On a default install of Fedora 14, and also the latest release candidate for 15, the user is presented with: * An iptables rule that opens port 22 to the world * sshd service automatically started * sshd_config with default option: PermitRootLogin yes It's like every new install comes with the keys to the castle hanging on outside of the door for anyone who comes knocking. I find this situation a serious oversight in light of the fact that Fedora obviously values security (like selinux, or how the installer forces a minimum password length, etc) Any experienced linux user will know to check iptables and disable unnecessary services, but I wouldn't expect this from a new linux user (exactly the people the refreshed GNOME experience is supposed to attract). I think the default configuration should be in the name of security, and sshd should not be listening on a default port with an open rule with root login enabled.

On 05/19/2011 08:26 AM, Paul Howarth wrote: > On 19/05/11 01:35, dirk cummings wrote: >> On a default install of Fedora 14, and also the latest release candidate >> for 15, the user is presented with: >> >>      * An iptables rule that opens port 22 to the world >>      * sshd service automatically started >>      * sshd_config with default option: PermitRootLogin yes >> >> >> It's like every new install comes with the keys to the castle hanging on >> outside of the door for anyone who comes knocking. >> >> I find this situation a serious oversight in light of the fact that >> Fedora obviously values security (like selinux, or how the installer >> forces a minimum password length, etc) >> >> Any experienced linux user will know to check iptables and disable >> unnecessary services, but I wouldn't expect this from a new linux user >> (exactly the people the refreshed GNOME experience is supposed to >> attract). I think the default configuration should be in the name of >> security, and sshd should not be listening on a default port with an >> open rule with root login enabled. > Things have been like this since, well, forever. See discussions here: > > https://bugzilla.redhat.com/show_bug.cgi?id=89216 > https://bugzilla.redhat.com/show_bug.cgi?id=136289 Note that saying that it has been like this for ever is not a valid point. We have had incident reports here on the university network where a novice end user both staff and students installed Fedora on their laptop/workstation and to no surprise were instantly exposed to brute force attacks without absolutely no idea about it heck those users did not even know what ssh is in the first place. There is no warning or option to disable sshd in Anaconda and the novice end user receives no notifications about someone trying to connect to ssh so he is absolutely clueless when that happens so even if he knows how to react when that occurs he still has no idea if/when it's happening.

The reason for this has been headless installs. Ie, if you install via vnc or the like, and finish the install and reboot and don't have access to the physical console, ssh is your only way to access the newly installed machine and setup accounts, etc. If someone can come up with a solution that covers this case, we could revisit this, but it's not an case thats easy to fix in any kind of clean way. ;( If it's brute force attacks that are the vector of concern, perhaps we could look at a default hashlimit rule in front of the ssh. (ie, 1 attempt per minute or the like).

* [2011-05-19 07:18:38 -0600] Kevin Fenzi wrote: >On Wed, 18 May 2011 17:35:38 -0700 >dirk cummings <sexynaya2010(a)hotmail.com&gt; wrote: > >> >> On a default install of Fedora 14, and also the latest release >> candidate for 15, the user is presented with: >> >> An iptables rule that opens port 22 to the worldsshd service >> automatically startedsshd_config with default option: PermitRootLogin >> yes It's like every new install comes with the keys to the castle >> hanging on outside of the door for anyone who comes knocking. >> >> I find this situation a serious oversight in light of the fact that >> Fedora obviously values security (like selinux, or how the installer >> forces a minimum password length, etc) >> >> Any experienced linux user will know to check iptables and disable >> unnecessary services, but I wouldn't expect this from a new linux >> user (exactly the people the refreshed GNOME experience is supposed >> to attract). I think the default configuration should be in the name >> of security, and sshd should not be listening on a default port with >> an open rule with root login enabled. > >The reason for this has been headless installs. Ie, if you install via >vnc or the like, and finish the install and reboot and don't have >access to the physical console, ssh is your only way to access the >newly installed machine and setup accounts, etc. > >If someone can come up with a solution that covers this case, we could >revisit this, but it's not an case thats easy to fix in any kind of >clean way. ;( > >If it's brute force attacks that are the vector of concern, perhaps we >could look at a default hashlimit rule in front of the ssh. (ie, 1 >attempt per minute or the like). Or simply have a page asking the user whether or not to enable ssh? I can't recall off the top of my head, but I believe there is a screen where you ask if you want the firewall enabled, right? Why not have a very obvious checkbox: "[ ] Enable ssh at boot" and if the user checks it off, set the firewall to allow ssh and turn ssh on. If the user does _not_ check it off (aka they are sitting back and saying "what is this ssh thing they speak of?") then have the firewall block port 22 and chkconfig ssh off. It's not difficult. Those who need ssh will know what it is and will turn it on. Those who don't (probably the majority) will leave it off and be protected. I think that would cover all areas of concern without unnecessary/needless rate-limiting or changing sshd_config, etc. And it's one more UI element during install (and presumably something that could set in a kickstart file as well as a result). -- Vincent Danen / Red Hat Security Response Team -- security mailing list security(a)lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/security

