On 05/19/2011 08:26 AM, Paul Howarth wrote:
> On 19/05/11 01:35, dirk cummings wrote:
>> On a default install of Fedora 14, and also the latest release candidate
>> for 15, the user is presented with:
>>
>> * An iptables rule that opens port 22 to the world
>> * sshd service automatically started
>> * sshd_config with default option: PermitRootLogin yes
>>
>> It's like every new install comes with the keys to the castle hanging on
>> the outside of the door for anyone who comes knocking.
>>
>> I find this situation a serious oversight in light of the fact that
>> Fedora obviously values security (like SELinux, or how the installer
>> forces a minimum password length, etc.).
>>
>> Any experienced Linux user will know to check iptables and disable
>> unnecessary services, but I wouldn't expect this from a new Linux user
>> (exactly the people the refreshed GNOME experience is supposed to
>> attract). I think the default configuration should be in the name of
>> security, and sshd should not be listening on a default port with an
>> open rule with root login enabled.
>
> Things have been like this since, well, forever. See discussions here:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=89216
> https://bugzilla.redhat.com/show_bug.cgi?id=136289

Note that saying it has been like this forever is not a valid point.

We have had incident reports here on the university network where novice end users, both staff and students, installed Fedora on their laptop/workstation and, to no surprise, were instantly exposed to brute-force attacks with absolutely no idea about it. Heck, those users did not even know what ssh is in the first place.

There is no warning or option to disable sshd in Anaconda, and the novice end user receives no notification about someone trying to connect to ssh, so he is absolutely clueless when that happens. Even if he knows how to react when that occurs, he still has no idea if/when it's happening.
I think this only applies to installs from the default DVD, not the live CD/USB images. And this is a valid concern.

JBG

-- 
security mailing list
security@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/security
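The three defaults the original poster lists can be audited mechanically. The following shell script is an added example written for this page; it is not code from the thread, from Fedora or from OpenSSH. It takes the sshd_config text, the iptables-save output and the sshd enablement state as arguments so it can run offline against the constructed samples embedded below, and it assumes two things stated in its comments: that sshd honours the first matching PermitRootLogin directive and treats an absent directive as "yes" (the OpenSSH 5.x behaviour of the Fedora 14/15 era), and that the config contains no Match blocks, which the parser does not handle. The hostname-free network 192.0.2.0/24 in the hardened sample is a documentation range chosen for illustration.

```shell
#!/bin/sh
# Added audit example (not from the mailing-list thread): check a host for the
# three Fedora 14/15 defaults the poster objects to. Inputs are passed as text
# so the functions run against the constructed samples below or, on a real
# host as root, against:
#   audit_ssh_defaults "$(cat /etc/ssh/sshd_config)" "$(iptables-save)" \
#                      "$(systemctl is-enabled sshd.service)"   # Fedora 15
# (on Fedora 14 derive the third argument from "chkconfig sshd --list").

# Effective PermitRootLogin. Assumption: sshd uses the FIRST matching
# directive, and when it is absent the OpenSSH 5.x default is "yes", so a
# stock config whose only mention is the commented "#PermitRootLogin yes"
# still permits root login. Match blocks are not handled (assumption).
permit_root_login() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ { next }                                   # skip comments
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "yes" }'
}

# "yes" if an INPUT rule accepts TCP port 22 from any source, "no" otherwise.
# Matches the iptables-save form of the stock Fedora rule:
#   -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# A rule carrying a "-s" source restriction is not counted as open to the world.
ssh_open_to_world() {
    printf '%s\n' "$1" | awk '
        /^-A INPUT / && /-p tcp/ && /--dport 22([^0-9]|$)/ && /-j ACCEPT/ && !/ -s / {
            print "yes"; found = 1; exit
        }
        END { if (!found) print "no" }'
}

# Run all three checks and print one finding per line.
#   $1 sshd_config text, $2 iptables-save text, $3 "enabled" or "disabled"
audit_ssh_defaults() {
    if [ "$3" = "enabled" ]; then
        echo "sshd is enabled at boot"
    fi
    if [ "$(ssh_open_to_world "$2")" = "yes" ]; then
        echo "iptables accepts tcp/22 from any source"
    fi
    if [ "$(permit_root_login "$1")" = "yes" ]; then
        echo "PermitRootLogin is effectively yes: brute force can target root directly"
    fi
}

# Number of findings (0 means nothing to report).
finding_count() {
    audit_ssh_defaults "$@" | awk 'END { print NR }'
}

# Constructed samples standing in for a stock install (not captured from a
# real machine). Note the PermitRootLogin line is commented out, as shipped.
STOCK_SSHD_CONFIG='# Authentication:
#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
PasswordAuthentication yes
UsePAM yes'

STOCK_IPTABLES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Hardened counterparts. The trailing duplicate "PermitRootLogin yes" is
# deliberate: it is ignored because the first directive wins.
HARDENED_SSHD_CONFIG='PermitRootLogin no
PasswordAuthentication no
PermitRootLogin yes'

HARDENED_IPTABLES='*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.0.2.0/24 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'
```

Run against the stock samples with sshd "enabled" the audit reports all three findings; against the hardened samples with sshd "disabled" it reports none. The awk parsers are deliberately narrow (one chain, one port, no Match blocks), which is the right trade-off for a first-boot sanity check but not a substitute for reading the real configuration on anything that matters.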