Arvin Schnell wrote:

On Fri, Mar 28, 2008 at 03:28:59PM +0100, Marcus Meissner wrote:

...

Hi,

We are thinking about disabling the ssh daemon by default.

Reason is that it most desktop users do not use it all and it is just taking away memory for those, and also presenting an attack surface once the firewall is disabled.

Why not combine it with the firewall setting?

IIRC there is already the option to open the SSH port in the network setup during installation so simply start sshd when the port is opened there.

+1 Users who use ssh will in general know about the firewall etc. too, others probably shouldn't have it enabled. Having said that - surely the memory footprint must be fairly small, and ssh security bugs are fairly rare ! ;-)

Or make an extra item in the network setup for SSH just like for VNC (or combine those two).

Combining them makes sense - my argument above applies here too. --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org

Per Jessen wrote:

Richard (MQ) wrote:

...

Having said that - surely the memory footprint must be fairly small, and ssh security bugs are fairly rare ! ;-)

An open sshd behind an open firewall will be under brute force attack in about 23 milliseconds after going on-line :-)

/Per Jessen, Zürich

That's for certain. I had one occasion when I went to a relative's home armed with CD's to get his box up to date, only to find I didn't have everything with me, so on the next occasion, I enabled the ssh port on my smoothwall box so I could get to the stuff remotely. A few days later I remembered it was open and there were numerous attempts at a break in, all failed. It still has it's uses, alternatively there is openVPN which I haven't looked at in a while. The last time I just couldn't get it configured to work to a friend's box, whereas Cisco VPN client was a success for getting into our corporate systems working from home or dialling in via a private ISP from customer sites. Regards Sid. -- Sid Boyce ... Hamradio License G3VBV, Licensed Private Pilot Emeritus IBM/Amdahl Mainframes and Sun/Fujitsu Servers Tech Support Specialist, Cricket Coach Microsoft Windows Free Zone - Linux used for all Computing Tasks --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org

Sid Boyce wrote:

Per Jessen wrote:

...

Richard (MQ) wrote:

...

Having said that - surely the memory footprint must be fairly small, and ssh security bugs are fairly rare ! ;-)

An open sshd behind an open firewall will be under brute force attack in about 23 milliseconds after going on-line :-)

/Per Jessen, Zürich

That's for certain. I had one occasion when I went to a relative's home armed with CD's to get his box up to date, only to find I didn't have everything with me, so on the next occasion, I enabled the ssh port on my smoothwall box so I could get to the stuff remotely. A few days later I remembered it was open and there were numerous attempts at a break in, all failed. It still has it's uses, alternatively there is openVPN which I haven't looked at in a while. The last time I just couldn't get it configured to work to a friend's box, whereas Cisco VPN client was a success for getting into our corporate systems working from home or dialling in via a private ISP from customer sites. Regards Sid.

I do accept that any port open to the external internet will be bombarded by attacks, which is why we have firewalls. My feeling is that it is verging on reckless to connect a modem directly to a workstation, that's why I too run a Smoothwall box (and very impressed with it). I know of quite a few people with poorly patched MS-lumbered PCs connected directly and yes, they often have problems. I'd even suggest that this is close to being the normal situation in the world at large, though probably not for OpenSuSE users. I don't suppose there's any survey data? Maybe a better solution is to leave it installed and enabled, but catch a user disabling the local firewall in YaST and pop up a box "are you sure you know what you're doing", maybe listing the open ports at the same time. Within small LANs it can be useful to disable it completely, but in a more public environment it's plain foolish. This one will continue to run and run I'm sure! -- Cheers Richard (MQ) --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org

Richard (MQ) schreef:

Arvin Schnell wrote:

...

On Fri, Mar 28, 2008 at 03:28:59PM +0100, Marcus Meissner wrote:

...

Hi,

We are thinking about disabling the ssh daemon by default.

Reason is that it most desktop users do not use it all and it is just taking away memory for those, and also presenting an attack surface once the firewall is disabled.

Why not combine it with the firewall setting?

IIRC there is already the option to open the SSH port in the network setup during installation so simply start sshd when the port is opened there.

+1

Users who use ssh will in general know about the firewall etc. too, others probably shouldn't have it enabled.

Having said that - surely the memory footprint must be fairly small, and ssh security bugs are fairly rare ! ;-)

...

