Hi,

On Sat, 29 Mar 2008, Volker Kuhlmann wrote:
On Sat 29 Mar 2008 06:10:43 NZDT +1300, Per Jessen wrote:
Erm, the same thing that is better not having any remote service opened by default? The fact that it could have a vulnerability that could lead to a successful attack?
Doesn't seem to have been much of a problem in the last few years, has it? Also, ssh only becomes vulnerable to an attack when you open the port in the firewall.
This is the case Markus wants to protect against. People turn off the firewall for their desktops because it blocks too much LAN functionality by default (mostly broadcasts about available services, at a guess). With the default setting of password-login and the weak passwords on desktops sshd becomes a BIG HOLE(TM) very quickly, and nothing to do with coding errors.
No problem currently. "Initial state" is firewall enabled, ssh disabled. So simply to disable the firewall does not create a hole regarding ssh - it is even removing the field to click "enable ssh". Very very security aware already...

My standard procedure is:
1. enable ssh
2. disable firewall

and I won't miss this easy way.
Even then there is probably still a rate-check to stop brute force attacks.
Not by default (though there should be), you'll have to go out of your way to configure that. Someone who doesn't use sshd won't be doing that.
Pamshield could do it, but we have this rate-checking at the router's firewall. A good "sshd: ALL EXCEPT ..." line in /etc/hosts.deny would do it too.

Best regards
Eberhard Mönkeberg (emoenke@gwdg.de, em@kki.org)
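As an added example (not code from anyone in this thread): a small shell audit of the two controls debated above, whether sshd_config still allows password logins and whether /etc/hosts.deny carries a rule for sshd. The file paths are parameters and the sample files it creates are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread: audit the weak-default situation
# discussed above (password logins on, no tcp_wrappers rule for sshd).

# Return 0 if sshd_config turns password logins off, 1 otherwise.
# sshd honours the first occurrence of a keyword and defaults to "yes",
# so a missing or commented-out directive counts as enabled.
# Match blocks are not handled here.
password_auth_disabled() {
    awk 'tolower($1) == "passwordauthentication" && !seen { v = tolower($2); seen = 1 }
         END { if (v == "no") exit 0; exit 1 }' "$1"
}

# Return 0 if hosts.deny has an uncommented rule for sshd (or ALL), 1 otherwise.
sshd_wrapped() {
    grep -Eq '^[[:space:]]*(sshd|ALL)[[:space:]]*:' "$1"
}

# Report findings for one host; the return value is the number of findings,
# so 0 means both controls are in place.
audit_ssh() {
    findings=0
    if ! password_auth_disabled "$1"; then
        echo "WEAK: $1 allows password authentication"
        findings=$((findings + 1))
    fi
    if ! sshd_wrapped "$2"; then
        echo "WEAK: $2 has no sshd rule"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample files (placeholders, not real hosts).
TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT
WEAK_CONF="$TMPD/sshd_config.weak"
HARD_CONF="$TMPD/sshd_config.hard"
DENY="$TMPD/hosts.deny"
# Commented-out directive: the default "yes" still applies.
printf '#PasswordAuthentication no\nPort 22\n' > "$WEAK_CONF"
# First value wins, so this one is hardened despite the later "yes".
printf 'PasswordAuthentication no\nPasswordAuthentication yes\n' > "$HARD_CONF"
# Deny sshd to everyone except the LAN (192.168.1.0/24 is a placeholder).
printf '# tcp_wrappers\nsshd: ALL EXCEPT 192.168.1.0/255.255.255.0\n' > "$DENY"

audit_ssh "$HARD_CONF" "$DENY" && echo "hardened host: no findings"
audit_ssh "$WEAK_CONF" /dev/null || echo "weak host: $? finding(s)"
```

Note that hosts.deny only takes effect when sshd is built with tcp_wrappers support, which OpenSSH dropped in 6.7, so on newer systems the same restriction belongs in the firewall or in sshd's own Match/AllowUsers rules.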