Re: Default Fedora installation suffers from egregious configuration flaw

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 05/19/2011 08:26 AM, Paul Howarth wrote:
> On 19/05/11 01:35, dirk cummings wrote:
>> On a default install of Fedora 14, and also the latest release candidate
>> for 15, the user is presented with:
>>
>>      * An iptables rule that opens port 22 to the world
>>      * sshd service automatically started
>>      * sshd_config with default option: PermitRootLogin yes
>>
>>
>> It's like every new install comes with the keys to the castle hanging on
>> outside of the door for anyone who comes knocking.
>>
>> I find this situation a serious oversight in light of the fact that
>> Fedora obviously values security (like selinux, or how the installer
>> forces a minimum password length, etc)
>>
>> Any experienced linux user will know to check iptables and disable
>> unnecessary services, but I wouldn't expect this from a new linux user
>> (exactly the people the refreshed GNOME experience is supposed to
>> attract). I think the default configuration should be in the name of
>> security, and sshd should not be listening on a default port with an
>> open rule with root login enabled.
> Things have been like this since, well, forever. See discussions here:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=89216
> https://bugzilla.redhat.com/show_bug.cgi?id=136289

Note that saying that it has been like this for ever is not a valid point.

We have had incident reports here on the university network where a 
novice end user both staff and students installed Fedora on their 
laptop/workstation and to no surprise were instantly exposed to brute 
force attacks without absolutely no idea about it heck those users did 
not even know what ssh is in the first place.

There is no warning or option to disable sshd in Anaconda and the novice 
end user receives no notifications about someone trying to connect to 
ssh so he is absolutely clueless when that happens so even if he knows 
how to react when that occurs he still has no idea if/when it's happening.

I think this only applies to install of the default dvd not the live 
cd/usb images

And this is a valid concern.

JBG
--
security mailing list
security@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/security


[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Coolkey]

  Powered by Linux