Default Fedora installation suffers from egregious configuration flaw

Ed Spoon - CSS, Inc. ed.spoon at cssla.com
Thu May 19 16:13:39 UTC 2011


Simple, almost obvious, easy to implement solution. Love it.


On Thu, May 19, 2011 at 10:08 AM, Vincent Danen <vdanen at redhat.com> wrote:

> * [2011-05-19 07:18:38 -0600] Kevin Fenzi wrote:
>
> >On Wed, 18 May 2011 17:35:38 -0700
> >dirk cummings <sexynaya2010 at hotmail.com> wrote:
> >
> >>
> >> On a default install of Fedora 14, and also the latest release
> >> candidate for 15, the user is presented with:
> >>
> >> - An iptables rule that opens port 22 to the world
> >> - sshd service automatically started
> >> - sshd_config with default option: PermitRootLogin yes
> >>
> >> It's like every new install comes with the keys to the castle
> >> hanging on outside of the door for anyone who comes knocking.
> >>
> >> I find this situation a serious oversight in light of the fact that
> >> Fedora obviously values security (like selinux, or how the installer
> >> forces a minimum password length, etc)
> >>
> >> Any experienced linux user will know to check iptables and disable
> >> unnecessary services, but I wouldn't expect this from a new linux
> >> user (exactly the people the refreshed GNOME experience is supposed
> >> to attract).  I think the default configuration should be in the name
> >> of security, and sshd should not be listening on a default port with
> >> an open rule with root login enabled.
> >
> >The reason for this has been headless installs. I.e., if you install via
> >vnc or the like, and finish the install and reboot and don't have
> >access to the physical console, ssh is your only way to access the
> >newly installed machine and setup accounts, etc.
> >
> >If someone can come up with a solution that covers this case, we could
> >revisit this, but it's not a case that's easy to fix in any kind of
> >clean way. ;(
> >
> >If it's brute force attacks that are the vector of concern, perhaps we
> >could look at a default hashlimit rule in front of the ssh. (ie, 1
> >attempt per minute or the like).
>
> Or simply have a page asking the user whether or not to enable ssh?  I
> can't recall off the top of my head, but I believe there is a screen
> where you ask if you want the firewall enabled, right?  Why not have a
> very obvious checkbox: "[ ] Enable ssh at boot" and if the user checks
> it off, set the firewall to allow ssh and turn ssh on.  If the user does
> _not_ check it off (aka they are sitting back and saying "what is this
> ssh thing they speak of?") then have the firewall block port 22 and
> chkconfig ssh off.
>
> It's not difficult.  Those who need ssh will know what it is and will
> turn it on.  Those who don't (probably the majority) will leave it off
> and be protected.
>
> I think that would cover all areas of concern without
> unnecessary/needless rate-limiting or changing sshd_config, etc.  And
> it's one more UI element during install (and presumably something that
> could be set in a kickstart file as well as a result).
>
> --
> Vincent Danen / Red Hat Security Response Team
> --
> security mailing list
> security at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/security
>
>
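
The three defaults listed in the original report can be checked from saved configuration text. The script below is an added example, not part of the thread or of Fedora's tooling; the function names, file arguments and sample inputs are constructed for illustration, and an unset PermitRootLogin is treated as "yes", the default the thread describes.

```shell
#!/bin/sh
# Added example: offline check for the three defaults named in the thread.
# It reads saved text files only; nothing on the running host is changed.

# Effective global PermitRootLogin: sshd keeps the first value it reads.
# Parsing stops at the first Match block. Assumption: unset means "yes",
# the default the thread describes.
permit_root_login() {
    awk 'tolower($1) == "match" { exit }
         tolower($1) == "permitrootlogin" { v = tolower($2); exit }
         END { print (v == "" ? "yes" : v) }' "$1"
}

# True if an iptables-save dump has an INPUT rule accepting port 22
# (single-port "--dport 22" form only).
port22_accepted() {
    grep -Eq -- '^-A INPUT .*--dport 22 .*-j ACCEPT' "$1"
}

# True if saved `chkconfig --list sshd` output shows runlevel 3 or 5 on.
sshd_on_at_boot() {
    grep -Eq '^sshd[[:space:]].*[35]:on' "$1"
}

# Usage: audit SSHD_CONFIG IPTABLES_SAVE CHKCONFIG_LIST
# Prints one line per finding.
audit() {
    if [ "$(permit_root_login "$1")" = yes ]; then
        echo "FINDING: PermitRootLogin is yes"
    fi
    if port22_accepted "$2"; then
        echo "FINDING: firewall accepts TCP port 22"
    fi
    if sshd_on_at_boot "$3"; then
        echo "FINDING: sshd is started at boot"
    fi
}

# Constructed sample inputs modelling the default install described above.
d=$(mktemp -d)
printf '%s\n' '#PermitRootLogin yes' 'Protocol 2' > "$d/sshd_config"
printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' \
    '-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT' \
    'COMMIT' > "$d/rules"
printf 'sshd\t0:off\t1:off\t2:on\t3:on\t4:on\t5:on\t6:off\n' > "$d/chkconfig"
audit "$d/sshd_config" "$d/rules" "$d/chkconfig"
rm -rf "$d"
```

On a live system the three inputs would come from /etc/ssh/sshd_config, `iptables-save` and `chkconfig --list sshd`.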