Deny All Allow Specifically

An appropriate policy when configuring the services on a node is to deny everything by default and allow only what is specifically needed. For example, OpenSSH has configuration options that control which users are allowed to log in. Table A-1 shows some of the configuration options that can be applied to sshd_config. The settings cover the following decisions:

• Is anyone allowed to log in with an empty password?

• Is anyone allowed to log in with passwords at all?

• Are only certain users or groups allowed to log in?

If only public key authentication is used, why not disable password authentication completely in the service's configuration? If only certain users need SSH access to a node, why not allow only those users in the service's configuration? In a best-practices setup, such considerations should be made and applied to the service's configuration.
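One way to check an sshd_config against the three decisions above, as an added example that is not part of the original text. It evaluates only the global section (not Match blocks), and the user and group names in the constructed samples are hypothetical.

```python
import re

# Added example: check sshd_config text against the three decisions listed above.
# Absent keywords fall back to OpenSSH defaults: PermitEmptyPasswords no,
# PasswordAuthentication yes, and no AllowUsers/AllowGroups (no restriction).

def parse_global(text):
    """Parse the global section (everything before the first Match block)."""
    first, allow = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(\w+)(?:\s*=\s*|\s+)(.*)", line)
        if not m:
            continue
        key, args = m.group(1).lower(), m.group(2).split()  # keywords are case-insensitive
        if key == "match":
            break                                  # conditional blocks are not evaluated here
        if key in ("allowusers", "allowgroups"):
            allow.extend(args)                     # allow lists accumulate across lines
        else:
            first.setdefault(key, " ".join(args).lower())  # first value wins
    return first, allow

def audit(text):
    """Return the settings that still follow 'allow all' rather than 'deny all'."""
    first, allow = parse_global(text)
    findings = []
    if first.get("permitemptypasswords", "no") == "yes":
        findings.append("empty passwords are accepted")
    if first.get("passwordauthentication", "yes") != "no":
        findings.append("password logins are enabled")
    if not allow:
        findings.append("no AllowUsers/AllowGroups list: any account may log in")
    return findings

# Constructed sample configurations; the user and group names are hypothetical.
ALLOW_ALL = "PermitEmptyPasswords yes\n#PasswordAuthentication no\n"
DENY_ALL = ("PermitEmptyPasswords no\nPasswordAuthentication no\n"
            "PasswordAuthentication yes\nAllowUsers alice backup\n"
            "AllowGroups sshadmins\n")

if __name__ == "__main__":
    for name, cfg in (("allow-all", ALLOW_ALL), ("deny-all", DENY_ALL)):
        print(name, audit(cfg) or "OK")
```

The commented-out line in the first sample shows why an absent keyword matters: password logins stay enabled by default until the setting is written explicitly.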

Of course the deny all, allow specifically policy does not apply to node configuration alone—it's also a very important part of firewall and other configuration tasks.

The opposite of deny all, allow specifically is allow all, deny specifically. This configuration method is also used, but it's not recommended since it always involves the risk of accidentally forgetting to deny something that might be unwanted.
