Securing WSL - How to have basic security for WSL? #1538
Comments
Right now it is insecure by design due to interop. All users are "really" root users.
@fpqc -- well, what's your threat model? All users may be root users, but root is not a Windows Administrator.
@aseering True, but my threat model is a Linux instance acting as a persistent server as Benosika seems to be indicating. Edit: Oh, misread. He wants to do the opposite of that. @Benosika You should be good as long as you aren't running servers. I leave tmux up 24/7 and don't install crap from scripts. It's firewalled by Windows, so should be safe anyhow I think.
Would you agree that OpenSSH server isn't included in the servers you meant?
@dmex That's actually not correct. Pico processes are affected by firewall rules, and additionally in Creators Update, the name query API returns the name for WSL processes.
@ionescu007 Reference for this? How do you create Windows firewall rules for pico processes?
What about securing an OpenSSH server? I need one on WSL to transfer files easily and quickly from my VPS to the local session (WSL). Any tips?
@Benosika -- can you use the ssh server built into your VPS?
Yes.
I do wonder what a WSL user that has an OpenSSH server and uses only a password (without key pairs) could do to reduce the chance of a brute-force attack, if they can't install firewalls (something which, as of the moment, generally isn't possible in WSL). @aseering
As discussed on another ticket, I wonder if DenyHosts works?
If I install it in WSL, I would prefer to install it only from the repo. Given that Fail2ban on the other hand, is being installed without errors, I might configure it this way instead:
Your opinion on this will be most helpful!
@Benosika
Windows automatically installs an SSH server when you enable the Developer mode option in the Win10 Settings app. Have you tried connecting to the machine and running bash.exe?
The SSH server uses local Windows accounts and generates logon/logoff audits and other events in the Event log. The main problem with the default SSH server on Win10 (security-wise) seems to be that each connection to the ssh server creates a new process and it doesn't limit the number of connections.
@dmex, right after I enabled the developer tools I installed WSL and there I had an existing OpenSSH server. Does it mean that I now have 2 OpenSSH servers on my Windows 10? One of Windows itself and one of WSL?
@Benosika -- denyhosts is in Ubuntu's "universe" repository; you'll have to make sure that it is enabled in
fail2ban might work too, though. I'd say give it a try. That configuration looks right to me, though I haven't configured fail2ban recently so I'm not an expert. Also, don't forget to start it manually -- just like ssh itself, denyhosts or fail2ban won't be started automatically by Windows.
Thanks for the discussion.
I typed in Google "How to secure WSL" (without quote marks) and found no "general-audience-friendly" article that gives some tips about basic security setups for WSL.
I personally want to use WSL to manage my SSH connections, and consider using WSL-OpenSSH instead of Puttygen-Pageant-Putty.
I wondered how I should secure a basic WSL installment (basically just WSL and OpenSSH and some totally-local utilities like Tree or Zip --- no webserver, no databases).
I encourage people to create a short, accessible article on this in a blog... Would gladly read it.