<font color="#000099"><font size="2"><font face="tahoma,sans-serif">Simple, almost obvious, easy to implement solution. Love it.<br clear="all"></font></font></font><font color="#999999"><div><br></div></font><br><div class="gmail_quote">
On Thu, May 19, 2011 at 10:08 AM, Vincent Danen <span dir="ltr"><<a href="mailto:vdanen@redhat.com">vdanen@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div><div></div><div class="h5">* [2011-05-19 07:18:38 -0600] Kevin Fenzi wrote:<br>
<br>
>On Wed, 18 May 2011 17:35:38 -0700<br>
>dirk cummings <<a href="mailto:sexynaya2010@hotmail.com">sexynaya2010@hotmail.com</a>> wrote:<br>
><br>
>><br>
>> On a default install of Fedora 14, and also the latest release<br>
>> candidate for 15, the user is presented with:<br>
>><br>
>> An iptables rule that opens port 22 to the world<br>
>> sshd service automatically started<br>
>> sshd_config with default option: PermitRootLogin yes<br>
>><br>
>> It's like every new install comes with the keys to the castle<br>
>> hanging on outside of the door for anyone who comes knocking.<br>
>><br>
>> I find this situation a serious oversight in light of the fact that<br>
>> Fedora obviously values security (like selinux, or how the installer<br>
>> forces a minimum password length, etc)<br>
>><br>
>> Any experienced linux user will know to check iptables and disable<br>
>> unnecessary services, but I wouldn't expect this from a new linux<br>
>> user (exactly the people the refreshed GNOME experience is supposed<br>
>> to attract). I think the default configuration should be in the name<br>
>> of security, and sshd should not be listening on a default port with<br>
>> an open rule with root login enabled.<br>
><br>
>The reason for this has been headless installs. I.e., if you install via<br>
>vnc or the like, and finish the install and reboot and don't have<br>
>access to the physical console, ssh is your only way to access the<br>
>newly installed machine and setup accounts, etc.<br>
><br>
>If someone can come up with a solution that covers this case, we could<br>
>revisit this, but it's not a case that's easy to fix in any kind of<br>
>clean way. ;(<br>
><br>
>If it's brute force attacks that are the vector of concern, perhaps we<br>
>could look at a default hashlimit rule in front of the ssh. (i.e., 1<br>
>attempt per minute or the like).<br>
<br>
</div></div>Or simply have a page asking the user whether or not to enable ssh? I<br>
can't recall off the top of my head, but I believe there is a screen<br>
where you ask if you want the firewall enabled, right? Why not have a<br>
very obvious checkbox: "[ ] Enable ssh at boot" and if the user checks<br>
it off, set the firewall to allow ssh and turn ssh on. If the user does<br>
_not_ check it off (aka they are sitting back and saying "what is this<br>
ssh thing they speak of?") then have the firewall block port 22 and<br>
chkconfig ssh off.<br>
<br>
It's not difficult. Those who need ssh will know what it is and will<br>
turn it on. Those who don't (probably the majority) will leave it off<br>
and be protected.<br>
<br>
I think that would cover all areas of concern without<br>
unnecessary/needless rate-limiting or changing sshd_config, etc. And<br>
it's one more UI element during install (and presumably something that<br>
could be set in a kickstart file as well as a result).<br>
<font color="#888888"><br>
--<br>
Vincent Danen / Red Hat Security Response Team<br>
</font><div><div></div><div class="h5">
</div></div></blockquote></div><br>
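An added example, not part of the thread or of Fedora's installer: a Python check that reads sshd_config and iptables-save text and reports the three defaults raised in the original post, plus whether the accept rule carries the kind of rate limit suggested in the reply. The sample inputs are constructed, the function names are hypothetical, and an unset PermitRootLogin is assumed to mean yes, as the thread states.

```python
import re

# Constructed samples reproducing the defaults described in the thread.
SSHD_CONFIG = "# constructed sample\nPort 22\nPermitRootLogin yes\n"
IPTABLES_SAVE = """*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

def sshd_option(config_text, name, default):
    """Effective global value: sshd keeps the first occurrence of a keyword."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if parts[0].lower() == "match":
            break  # Match blocks are conditional overrides, not global defaults
        if parts[0].lower() == name.lower() and len(parts) == 2:
            return parts[1].strip().lower()
    return default

def open_ssh_rules(iptables_save_text, port=22):
    """INPUT rules that ACCEPT the given tcp port with no source restriction."""
    found = []
    for line in iptables_save_text.splitlines():
        t = line.split()
        if t[:2] != ["-A", "INPUT"] or t[-2:] != ["-j", "ACCEPT"]:
            continue
        if "--dport" not in t or t[t.index("--dport") + 1] != str(port):
            continue
        if "-s" in t or "--source" in t:
            continue  # restricted to a source address, not "the world"
        limited = any(m in t for m in ("hashlimit", "limit", "recent"))
        found.append({"rule": line, "rate_limited": limited})
    return found

def audit(sshd_config_text, iptables_save_text, sshd_enabled):
    """Return findings for the defaults raised in the thread."""
    rules = open_ssh_rules(iptables_save_text, 22)
    if not (sshd_enabled and rules):
        return []  # service off or port closed: nothing reachable
    findings = ["sshd enabled at boot and port 22 accepted from any source"]
    # Assumption: an unset PermitRootLogin means "yes", as the thread states.
    if sshd_option(sshd_config_text, "PermitRootLogin", "yes") == "yes":
        findings.append("PermitRootLogin yes")
    if not all(r["rate_limited"] for r in rules):
        findings.append("no rate limit on new ssh connections")
    return findings
```

Multiport rules and port ranges are not parsed; on a real host, feed it the output of iptables-save and the contents of /etc/ssh/sshd_config.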