Or make an extra item in the network setup for SSH just like for VNC (or combine those two).

Combining them makes sense - my argument above applies here too.

As i am not mistaken, this is already so. As i don't use the firewall, because my Lan is unaccessible when it is on, i turn it off when concluding the install. When i do that, ssh closes. -- Enjoy your time around, Oddball (Now or never...) Besturingssysteem: Linux 2.6.25-rc5-git2-5-default x86_64 Current user: oddball@AMD64x2-sfn1 System: openSUSE 11.0 (x86_64) Alpha3 KDE: 4.00.66 (KDE 4.0.66 >= 20080313) "release 6.1" --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org

Hello, Per Jessen írta:

Then don't install sshd at all. Make it part of a "mostly-server" pattern which isn't selected if people select "most-desktop" mode.

Well, I'm writing this from my 'mostly-desktop' machine, still I find sshd essential in my daily routine. Practical example: scp the content of /var/log/YaST2 during installation to my desktop, so I can upload logs with a bugreport. So, even if is not enabled by default, it should be easy to enable it, without going through a detailed package selection. CzP --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org

Per Jessen wrote:

Agree - but I don't see any reason for changing it at all. An unused sshd uses very little memory, and whatever it does use is very quickly swapped out.

Having thought a litle more about it, I definitely vote no - that change would have only negligible effect for desktop-only/mostly users, whereas it would only create additional work for any server-install. /Per Jessen, Zürich --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org

Druid wrote:

Having thought a litle more about it, I definitely vote yes - that change would have only negligible effect for any server-install users, whereas it would not create additional work for desktop-only/mostly newbies with a better default setting.

What exactly is "better" about not starting sshd by default? Marcus' memory argument is a non-argument IMHO. /Per Jessen, Zürich --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org

Druid wrote:

On Fri, Mar 28, 2008 at 1:37 PM, Per Jessen wrote:

...

Druid wrote:

...

Having thought a litle more about it, I definitely vote yes - that change would have only negligible effect for any server-install users, whereas it would not create additional work for desktop-only/mostly newbies with a better default setting.

What exactly is "better" about not starting sshd by default?

Erm, the same thing that is better not having any remote service opened by default? The fact that it could have a vulnerability that could lead to a successful attack?

Doesn't seem to have been much of a problem in the last few years, has it? Also, ssh only becomes vulnerable to an attack when you open the port in the firewall. Even then there is probably still a rate-check to stop brute force attacks.

Its pretty clear why not having a service running by default (specially those offering it to the outside world) is better than the opposite, if you dont see that possibly you just don't want to see.

If that argument was correct, we should let the user run the init-sequence manually.

Now you want to convince everyone that everybody ssh to their own boxes running sshd all the time,

No, I don't. I just don't think it's good idea to change the current setup when the change doesn't bring about an improvement.

and that this is the default usecase around the planet, just because you dont want to run "insserv sshd" once, and additionally its better to change the Earth's rotation instead of you typing those 13 keystrokes (including the enter) so you activate your sshd.

You're not listening. I'm NOT advocating any change. You're the one who wants a change. /Per Jessen, Zürich --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org

Druid wrote:

...

...

Now you want to convince everyone that everybody ssh to their own boxes running sshd all the time,

No, I don't. I just don't think it's good idea to change the current setup when the change doesn't bring about an improvement.

It brings an improvement, it was explained more or less 9 times in this thread.

Nobody has described any _actual_ improvements. Running sshd behind the default firewall does not make the system any less secure, and it does not waste any memory when it isn't used.

And your argument for that is that openssh doesnt have bugs, which is at least naive.

Where did I say that? Marcio, you're making things up. Thanks for the discussion. /Per Jessen, Zürich --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org

Hi, On Sat, 29 Mar 2008, Volker Kuhlmann wrote:

On Sat 29 Mar 2008 06:10:43 NZDT +1300, Per Jessen wrote:

...

...

Erm, the same thing that is better not having any remote service opened by default? The fact that it could have a vulnerability that could lead to a successful attack?

Doesn't seem to have been much of a problem in the last few years, has it? Also, ssh only becomes vulnerable to an attack when you open the port in the firewall.

