Default Fedora installation suffers from egregious configuration flaw
joe_wulf at yahoo.com
Thu May 19 17:02:32 UTC 2011
+1 vote for the solution you recommended, Vincent.
----- Original Message ----
> From: Vincent Danen <vdanen at redhat.com>
> To: Kevin Fenzi <kevin at scrye.com>
> Cc: security at lists.fedoraproject.org
> Sent: Thu, May 19, 2011 11:08:06 AM
> Subject: Re: Default Fedora installation suffers from egregious configuration
> * [2011-05-19 07:18:38 -0600] Kevin Fenzi wrote:
> >On Wed, 18 May 2011 17:35:38 -0700
> >dirk cummings <sexynaya2010 at hotmail.com> wrote:
> >> On a default install of Fedora 14, and also the latest release
> >> candidate for 15, the user is presented with:
> >> An iptables rule that opens port 22 to the world
> >> sshd service automatically started
> >> sshd_config with default option: PermitRootLogin yes
> >> It's like every new install comes with the keys to the castle
> >> hanging on outside of the door for anyone who comes knocking.
> >> I find this situation a serious oversight in light of the fact that
> >> Fedora obviously values security (like selinux, or how the installer
> >> forces a minimum password length, etc)
> >> Any experienced linux user will know to check iptables and disable
> >> unnecessary services, but I wouldn't expect this from a new linux
> >> user (exactly the people the refreshed GNOME experience is supposed
> >> to attract). I think the default configuration should be in the name
> >> of security, and sshd should not be listening on a default port with
> >> an open rule with root login enabled.
> >The reason for this has been headless installs. I.e., if you install via
> >vnc or the like, and finish the install and reboot and don't have
> >access to the physical console, ssh is your only way to access the
> >newly installed machine and setup accounts, etc.
> >If someone can come up with a solution that covers this case, we could
> >revisit this, but it's not a case that's easy to fix in any kind of
> >clean way. ;(
> >If it's brute force attacks that are the vector of concern, perhaps we
> >could look at a default hashlimit rule in front of the ssh. (i.e., 1
> >attempt per minute or the like).
> Or simply have a page asking the user whether or not to enable ssh? I
> can't recall off the top of my head, but I believe there is a screen
> where you ask if you want the firewall enabled, right? Why not have a
> very obvious checkbox: "[ ] Enable ssh at boot" and if the user checks
> it off, set the firewall to allow ssh and turn ssh on. If the user does
> _not_ check it off (aka they are sitting back and saying "what is this
> ssh thing they speak of?") then have the firewall block port 22 and
> chkconfig ssh off.
> It's not difficult. Those who need ssh will know what it is and will
> turn it on. Those who don't (probably the majority) will leave it off
> and be protected.
> I think that would cover all areas of concern without
> unnecessary/needless rate-limiting or changing sshd_config, etc. And
> it's one more UI element during install (and presumably something that
> could be set in a kickstart file as well as a result).
> Vincent Danen / Red Hat Security Response Team
> security mailing list
> security at lists.fedoraproject.org
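An added example, not part of the thread or of any Fedora tooling: a small audit of the three defaults listed in the original report (open port 22 rule, sshd started at boot, root login permitted), run over `sshd_config` text, `iptables-save` output and a `chkconfig --list sshd` line. The function names and sample inputs are constructed for illustration, and the fallback `PermitRootLogin yes` is an assumption matching OpenSSH releases of that period.

```python
def permit_root_login(sshd_config, default="yes"):
    """Effective global PermitRootLogin: sshd keeps the first value it reads,
    keywords are case-insensitive, a Match block ends the global section."""
    for raw in sshd_config.splitlines():
        parts = raw.split("#", 1)[0].replace("=", " ").split()
        if parts and parts[0].lower() == "match":
            break
        if len(parts) > 1 and parts[0].lower() == "permitrootlogin":
            return parts[1].lower()
    return default  # assumption: built-in default of that era's OpenSSH

def open_ssh_rules(iptables_save, port="22"):
    """INPUT rules that ACCEPT tcp/<port> from any source with no rate-limit
    match. Narrowed to single-port --dport rules (no multiport or ranges)."""
    hits = []
    for line in iptables_save.splitlines():
        tok = line.split()
        if tok[:2] != ["-A", "INPUT"]:
            continue
        opts = dict(zip(tok, tok[1:]))  # option -> token that follows it
        mods = {b for a, b in zip(tok, tok[1:]) if a in ("-m", "--match")}
        if opts.get("-j") != "ACCEPT" or opts.get("--dport") != port:
            continue
        limited = mods & {"hashlimit", "limit", "recent"}
        if not limited and not {"-s", "--source"} & opts.keys():
            hits.append(line.strip())
    return hits

def starts_at_boot(chkconfig_line):
    """True if a `chkconfig --list sshd` line shows runlevel 3 or 5 on."""
    return bool({"3:on", "5:on"} & set(chkconfig_line.split()))

def audit(sshd_config, iptables_save, chkconfig_line):
    findings = []
    if open_ssh_rules(iptables_save):
        findings.append("tcp/22 accepted from any source, no rate limit")
    if starts_at_boot(chkconfig_line):
        findings.append("sshd starts at boot")
    if permit_root_login(sshd_config) == "yes":
        findings.append("PermitRootLogin yes")
    return findings

# Constructed sample inputs (not captured from a real host).
DEFAULT = ("#PermitRootLogin yes\n",
           "*filter\n-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT\nCOMMIT\n",
           "sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off")
CHANGED = ("PermitRootLogin no\n",
           "*filter\n-A INPUT -p tcp -m tcp --dport 22 -m hashlimit --hashlimit-upto 1/min "
           "--hashlimit-mode srcip --hashlimit-name ssh -j ACCEPT\nCOMMIT\n",
           "sshd 0:off 1:off 2:off 3:off 4:off 5:off 6:off")
```

`audit(*DEFAULT)` reports all three findings; `audit(*CHANGED)` reports none, because the only port 22 rule carries a hashlimit match, sshd is off in every runlevel and root login is set to `no`.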