SSH on by default? (Was: too many deamons by default - F7 test 2 live cd)
Thomas M Steenholdt
tmus at tmus.dk
Tue Mar 20 09:42:55 UTC 2007
Nicolas Mailhot wrote:
>
> Disabling ssh is not a good solution, many people need it. However the
> default fedora ssh setup is woefully insecure
>
> At least ssh rate-limiting should be in the default firewall install.
> Pam_abl would be even better (for other network services)
>
Blacklisting opens the potential for denial-of-service attacks. I'm not
too familiar with the pam_abl implementation, but we should at least be
very cautious if we choose to include and enable such features by default.
Same thing goes for rate-limiting.
I'm not saying that either of these are *bad*. I'm saying that for
default setups, we need to be very cautious with these things.
A more direct, less intrusive (for some/most) approach would perhaps be
to disallow root logins by default?!?
/Thomas
More information about the devel
mailing list