This is the case Markus wants to protect against. People turn off the firewall for their desktops because it blocks too much LAN functionality by default (mostly broadcasts about available services, at a guess). With the default setting of password-login and the weak passwords on desktops sshd becomes a BIG HOLE(TM) very quickly, and nothing to do with coding errors.

No problem currently. "Initial state" is firewall enabled, ssh disabled. So simply to disable the firewall does not create a hole regarding ssh - it is even removing the field to click "enable ssh". Very very security aware already... My standard procedure is: 1. enable ssh 2. disable firewall and I won't miss this easy way.

...

Even then there is probably still a rate-check to stop brute force attacks.

Not by default (though there should be), you'll have to go out of your way to configure that. Someone who doesn't use sshd won't be doing that.

Pamshield could do it, but we have this rate-checking at the router's firewall. A good "sshd: ALL EXCEPT ..." line in /etc/hosts.deny would do it too. Viele Grüße Eberhard Mönkeberg (emoenke@gwdg.de, em@kki.org)

Volker Kuhlmann wrote:

On Sat 29 Mar 2008 06:10:43 NZDT +1300, Per Jessen wrote:

...

...

Erm, the same thing that is better not having any remote service opened by default? The fact that it could have a vulnerability that could lead to a successful attack?

Doesn't seem to have been much of a problem in the last few years, has it? Also, ssh only becomes vulnerable to an attack when you open the port in the firewall.

This is the case Markus wants to protect against. People turn off the firewall for their desktops because it blocks too much LAN functionality by default (mostly broadcasts about available services, at a guess).

If you're on a LAN, you don't really need a firewall, do you?

...

Even then there is probably still a rate-check to stop brute force attacks.

Not by default (though there should be), you'll have to go out of your way to configure that. Someone who doesn't use sshd won't be doing that.

I don't use the openSUSE firewall, but setting up a rate-check is only 3 iptables entries. iptables -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack --update --seconds 60 --hitcount 6 -j LOG --log-prefix 'SSH attack: ' iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack --update --seconds 60 --hitcount 6 -j REJECT This one rejects anyone with 6 login attempts within 60 seconds. /Per Jessen, Zürich --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org

...

If you're on a LAN, you don't really need a firewall, do you?

and an open sshd isn't really a risk on a LAN.

Hi, Thanks for your multiple inputs, but please have two things in mind: 1) Your personal experience is not exactly the common case, in which we should focus. Understand that. Try to think outside of your universe. What people want here is the common case, what would be best for the majority of the users, specially those with less linux knowledge. 2) You dont have enough imagination to think of different usecases, thats why you come saying anything is not a problem, its because you cant see the problem, its not because the problem isnt there. I will, once again, show a use case for a problem you say supposedly doesnt exist. You are in a public hotspot and then you are in a lan and another laptop could bruteforce the ssh. There you have it, a lan in which you dont trust the other peers. --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org

Ciro Iriarte wrote:

General case (given you are considering disabling sshd, not my choice): Disable it by default BUT add an option to enable it DURING installation, that way all the security hooligans will be happy, server admins will require a quick extra step and newbies will leave everything as default (as usually).

That plus the sensible default of always leaving it active when the install was done remotely. /Per Jessen, Zürich --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org

Please, do you really find it necessary to be so condescending?

Wrt understanding, I would suggest you try to understand that _you_ do not define what _we_ should focus on.

It is necessary, because you are avoiding that like a cat avoids water. Half of the emails in this thread are oppinions, which Marcus asked, the other are your emails stating wrong stuff.

...

What people want here is the common case, what would be best for the majority of the users, specially those with less linux knowledge.

Who says that? (apart from yourself).

If Marcus asked the people's oppinion about sshd being disabled by *default*, I think its pretty clear that the DEFAULT is what works for most people, and usually the DEFAULT goal is to make it better and more secure for everyone, specially those who have less linux knowledge.

...

2) You dont have enough imagination to think of different usecases, thats why you come saying anything is not a problem, its because you cant see the problem, its not because the problem isnt there.

Please don't tell what I do and do not have and can and cannot see. It's none of your business.