From: Vincent Danen <vdanen(a)redhat.com&gt; To: Kevin Fenzi <kevin(a)scrye.com&gt; Cc: security(a)lists.fedoraproject.org Sent: Thu, May 19, 2011 11:08:06 AM Subject: Re: Default Fedora installation suffers from egregious configuration flaw * [2011-05-19 07:18:38 -0600] Kevin Fenzi wrote: >On Wed, 18 May 2011 17:35:38 -0700 >dirk cummings <sexynaya2010(a)hotmail.com&gt; wrote: > >> >> On a default install of Fedora 14, and also the latest release >> candidate for 15, the user is presented with: >> >> An iptables rule that opens port 22 to the worldsshd service >> automatically startedsshd_config with default option: PermitRootLogin >> yes It's like every new install comes with the keys to the castle >> hanging on outside of the door for anyone who comes knocking. >> >> I find this situation a serious oversight in light of the fact that >> Fedora obviously values security (like selinux, or how the installer >> forces a minimum password length, etc) >> >> Any experienced linux user will know to check iptables and disable >> unnecessary services, but I wouldn't expect this from a new linux >> user (exactly the people the refreshed GNOME experience is supposed >> to attract). I think the default configuration should be in the name >> of security, and sshd should not be listening on a default port with >> an open rule with root login enabled. > >The reason for this has been headless installs. Ie, if you install via >vnc or the like, and finish the install and reboot and don't have >access to the physical console, ssh is your only way to access the >newly installed machine and setup accounts, etc. > >If someone can come up with a solution that covers this case, we could >revisit this, but it's not an case thats easy to fix in any kind of >clean way. ;( > >If it's brute force attacks that are the vector of concern, perhaps we >could look at a default hashlimit rule in front of the ssh. (ie, 1 >attempt per minute or the like). Or simply have a page asking the user whether or not to enable ssh? I can't recall off the top of my head, but I believe there is a screen where you ask if you want the firewall enabled, right? Why not have a very obvious checkbox: "[ ] Enable ssh at boot" and if the user checks it off, set the firewall to allow ssh and turn ssh on. If the user does _not_ check it off (aka they are sitting back and saying "what is this ssh thing they speak of?") then have the firewall block port 22 and chkconfig ssh off. It's not difficult. Those who need ssh will know what it is and will turn it on. Those who don't (probably the majority) will leave it off and be protected. I think that would cover all areas of concern without unnecessary/needless rate-limiting or changing sshd_config, etc. And it's one more UI element during install (and presumably something that could set in a kickstart file as well as a result). -- Vincent Danen / Red Hat Security Response Team -- security mailing list security(a)lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/security

Isn't that only part of the solution?  Why would we ever need to have PermitRootLogin to true?  My memory is a little rusty but I'm pretty sure the install forces the creation of a user account. 

I've never done a headless install so I know nothing about how that works.  However, we shouldn't let a minority of installations compromise the security of the majority.  As someone has already pointed out, can't they have a different spin to allow whatever they might need?

Are there any other services that are listening by default and allowed through the firewall?  I believe there should be none of either.  However, I have been called paranoid in the past.  :)

Isn't that only part of the solution? Why would we ever need to have PermitRootLogin to true? My memory is a little rusty but I'm pretty sure the install forces the creation of a user account.

I've never done a headless install so I know nothing about how that works. However, we shouldn't let a minority of installations compromise the security of the majority. As someone has already pointed out, can't they have a different spin to allow whatever they might need?

Are there any other services that are listening by default and allowed through the firewall? I believe there should be none of either. However, I have been called paranoid in the past. :)