.
Reenabling it would be as simple as:
insserv sshd rcsshd start
We are still undecided whether to do so or not.
Ciao, Marcus -- Working, but not speaking, for the following german company: SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
-- Andy http://blog.sartek.net
On Saturday, 29 March 2008, Andras Barna wrote:
I vote for: disable but installed
It would be much easier if we enabled it by "zypper in sshd" and it's default if installed. Greetings, Stephan
The Saturday 2008-03-29 at 07:53 +0100, Stephan Kulow wrote:
On Saturday, 29 March 2008, Andras Barna wrote:
I vote for: disable but installed
It would be much easier if we enabled it by "zypper in sshd" and it's default if installed.
The possibility of not having it installed by default would be a pain in the backside for remote maintenance and support.
--
Cheers, Carlos E. R.
Carlos E. R. wrote:
The Saturday 2008-03-29 at 07:53 +0100, Stephan Kulow wrote:
On Saturday, 29 March 2008, Andras Barna wrote:
I vote for: disable but installed
...
The possibility of not having it installed by default would be a pain in the backside for remote maintenance and support.
+1 If you must disable it by default (and even after following this thread, I really can't think of a reason to do so, since the firewall defaults to On) please at least make sure it's installed, along with the client. -- Cheers Richard (MQ)
participants (26)
- Alberto Passalacqua
- Andras Barna
- Andras Mantia
- Arvin Schnell
- Bryen
- Carlos E. R.
- Ciro Iriarte
- Dominique Leuenberger
- Druid
- Eberhard Moenkeberg
- Hans Witvliet
- Jim Pye
- Ken Schneider
- Klaus Singvogel
- Marcus Meissner
- Michal Marek
- Oddball
- Per Jessen
- Peter Czanik
- Richard (MQ)
- Sid Boyce
- Stanislav Visnovsky
- Stephan Kulow
- Vincent Untz
- Volker Kuhlmann
- Wolfgang Rosenauer