Sorry, I have to, you are repeatedly stating wrong information to justify your statements, and that can be misleading. Wish there was a better way... Since you will probably ask, let me put some of your wrong assumptions in here so I dont need to give another reply: - Saying there is no problem with ssh on lan, because a LAN is secure - Saying you dont need a firewall in a LAN - Saying there is no problem with sshd running because sshd is secure - Ignoring that an sshd attack doesnt need a security hole, could be ddos or brute force - Assuming there is no problem with sshd running because there will be a firewall - Ignoring its good practice to have external services enabled as a minimum - Stating that its better a newbie user to (potentially) deal with security by disabling sshd, instead of letting him not worry about and a server admin worry about enabling it if he needs to I just saw you sent a new email, so I will add another reason: - You're blaming a newbie because he doesnt know security. He is a NEWBIE, of course he doesnt know security. Thats why people desiging their stuff should think of a secure default. And just so you dont say its a random attack, I will, yet another n-th time, give a use case on why a firewall would be disable by a newbie by accident or naivety: - A newbie wants to play a game or share files with a friend in a notebook. Its well known that samba, zeroconf and some nfs setups are very firewall unfriendly, not to mention a user using network manager could have trouble while switching from a network to another (for example, at home he wants to share with a windows pc, so he disable the firewall, and then he goes to work, in a bad lan). Why blaming a newbie for being a newbie? Regards Marcio --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org

Druid wrote:

I will, once again, show a use case for a problem you say supposedly doesnt exist. You are in a public hotspot and then you are in a lan and another laptop could bruteforce the ssh. There you have it, a lan in which you dont trust the other peers.

I apologise for leaving out the word "trusted" in my earlier posting about not needing a firewall when you're on a LAN. Obviously, if your computer is connected to any kind of _untrusted_ network, you should be running a firewall. We are talking about a problem that _only_ becomes a problem after the user has _disabled_ the firewall. If you're brave or stupid enough to do that when your machine is connected to an untrusted network, you're beyond help. IMHO. /Per Jessen, Zürich --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org

On Sun, Mar 30, 2008 at 03:48:21PM +0200, Hans Witvliet wrote:

Personnally i keep sshd running, but otoh, for newby-users, like Marcus suggested, have installed, but turned off, (other daemons like telnet or ftp are not running by default either)

Another suggestion, for default sshd config 1) only enable ssh2 protocol, now both ssh1 and ssh2 are enabled. Protocol Specifies the protocol versions sshd supports. ==> The default is “2,1”. <==

This is already done for 10.3 and newer ... They only have 2 as default.

2) disable PasswordAuthentication Specifies whether password authentication is allowed. ==> The default is “yes”. <==

If you need remote access to a system, take the time to distribute a lengthy asymetric key (longer than the default), protected by long enough pass-phrase

This is not really userfriendly, so I do not think we will do this.

3) disable root access. PermitRootLogin Specifies whether root can log in using ssh ==> The default is “yes”. <== Horrible!!

This would be an idea.

4) restrict access with "AllowUsers" This keyword can be followed by a list of user name patterns, separated by spaces. If specified, login is allowed only for user names that match one of the patterns. ==> By default, login is allowed for all users. <==

Not userfriendly either.

Suggestion 1 & 3 should have little or no impact. 2) would only cause some seconds extra work for admin's...

I will bring up the "PermitRootLogin: false" idea. Ciao, Marcus --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org

On Sun, 2008-03-30 at 22:24 -0400, Ciro Iriarte wrote:

...

...

2) disable PasswordAuthentication Specifies whether password authentication is allowed. ==> The default is "yes". <==

...

If you need remote access to a system, take the time to distribute a lengthy asymetric key (longer than the default), protected by long enough pass-phrase

This is not really userfriendly, so I do not think we will do this.

I use a private key, but I second this..

Perhaps at present.... Maybe in the future, a nice and safe pair of keys can be generated automagically when creating user-accounts....

...

...

3) disable root access. PermitRootLogin Specifies whether root can log in using ssh ==> The default is "yes". <== Horrible!!

This would be an idea.

That would be annoying, I have some servers were I don't have regular users or LDAP authentication (not all of them need to in our datacenter) and with this disabled I still would need to pull a serial console from somewhere to change this and have access to the headless server even though the sshd is up and running after installation (remote installation case)

Why annoying? It only implied that for *remote* logins, you have to use a oridinary user-account, and then do a "su -" or a "sudo" Anyway, it was a suggestion for the _default_ config, People like you, who know what you're doing, can change it easily anyway they want.

...

...

