Default Fedora installation suffers from egregious configuration flaw

Joe Wulf joe_wulf at yahoo.com
Thu May 19 17:02:32 UTC 2011


+1 vote for the solution you recommended, Vincent.



----- Original Message ----
> From: Vincent Danen <vdanen at redhat.com>
> To: Kevin Fenzi <kevin at scrye.com>
> Cc: security at lists.fedoraproject.org
> Sent: Thu, May 19, 2011 11:08:06 AM
> Subject: Re: Default Fedora installation suffers from egregious configuration flaw
> 
> * [2011-05-19 07:18:38 -0600] Kevin Fenzi wrote:
> 
> >On Wed, 18 May 2011 17:35:38 -0700
> >dirk cummings <sexynaya2010 at hotmail.com> wrote:
> >
> >>
> >> On a default install of Fedora 14, and also the latest release
> >> candidate for 15, the user is presented with:
> >>
> >> - An iptables rule that opens port 22 to the world
> >> - sshd service automatically started
> >> - sshd_config with default option: PermitRootLogin yes
> >>
> >> It's like every new install comes with the keys to the castle
> >> hanging on outside of the door for anyone who comes knocking.
> >>
> >> I find this situation a serious oversight in light of the fact that
> >> Fedora obviously values security (like selinux, or how the installer
> >> forces a minimum password length, etc)
> >>
> >> Any experienced linux user will know to check iptables and disable
> >> unnecessary services, but I wouldn't expect this from a new linux
> >> user (exactly the people the refreshed GNOME experience is supposed
> >> to attract). I think the default configuration should be in the name
> >> of security, and sshd should not be listening on a default port with
> >> an open rule with root login enabled.
> >
> >The reason for this has been headless installs. I.e., if you install via
> >vnc or the like, and finish the install and reboot and don't have
> >access to the physical console, ssh is your only way to access the
> >newly installed machine and set up accounts, etc.
> >
> >If someone can come up with a solution that covers this case, we could
> >revisit this, but it's not a case that's easy to fix in any kind of
> >clean way. ;(
> >
> >If it's brute force attacks that are the vector of concern, perhaps we
> >could look at a default hashlimit rule in front of the ssh. (i.e., 1
> >attempt per minute or the like).
> 
> Or simply have a page asking the user whether or not to enable ssh? I
> can't recall off the top of my head, but I believe there is a screen
> where you ask if you want the firewall enabled, right? Why not have a
> very obvious checkbox: "[ ] Enable ssh at boot" and if the user checks
> it off, set the firewall to allow ssh and turn ssh on. If the user does
> _not_ check it off (aka they are sitting back and saying "what is this
> ssh thing they speak of?") then have the firewall block port 22 and
> chkconfig ssh off.
> 
> It's not difficult. Those who need ssh will know what it is and will
> turn it on. Those who don't (probably the majority) will leave it off
> and be protected.
> 
> I think that would cover all areas of concern without
> unnecessary/needless rate-limiting or changing sshd_config, etc. And
> it's one more UI element during install (and presumably something that
> could be set in a kickstart file as well as a result).
> 
> -- 
> Vincent Danen / Red Hat Security Response Team 
> 
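The three default settings named at the start of the thread can be checked together on an installed host. The sketch below is an added example, not code from any poster or from Fedora; the function names are hypothetical, the sample inputs are constructed, and it assumes (as the thread states) that an unset PermitRootLogin means "yes".

```python
# Constructed sample inputs (not taken from a real host).
SAMPLE_IPTABLES = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""
SAMPLE_SSHD_CONFIG = "#Port 22\n#PermitRootLogin yes\n"

def ssh_port_open_to_world(iptables_save, port=22):
    """True if an INPUT rule accepts TCP to `port` with no source restriction.
    Simplification: rule order and user-defined chains are not evaluated."""
    for line in iptables_save.splitlines():
        tok = line.split()
        if tok[:2] != ["-A", "INPUT"]:
            continue
        opts = dict(zip(tok, tok[1:]))  # each flag mapped to the token after it
        if (opts.get("-p") == "tcp" and opts.get("--dport") == str(port)
                and opts.get("-j") == "ACCEPT"
                and "-s" not in tok and "--source" not in tok):
            return True
    return False

def permit_root_login(sshd_config, default="yes"):
    """Effective global PermitRootLogin; sshd keeps the first value it reads.
    `default` applies when the keyword is unset (assumed 'yes', per the thread)."""
    for line in sshd_config.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if not parts:
            continue  # blank line or comment
        key = parts[0].lower()
        if key == "match":  # conditional blocks start here; global scope ends
            break
        if key == "permitrootlogin" and len(parts) == 2:
            return parts[1].strip().lower()
    return default

def audit(iptables_save, sshd_config, sshd_enabled):
    """Report each condition and whether all three hold at once."""
    findings = {
        "port_22_open": ssh_port_open_to_world(iptables_save),
        "sshd_enabled": bool(sshd_enabled),
        "root_login": permit_root_login(sshd_config) == "yes",
    }
    findings["exposed"] = all(findings.values())
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_IPTABLES, SAMPLE_SSHD_CONFIG, sshd_enabled=True))
```

On a real host the inputs would come from `iptables-save`, the sshd_config file, and the service's boot-time state.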

