Default Fedora installation suffers from egregious configuration flaw
Jóhann B. Guðmundsson
johannbg at gmail.com
Thu May 19 09:14:00 UTC 2011
On 05/19/2011 08:26 AM, Paul Howarth wrote:
> On 19/05/11 01:35, dirk cummings wrote:
>> On a default install of Fedora 14, and also the latest release candidate
>> for 15, the user is presented with:
>>
>> * An iptables rule that opens port 22 to the world
>> * sshd service automatically started
>> * sshd_config with default option: PermitRootLogin yes
>>
>>
>> It's like every new install comes with the keys to the castle hanging on
>> the outside of the door for anyone who comes knocking.
>>
>> I find this situation a serious oversight in light of the fact that
>> Fedora obviously values security (like selinux, or how the installer
>> forces a minimum password length, etc)
>>
>> Any experienced Linux user will know to check iptables and disable
>> unnecessary services, but I wouldn't expect this from a new Linux user
>> (exactly the people the refreshed GNOME experience is supposed to
>> attract). I think the default configuration should be in the name of
>> security, and sshd should not be listening on a default port with an
>> open rule with root login enabled.
> Things have been like this since, well, forever. See discussions here:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=89216
> https://bugzilla.redhat.com/show_bug.cgi?id=136289
Note that saying that it has been like this forever is not a valid point.
We have had incident reports here on the university network where
novice end users, both staff and students, installed Fedora on their
laptop/workstation and, to no surprise, were instantly exposed to brute
force attacks with absolutely no idea about it; heck, those users did
not even know what ssh was in the first place.
There is no warning or option to disable sshd in Anaconda, and the novice
end user receives no notification about someone trying to connect to
ssh, so he is absolutely clueless when that happens; even if he knows
how to react when that occurs, he still has no idea if/when it's happening.
I think this only applies to installs from the default DVD, not the live
CD/USB images.
And this is a valid concern.
JBG
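An added audit script for two of the defaults the original post lists (the sshd_config PermitRootLogin setting and the iptables rule accepting tcp/22 from any source); it is not code from the thread or from Fedora, the sample files are constructed inline so it runs offline, and it assumes the OpenSSH 5.x behaviour that an absent PermitRootLogin directive means "yes" (the service-enabled check is left out because it needs chkconfig/systemctl on a live host).

```shell
#!/bin/sh
# Added audit check (not from the thread or Fedora) for two of the listed
# defaults; sample inputs are constructed below so it runs offline.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Constructed sshd_config samples; the stock file only carries the directive
# commented out, so the compiled-in default applies.
printf '%s\n' '#PermitRootLogin yes' 'Subsystem sftp /usr/libexec/openssh/sftp-server' \
    > "$SAMPLE_DIR/sshd_config.stock"
printf '%s\n' 'PermitRootLogin no' > "$SAMPLE_DIR/sshd_config.hardened"
# Duplicate directive: sshd keeps the FIRST occurrence, so this is still "no".
printf '%s\n' 'PermitRootLogin no' 'PermitRootLogin yes' > "$SAMPLE_DIR/sshd_config.dup"
# Constructed iptables-save output: the stock rule accepts tcp/22 from any
# source; the hardened copy limits it to a management network.
cat > "$SAMPLE_DIR/iptables.stock" <<'EOF'
*filter
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
sed 's|-p tcp --dport 22|-p tcp -s 192.0.2.0/24 --dport 22|' \
    "$SAMPLE_DIR/iptables.stock" > "$SAMPLE_DIR/iptables.hardened"

# Effective PermitRootLogin: first uncommented occurrence outside a Match
# block wins; if absent, the compiled-in default applies, which was "yes"
# in the OpenSSH 5.x builds Fedora 14/15 shipped (7.0 later changed it).
permit_root_login() {
    v=$(awk '
        /^[[:space:]]*(#|$)/ { next }               # comments, blank lines
        tolower($1) == "match" { in_match = 1 }     # per-connection section
        !in_match && tolower($1) == "permitrootlogin" { print tolower($2); exit }
    ' "$1")
    [ -n "$v" ] || v=yes
    echo "$v"
}

# Returns 0 when an INPUT rule accepts tcp/22 with no -s source restriction.
ssh_open_to_world() {
    grep -E '^-A INPUT .*-p tcp.*--dport 22 .*-j ACCEPT' "$1" \
        | grep -v -e ' -s ' | grep -q .
}

for variant in stock hardened; do
    echo "$variant: PermitRootLogin=$(permit_root_login "$SAMPLE_DIR/sshd_config.$variant")"
    ssh_open_to_world "$SAMPLE_DIR/iptables.$variant" \
        && echo "$variant: tcp/22 open to any source" || echo "$variant: tcp/22 restricted"
done
```

On a real host, point the two functions at /etc/ssh/sshd_config and the output of iptables-save instead of the constructed samples.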