4) restrict access with "AllowUsers" This keyword can be followed by a list of user name patterns, separated by spaces. If specified, login is allowed only for user names that match one of the patterns. ==> By default, login is allowed for all users. <==

Not userfriendly either.

Agreed. Easy access to remote (not local) systems and security are at opposite sides of the spectrum.

hw --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org

...

...

On Tue, Apr 1, 2008 at 4:45 AM, "Ciro Iriarte" wrote: If you have to move hardware around just to change a line in the ssh configuration, it is annoying.

Regarding the regular user, as I stated before, not all servers need regular users, think about a cyrus imap black-box server... I'm just giving my impressions...

What stops you from having your own corp wide admin user in this case? and I'd suggest to name it somewhat non trivial already. root is most likely one of the most tried login attempts to my ssh daemon. so even though I need root right, I would never ever allow it to log in directly via SSH. call me paranoid, but I prefer somebody hacking in a dummy user account and then having to break a su password in plus. And the log file of failed login attempts shows me it's not the worst to do... why have them 'only' guess the password, if I can have them guess user AND password combinations? An alternative of course would be to rename root. Dominique --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org

Ciro Iriarte wrote:

Regarding the regular user, as I stated before, not all servers need regular users, think about a cyrus imap black-box server... I'm just giving my impressions...

But if policy was "no root logins via ssh", all servers _would_ need a regular user login. Having a regular user account vs. having ssh open for root login sounds quite a bit safer to me, from a probabily pov. /Per Jessen, Zürich --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org

Per Jessen pecked at the keyboard and wrote:

Volker Kuhlmann wrote:

...

On Sat 29 Mar 2008 06:10:43 NZDT +1300, Per Jessen wrote:

...

...

Erm, the same thing that is better not having any remote service opened by default? The fact that it could have a vulnerability that could lead to a successful attack? Doesn't seem to have been much of a problem in the last few years, has it? Also, ssh only becomes vulnerable to an attack when you open the port in the firewall. This is the case Markus wants to protect against. People turn off the firewall for their desktops because it blocks too much LAN functionality by default (mostly broadcasts about available services, at a guess).

If you're on a LAN, you don't really need a firewall, do you?

Not as long as your LAN is behind a reliable firewall and you trust the others on your LAN. -- Ken Schneider SuSe since Version 5.2, June 1998 --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org

Carlos E. R. wrote:

The Saturday 2008-03-29 at 15:39 +0100, Per Jessen wrote:

...

If you're on a LAN, you don't really need a firewall, do you?

Of course we do. The worst attacks come from inside.

Carlos, you're joking, right? I have zero attacks from the inside, but plenty from the outside. In the last week, just one of my systems had 126062 ssh attacks from 41 unique IPs. /Per Jessen, Zürich --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org

On Sat, 2008-03-29 at 11:41 -0500, Bryen wrote:

Unfortunately, he used a poor choice of words to lump two separate concepts together. Attacks are a higher risk coming from the outside. They tend to be random, looking for an open port somewhere.

Internally, its not an attack but more of a security control risk where individuals given certain amount of leeway or authority have access to information and we don't know for sure what they're doing with that information.

Two entirely different security issues.

Well stated, you took the word right out of my mouse ;-)) otoh, don't be to generous woth trust. A former employer had *all* their systems open with host.equiv I would suggest to have iptables up-and-running, but to generates warnings on several ports. If someone from within is trying to do funny tricks, (s)he is easily found and have to explain the purpose. people could/should be fired for such actions. hw --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org

Carlos E. R. wrote:

No, I'm not joking. It is not the same type of attack, and you may not detect it as "attack".

OK, I know what you're talking about, and in the context of securing sshd, no, I don't count it as an attack. /Per Jessen, Zürich --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org

On Sun 30 Mar 2008 03:39:11 NZDT +1300, Per Jessen wrote:

If you're on a LAN, you don't really need a firewall, do you?

You're doing my trick: post well after bedtime.

I don't use the openSUSE firewall

That's where your problem starts getting big quickly.

