Default Fedora installation suffers from egregious configuration flaw

Vincent Danen vdanen at redhat.com
Thu May 19 15:08:06 UTC 2011 

* [2011-05-19 07:18:38 -0600] Kevin Fenzi wrote:

>On Wed, 18 May 2011 17:35:38 -0700
>dirk cummings <sexynaya2010 at hotmail.com> wrote:
>
>>
>> On a default install of Fedora 14, and also the latest release
>> candidate for 15, the user is presented with:
>>
>> An iptables rule that opens port 22 to the worldsshd service
>> automatically startedsshd_config with default option: PermitRootLogin
>> yes It's like every new install comes with the keys to the castle
>> hanging on outside of the door for anyone who comes knocking.
>>
>> I find this situation a serious oversight in light of the fact that
>> Fedora obviously values security (like selinux, or how the installer
>> forces a minimum password length, etc)
>>
>> Any experienced linux user will know to check iptables and disable
>> unnecessary services, but I wouldn't expect this from a new linux
>> user (exactly the people the refreshed GNOME experience is supposed
>> to attract).  I think the default configuration should be in the name
>> of security, and sshd should not be listening on a default port with
>> an open rule with root login enabled.
>
>The reason for this has been headless installs. Ie, if you install via
>vnc or the like, and finish the install and reboot and don't have
>access to the physical console, ssh is your only way to access the
>newly installed machine and setup accounts, etc.
>
>If someone can come up with a solution that covers this case, we could
>revisit this, but it's not an case thats easy to fix in any kind of
>clean way. ;(
>
>If it's brute force attacks that are the vector of concern, perhaps we
>could look at a default hashlimit rule in front of the ssh. (ie, 1
>attempt per minute or the like).

Or simply have a page asking the user whether or not to enable ssh?  I
can't recall off the top of my head, but I believe there is a screen
where you ask if you want the firewall enabled, right?  Why not have a
very obvious checkbox: "[ ] Enable ssh at boot" and if the user checks
it off, set the firewall to allow ssh and turn ssh on.  If the user does
_not_ check it off (aka they are sitting back and saying "what is this
ssh thing they speak of?") then have the firewall block port 22 and
chkconfig ssh off.

It's not difficult.  Those who need ssh will know what it is and will
turn it on.  Those who don't (probably the majority) will leave it off
and be protected.

I think that would cover all areas of concern without
unnecessary/needless rate-limiting or changing sshd_config, etc.  And
it's one more UI element during install (and presumably something that
could set in a kickstart file as well as a result).

-- 
Vincent Danen / Red Hat Security Response Team

More information about the security mailing list