Default Fedora installation suffers from egregious configuration flaw

"Jóhann B. Guðmundsson" johannbg at gmail.com
Thu May 19 13:46:20 UTC 2011


On 05/19/2011 01:18 PM, Kevin Fenzi wrote:
> The reason for this has been headless installs. I.e., if you install via
> VNC or the like, finish the install and reboot, and don't have
> access to the physical console, ssh is your only way to access the
> newly installed machine and set up accounts, etc.
>
> If someone can come up with a solution that covers this case, we could
> revisit this, but it's not a case that's easy to fix in any kind of
> clean way. ;(
>
> If it's brute force attacks that are the vector of concern, perhaps we
> could look at a default hashlimit rule in front of ssh (i.e., 1
> attempt per minute or the like).

I would think admins that are doing headless installs would be doing them 
via PXE+Cobbler with .ks files, not via the DVD.

If they do, they should create their own ISO for that case, or have the 
Server SIG spin one for them, since we hand out the DVD to novice end users.

Anyway, an interesting discussion came out of this thread at work on 
who is legally liable for any harm or financial damage that might be 
caused by bad default options like this, which I have now forwarded to 
legal to clarify.

JBG
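The hashlimit rule Kevin sketches above, written out as an added example that is not code from this thread, from Fedora or from its firewall tooling. It goes a little beyond the one-line sketch: new SSH connections are throttled per source address, excess attempts are logged (with the log itself rate-limited) and dropped, and an optional trusted network can bypass the limit so the admin doing a headless install is never throttled. The chain name SSH_LIMIT, the 1/min rate, the burst of 3, the log prefix and the trusted network are all values assumed here for illustration.

```shell
#!/bin/sh
# Added example, not from the thread or from Fedora: a per-source-IP
# throttle on new SSH connections using the iptables hashlimit match.
# Chain name, rate, burst, log prefix and trusted network are assumptions.

# Print an iptables-restore fragment. Connections within the budget RETURN
# to the rest of INPUT (where the distribution's own rule accepts ssh);
# everything else is logged and dropped.
#   $1 port   $2 sustained rate (e.g. 1/min)   $3 burst
#   $4 optional CIDR that bypasses the limit (the admin network used for
#      a headless install); empty means no bypass
ssh_ratelimit_rules() {
    port=$1 rate=$2 burst=$3 trusted=$4
    printf '%s\n' '*filter' ':SSH_LIMIT - [0:0]'
    printf '%s\n' "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j SSH_LIMIT"
    if [ -n "$trusted" ]; then
        printf '%s\n' "-A SSH_LIMIT -s $trusted -j RETURN"
    fi
    # hashlimit keeps one token bucket per source address (--hashlimit-mode
    # srcip). --hashlimit-upto matches while the source is at or under the
    # rate, with $burst tokens to spare, so a few mistyped passwords from a
    # legitimate admin do not trigger the drop.
    printf '%s\n' "-A SSH_LIMIT -m hashlimit --hashlimit-name ssh --hashlimit-mode srcip --hashlimit-upto $rate --hashlimit-burst $burst -j RETURN"
    # Log the excess, but never more than 6 lines a minute, so a flood of
    # attempts cannot fill the disk with log entries.
    printf '%s\n' '-A SSH_LIMIT -m limit --limit 6/min -j LOG --log-prefix "ssh-ratelimit: "'
    printf '%s\n' '-A SSH_LIMIT -j DROP'
    printf '%s\n' 'COMMIT'
}

# Number of -A rules in the fragment; a quick sanity check before loading.
ssh_ratelimit_rule_count() {
    ssh_ratelimit_rules "$@" | grep -c '^-A '
}

# Load the fragment on top of the existing ruleset (root only).
ssh_ratelimit_apply() {
    ssh_ratelimit_rules "$@" | iptables-restore --noflush
}

# Dry run: print the fragment for review.
ssh_ratelimit_rules 22 1/min 3 "${SSH_TRUSTED_NET:-}"
```

Two caveats worth keeping in mind with this kind of rule. The bucket is keyed on source address, so it slows a single host guessing passwords but does nothing against attempts spread across many addresses, and an attacker behind the same NAT as the admin will exhaust the admin's budget too; a trusted-network bypass or key-only authentication is the fix for that, not a smaller rate. And because `iptables-restore --noflush` appends, loading the fragment twice leaves duplicate rules in SSH_LIMIT; load it once, or put it in the distribution's saved ruleset instead.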