, but setting up a rate-check is only 3 iptables entries.

iptables -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack --update --seconds 60 --hitcount 6 -j LOG --log-prefix 'SSH attack: ' iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack --update --seconds 60 --hitcount 6 -j REJECT

You can't be seriously suggesting a non-tech user of opensuse employ this method. I am somewhat technically capable, but not stupid enough to roll my own iptables when SuSEfirewall2 does the trick (and with yast support and very good system integration), so the above will have to be integrated. I would like to suggest that rate limiting like the above be added to SuSEfirewall2 though and enabled by default with home-user / desktop-suitable limits. On all services which are liable to a bruteforce attack. In my earlier post suggesting the use of ssh rate limiting I was thinking of doing this by changing sshd_config. Volker -- Volker Kuhlmann is list0570 with the domain in header http://volker.dnsalias.net/ Please do not CC list postings to me. --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org

Marcus Meissner wrote:

...

I would like to suggest that rate limiting like the above be added to SuSEfirewall2 though and enabled by default with home-user / desktop-suitable limits. On all services which are liable to a bruteforce attack.

ratelimiting can be set in SUSEfirewall2.

Default enabling it ... well, again triggers problems, because people might be fall into this trap due to legit use.

So which is best - default rate-limits against brute force attacks on an open sshd which could just conceivably cause a problem for someone who cannot remember his/her password. sshd disabled by default, preventing anyone access, regardless of whether they can remember their password or not. And all of this only takes effect when the firewall has been shutdown anyway. Purely my opinion - trying to protect people who have shut down the firewall even when exposed to an insecure environment is pointless. I am all for giving newbies a "safer ride", but to achieve that, we need a "Windows-mode" tick-box during installation. With a more palatable text of course. /Per Jessen, Zürich --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The Sunday 2008-03-30 at 11:09 +1300, Volker Kuhlmann wrote:

I would like to suggest that rate limiting like the above be added to SuSEfirewall2 though

Have a look at "FW_SERVICES_ACCEPT_EXT". What is not documented, though, is that the above setting has no effect if you also use "FW_SERVICES_EXT_TCP". - -- Cheers, Carlos E. R. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.4-svn0 (GNU/Linux) iD4DBQFH73l7tTMYHG2NR9URAh6IAKCVLK2rsoMXzKQNJVGMZ9m92R4qUQCXcVWO 4LPIZ+oyd1AwmtIbQpixPQ== =qbvR -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org

Volker Kuhlmann schreef:

On Sat 29 Mar 2008 06:10:43 NZDT +1300, Per Jessen wrote:

...

...

Erm, the same thing that is better not having any remote service opened by default? The fact that it could have a vulnerability that could lead to a successful attack?

Doesn't seem to have been much of a problem in the last few years, has it? Also, ssh only becomes vulnerable to an attack when you open the port in the firewall.

This is the case Markus wants to protect against. People turn off the firewall for their desktops because it blocks too much LAN functionality by default (mostly broadcasts about available services, at a guess). With the default setting of password-login and the weak passwords on desktops sshd becomes a BIG HOLE(TM) very quickly, and nothing to do with coding errors.

I should think to improve the firewall than first. Every firewall can be set to use a lan, just this one can not. Why don't you look at a 'real' firewall, like Nortons sygate, to see how it is done? And as i stated in an earlier mail: when i disable the firewall during the install, ssh closes. Maybe you connect the same behaviour when a firewall gets disabled at any other time, and make this visible. Try it yourself and see.

...

Even then there is probably still a rate-check to stop brute force attacks.

Not by default (though there should be), you'll have to go out of your way to configure that. Someone who doesn't use sshd won't be doing that.

Volker

-- Enjoy your time around, Oddball (Now or never...) Besturingssysteem: Linux 2.6.25-rc5-git2-5-default x86_64 Current user: oddball@AMD64x2-sfn1 System: openSUSE 11.0 (x86_64) Alpha3 KDE: 4.00.66 (KDE 4.0.66 >= 20080313) "release 6.1" --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org

On Friday 28 March 2008, Vincent Untz wrote:

And I'd tend to agree that most desktop users don't need sshd. So it makes sense to me to disable it for desktop installs.

What is also important IMO is to be able to install and run sshd easily. If you are offering support to someone, sometimes there is a need to log in remotely. If sshd is not installed by default, you need to give instructions how to do it. The easier those instructions are, the better. Probably zypper install sshd rcsshd start would be the best, but it means the sshd port needs to be opened by default in the firewall. Andras -- Quanta Plus developer - http://quanta.kdewebdev.org K Desktop Environment - http://www.kde.org

Peter Czanik wrote:

Hello,

Per Jessen írta:

...

