Default Fedora installation suffers from egregious configuration flaw
Joe McManus
joe at robonza.com
Thu May 19 17:59:46 UTC 2011
The default Fedora 14 includes a rule to accept all multicast DNS:
ACCEPT     udp  --  0.0.0.0/0            224.0.0.251         state NEW udp dpt:5353
-Joe
On Thu, May 19, 2011 at 1:49 PM, Kevin Fenzi <kevin at scrye.com> wrote:
> On Thu, 19 May 2011 13:40:47 -0400
> aragonx at dcsnow.com wrote:
>
>> Isn't that only part of the
>> solution? Why would we ever need to have PermitRootLogin to
>> true? My memory is a little rusty but I'm pretty sure the install
>> forces the creation of a user account.
>
> No, it does at firstboot.
>
> If you install a headless machine, you have no way to make a user
> without logging in as root and making one.
>
>> I've never done a
>> headless install so I know nothing about how that works. However, we
>> shouldn't let a minority of installations compromise the security of
>> the majority. As someone has already pointed out, can't they have a
>> different spin to allow whatever they might need?
>
> I think there are solutions to this, but they should be worked with the
> anaconda folks, rather than here. ;)
>
>> Are there any
>> other services that are listening by default and allowed through the
>> firewall? I believe there should be none of either. However, I
>> have been called paranoid in the past. :)
>
> Nope. Not on a default install anymore I don't think...
>
> kevin
>
> --
> security mailing list
> security at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/security
>
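The thread turns on a factual question: which inbound ACCEPT rules does the default INPUT chain actually carry? The following audit script is an added example, not code from the original post or from Fedora. It parses `iptables -L INPUT -n -v` output, drops the loopback and RELATED,ESTABLISHED-only rules, and reports every remaining ACCEPT that admits new packets from any source, marking multicast destinations such as 224.0.0.251 separately. The sample chain embedded below is constructed: only the mDNS line comes from the thread; the ICMP, loopback, ssh and REJECT lines are assumptions about what such a chain would contain.

```python
"""Audit an iptables INPUT chain for ACCEPT rules exposed to any source.

Added example for the Fedora 14 mDNS discussion; not code from the original
post or from the Fedora project. Parses the `iptables -L INPUT -n -v` listing
format (the -v flag is needed so the input interface column is visible,
otherwise the loopback rule looks like an accept-everything rule).
"""
import ipaddress
import re
import subprocess
import sys
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample (assumption): what `iptables -L INPUT -n -v` might print
# on a default install. Only the udp/5353 line is taken from the thread.
SAMPLE_INPUT_CHAIN = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.251         state NEW udp dpt:5353
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
"""

COUNTER = re.compile(r"\d+[KMG]?")  # pkts/bytes columns, e.g. "0" or "12K"


@dataclass
class Rule:
    target: str
    proto: str
    in_iface: str
    source: str
    destination: str
    extra: str  # trailing match text: state, dpt:, reject-with, ...

    def states(self) -> Optional[set]:
        """Conntrack states the rule matches, or None if it is stateless."""
        m = re.search(r"\bstate (\S+)", self.extra)
        return set(m.group(1).split(",")) if m else None

    def dport(self) -> Optional[int]:
        m = re.search(r"\bdpt:(\d+)", self.extra)
        return int(m.group(1)) if m else None


def parse_chain(text: str) -> List[Rule]:
    """Parse `iptables -L <chain> -n -v` output into Rule objects."""
    rules = []
    for line in text.splitlines():
        fields = line.split()
        # Skip the "Chain ..." header, the column header and blank lines:
        # real rule lines start with the numeric packet counter.
        if len(fields) < 9 or not COUNTER.fullmatch(fields[0]):
            continue
        _pkts, _bytes, target, proto, _opt, in_if, _out_if, src, dst = fields[:9]
        rules.append(Rule(target, proto, in_if, src, dst, " ".join(fields[9:])))
    return rules


def exposed_rules(rules: List[Rule]) -> List[Rule]:
    """ACCEPT rules admitting new packets from any source on a non-loopback interface."""
    out = []
    for r in rules:
        if r.target != "ACCEPT" or r.in_iface == "lo" or r.source != "0.0.0.0/0":
            continue
        st = r.states()
        if st is not None and "NEW" not in st:
            continue  # only return traffic for existing connections
        out.append(r)
    return out


def is_multicast_dest(rule: Rule) -> bool:
    """True when the rule only matches packets addressed to a multicast group."""
    return ipaddress.ip_network(rule.destination, strict=False).is_multicast


def audit(text: str) -> List[str]:
    """One finding per exposed rule, e.g. 'udp dpt:5353 -> 224.0.0.251 (multicast)'."""
    findings = []
    for r in exposed_rules(parse_chain(text)):
        kind = "multicast" if is_multicast_dest(r) else "unicast"
        port = f" dpt:{r.dport()}" if r.dport() is not None else ""
        findings.append(f"{r.proto}{port} -> {r.destination} ({kind})")
    return findings


if __name__ == "__main__":
    if "--live" in sys.argv:  # needs root; otherwise the constructed sample is used
        listing = subprocess.run(["iptables", "-L", "INPUT", "-n", "-v"],
                                 check=True, capture_output=True, text=True).stdout
    else:
        listing = SAMPLE_INPUT_CHAIN
    for finding in audit(listing):
        print(finding)
```

On the constructed sample the script reports three exposed accepts: ICMP, udp/5353 to 224.0.0.251, and tcp/22. The multicast marker matters for reading the mDNS rule: it matches only datagrams addressed to the 224.0.0.251 group, not packets sent to the host's own unicast address.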