What is SSH used for on FOG server?
-
I noticed that FOG is installing openssh-server. I might be wrong, but from what I tested this is also allowing remote SSH connections to the server. I was able to successfully log in as root/super user via SSH. Since I don’t really plan to remotely administer the server, I was wondering if it’s ok to block this port? I don’t know what FOG uses it for though.
Looking at https://wiki.fogproject.org/wiki/index.php/FOG_security, SSH and port 22 are not shown as needing to be open.
-
@fogcloud ssh in 1.5.10 and earlier isn’t required for anything but it will be required for 1.6.
After such a long time of using ftp I made a switch to prefer using ssh instead as it is generally more secure and can eventually (hopefully) be extended to allow Pki authentication which we cannot do for ftp based things. Plus it gives us much more utility than ftp provides.
I know you weren’t looking for a book on this all.
TLDR, no it’s not “required” but is effectively a default standard in dang near all operating systems now. It shouldn’t hurt anything, for now. In the future it absolutely will.
PS If you are worried of subnets gaining access to your fog server, use a firewall to block those subnets. I would highly recommend not blocking the specific port for ssh.
-
@fogcloud FWIW fog shouldn’t use ssh for imaging. It uses ftp, nfs, http/https for imaging. I think there is another protocol but I can’t remember off the top of my head, but its not ssh.
If you are concerned about ssh being open you can either enable a firewall on the fog server or move the ssh port to some other random place so the fog server is still accessible if needed via ssh.
If you are concerend about security you could also install fail2ban to block repeated attempts to remotely log into your fog server.
-
@fogcloud Do you have a specific concern about having ssh enabled on the fog server? Are you trying to meet some kind of compliance certification?
-
How would you update FOG without ssh? Are you using the terminal via a hypervisor? Are you plugging a monitor, keyboard, and mouse into a physical server?
Also if you needed to fix something, very likely all the help you would find in the forums will involve some kind of shell commands.
-
@fogcloud ssh in 1.5.10 and earlier isn’t required for anything but it will be required for 1.6.
After such a long time of using ftp I made a switch to prefer using ssh instead as it is generally more secure and can eventually (hopefully) be extended to allow Pki authentication which we cannot do for ftp based things. Plus it gives us much more utility than ftp provides.
I know you weren’t looking for a book on this all.
TLDR, no it’s not “required” but is effectively a default standard in dang near all operating systems now. It shouldn’t hurt anything, for now. In the future it absolutely will.
PS If you are worried of subnets gaining access to your fog server, use a firewall to block those subnets. I would highly recommend not blocking the specific port for ssh.
-
Thank you! My question has been answered. The server is connected to a KVM and is only a few steps away from where I work. I’m just following the general rule of only allowing what is necessary and since SSH isn’t necessary (yet), I’ll keep it blocked.
-
[[undefined-on, F fogcloud, ]]