Then don't install sshd at all. Make it part of a "mostly-server" pattern which isn't selected if people select "most-desktop" mode. Well, I'm writing this from my 'mostly-desktop' machine, still I find sshd essential in my daily routine. Practical example: scp the content of /var/log/YaST2 during installation to my desktop, so I can upload logs with a bugreport. So, even if is not enabled by default, it should be easy to enable it, without going through a detailed package selection. CzP

---

It's very much used by me, build an app for one and scp it to the other boxes and also to allow working on any box from the one keyboard and screen. I also use it for the above mentioned bug reports. I'd like to see it kept in and to be usable with firewall enabled. Regards Sid. -- Sid Boyce ... Hamradio License G3VBV, Licensed Private Pilot Emeritus IBM/Amdahl Mainframes and Sun/Fujitsu Servers Tech Support Specialist, Cricket Coach Microsoft Windows Free Zone - Linux used for all Computing Tasks --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org

On Fri, 2008-03-28 at 16:19 +0100, Klaus Singvogel wrote:

If there is an easier solution for reenabling it, e.g. a good visible button in YaST at installation time (!), then I don't see any arguments against.

I'm using often sshd in my daily work on my workstation.

Regards, Klaus.

+1 If ssh is to be removed as "default enabled" then an easy one step install and configure option is needed in the network services section of the install. My network here relies totally on ssh for login, backups, file copy etc., both on servers and workstations. One reason for this relience on ssh was because openSUSE had it already to go. No additional packages to install, no mucking around with configurations, it was just there and worked. However I do change the default port on all machines so the firewall in my case needs to be modified anyway. But I usually do the mods to the ssh config and firewall over ssh before restarting the service and logging in again :-) Jim -- Jim Pye PyeNet Universal --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org

On Mon, 2008-03-31 at 15:40 +0200, Stanislav Visnovsky wrote:

The only issue I see is I cannot see a place where the button would fit naturally. Any suggestions? Stano

To me it would be sensible to have the option for turning ssh on or off on the screen that allows enabling/disabling network services, things like Firewall, IPv4/IPv6, Network card configuration, VNC etc. Have not had a chance to look at 11 alphas yet so not sure what this screen looks like now. But my basic feeling is to have all the software installed/configured and the option on this screen ether turns the loading of the init script for sshd on or off as per Marcus' comment. Jim -- Jim Pye PyeNet Universal --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org

Am Dienstag 01 April 2008 schrieb Volker Kuhlmann:

On Tue 01 Apr 2008 02:40:15 NZDT +1300, Stanislav Visnovsky wrote:

...

...

If there is an easier solution for reenabling it, e.g. a good visible button in YaST at installation time (!), then I don't see any arguments against.

The only issue I see is I cannot see a place where the button would fit naturally. Any suggestions?

In the network config/services summary, there are underlined "links" already for en/disable ssh firewall port, ipv6 etc - add it there and set the default for ssh to disable, so one has to deliberately click on "enable". That page only exists in expert mode.

An easy way to enable it after installation by someone who we talk to over the phone would be really good too ;)

easy as "zypper in openssh-server"? Greetings, Stephan -- SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nürnberg) --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org

Am Dienstag 01 April 2008 schrieb Carlos E. R.:

The Tuesday 2008-04-01 at 14:12 +0200, Stephan Kulow wrote:

...

...

An easy way to enable it after installation by someone who we talk to over the phone would be really good too ;)

easy as "zypper in openssh-server"?

That means it would not be installed by default. It should be installed by default, but just not enabled. Otherwise, people might install telnetd, old style.

Well, stupid people do stupid things all day long. Why limit them? Greetings, Stephan -- SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nürnberg) --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org

Am Dienstag 01 April 2008 schrieb Carlos E. R.:

More seriously, it should be installed by default. If you are in a pinch, having to install it might be not a nuisance, but a big problem. Suppose, for instance, that the problem you need to solve for which you need to access the machine is that Yast and zypper do not work. rpm -ivh http://download.../openssh-server.rpm will do too.

I don't think the size of the binary is that important.

No, but a) "zypper in" is about the easiest b) we could enable server automatically by means of selecting "network admin" or "experienced user" pattern Greetings, Stephan -- SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nürnberg) --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org

Stephan Kulow wrote:

Well, stupid people do stupid things all day long. Why limit them?

Exactly - which is why we should leave the sshd default startup as it is. /Per Jessen, Zürich --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org

Volker Kuhlmann wrote:

On Tue 01 Apr 2008 02:40:15 NZDT +1300, Stanislav Visnovsky wrote:

...

The only issue I see is I cannot see a place where the button would fit naturally. Any suggestions?

In the network config/services summary, there are underlined "links" already for en/disable ssh firewall port, ipv6 etc - add it there and set the default for ssh to disable, so one has to deliberately click on "enable".

+1 /Per Jessen, Zürich --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The Saturday 2008-03-29 at 09:18 +1300, Volker Kuhlmann wrote:

Akin to today's topic of disabling network services when not needed, I'd like to suggest to also cripple the MTA when full functionality is not explicitly needed.

The local MTA should by default be listening on localhost:25 only, and not on everything:25.

I also think that the local MTA by default should only accept msgs for delivery which are addressed to anyone@localhost, and reject anything addressed to the rest of the world. I tried to persuade postfix on 10.2 to do this and found that it's only possible with a bad cludge. Postfix would accept anything (from localhost) and then not be able to deal with msgs it wasn't supposed to deliver (or soemthing like that). Most email clients work directly with the ISP's (or LAN's) relay host, so a fill-fledged local MTA is not needed. At least Debian has done default installs like this for some time now (with exim though).

I believe some mail clients expect a functional local mta. Pine, for instance. - -- Cheers, Carlos E. R. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.4-svn0 (GNU/Linux) iD8DBQFH7Z4ZtTMYHG2NR9URAr6vAJwMJdnJSOoQD0AbxusP6uEjXF8WFACfTmtE 9sbSam+pG807fprWp6iwFf8= =4fEO -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org

Volker Kuhlmann schrieb:

On Sat 29 Mar 2008 14:40:38 NZDT +1300, Carlos E. R. wrote:

...

I believe some mail clients expect a functional local mta. Pine, for instance.

And mutt. But how many people do you know who use either of those and who would be incapable of switching the MTA from "local-only" to "full"?

I'm wondering about that discussion. Postfix as it is preconfigured with openSUSE (since some versions already) is only listening on the local loopback interface if the config is not changed. grep ^inet_interfaces /etc/postfix/main.cf inet_interfaces = localhost Wolfgang --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The Saturday 2008-03-29 at 20:34 +1300, Volker Kuhlmann wrote:

On Sat 29 Mar 2008 19:58:12 NZDT +1300, Wolfgang Rosenauer wrote:

...

I'm wondering about that discussion. Postfix as it is preconfigured with openSUSE (since some versions already) is only listening on the local loopback interface if the config is not changed.

Meaning it is accepting msgs for delivery only from localhost, but it will deliver them worldwide. I think the default should be that it accepts for delivery only msgs which are sent to localhost.

Ok, but, is that dangerous? :-? I don't think the hack is easy, postfix is designed to send worldwide. The danger I see is that mail will be usually rejected. Or if the user is a spammer, but then the configuration will not be a problem for him - but they don't use linux, I think, or techniques like temporarily rejecting emails with try later would fail. - -- Cheers, Carlos E. R. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.4-svn0 (GNU/Linux) iD8DBQFH7hgHtTMYHG2NR9URAlDbAJ0QBu/YhVjMnuL++rG9WN3e6Kd7lwCeMVgb ZER0KJ0FPy8utTrYJMm1AHY= =Mhu5 -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org

Am Samstag, 29. März 2008 schrieb Andras Barna:

I vote for: disable but installed

It would be much easier if we enabled it by "zypper in sshd" and it's default if installed. Greetings, Stephan --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org

Carlos E. R. wrote:

The Saturday 2008-03-29 at 07:53 +0100, Stephan Kulow wrote:

...

...

I vote for: disable but installed ... The posibility of not having it installed by default would be a pain in

Am Samstag, 29. März 2008 schrieb Andras Barna: the backside for remote maintenance and support.

+1 If you must disable it by default (and even after following this thread, I really can't think of a reason to do so, since the firewall defaults to On) please at least make sure it's installed, along with the client. -- Cheers Richard (MQ) --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org