Re: philosophy

On 03/25/2016 02:38 AM, François Patte wrote:
On 24/03/2016 17:01, Christopher wrote:
On Wed, Mar 23, 2016 at 8:06 PM Rick Stevens <ricks@xxxxxxxxxxxxxx
<mailto:ricks@xxxxxxxxxxxxxx>> wrote:

     On 03/23/2016 04:31 PM, George N. White III wrote:
     > On Wed, Mar 23, 2016 at 7:57 PM, François Patte
     > <francois.patte@xxxxxxxxxxxxxxxxxxxx
     <mailto:francois.patte@xxxxxxxxxxxxxxxxxxxx>
     > <mailto:francois.patte@xxxxxxxxxxxxxxxxxxxx
     <mailto:francois.patte@xxxxxxxxxxxxxxxxxxxx>>> wrote:

[snip]

     This is a security issue. Automatically opening your firewall to permit
     ipp and such could be inviting attacks from the outside world.
     Obviously, if your machine is behind another firewall protecting you
     from the big, bad Internet then yeah, there's really no problem with
     opening up ipp and such on your _machine's_ firewall.


"This is a security issue". This is the magic invocation! But in this --
configuration of a printer -- what is an alternate solution? You *must*
open the port 631! If it is not automatically done while configuring cups,
you will have to open it manually! Except in the case of a USB
configuration for a local printer. Nowadays, most people have several
computers at home and only one printer for everybody, so you must have a
network computer configuration and port 631 must be open by default.

Port 631 only needs to be opened for _networked_ printers--not local
printers. While I agree that most people use networked printers (does
anyone remember the old Centronics interface?), blithely opening up
firewalls is asking for trouble. IPP, while fairly secure and bug-free
at the present time, can still be attacked. A new release of the
underlying IPP stack may open a security hole (it's happened in the
past).

Many, MANY internet attacks have been perpetrated because of Windows'
complete lack of firewall security in previous incarnations and its
inherent can o' worms internals. Those old Windows OSes have been
pirated so often that we still are dealing with it.

The fact that any given RPM may "require" other RPMs during the
install, and one of those other RPMs (which may seem to be totally
unrelated) might have a security hole, do you really want one of those
RPMs to open your firewall and expose your system?

It is up to sysadmins to open (or not open) firewall ports as they see
fit. Every system/network/installation is different. If you aren't aware
of the ramifications of what you're doing, you shouldn't be a sysadmin
and firewall punching SURELY shouldn't be an automatic thing!

Talking about security, it would be better to talk about ssh! Port 22 is
open by default in a fresh install, worse: root login is enabled by
default in the ssh config file! If you want more security, ssh root login
should be disabled, even (I think) RSA authentication should be the
only way to connect through ssh! But it is not done by default when you
install Fedora (or other distributions).

I agree root login should be disabled and I believe that's the plan for
the next release. However, you can't disable password authentication
_initially_ as there would be no way to install your RSA keys on the
remote machine without it (sort of like a can with the can opener
inside).

Part of our install process is to disable ssh root logins, use LDAP
authentication (over SSL) from a central server farm, move ssh from its
default port, and force login timeouts (simple addition of
"readonly TMOUT=900;export TMOUT" to the end of /etc/profile -- no
activity in 900 seconds logs you out). The machines are then subject to
an automated audit that verifies these things have been done. The audit
can't check everything (e.g. the root password may not be the one we
"standardize" on so you can't necessarily tell if root ssh is disabled or
you just don't know the password), but it's better than "hoping for the
best". We also use VLANs extensively and have extremely restrictive ACLs
on our routers.
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer, AllDigital    ricks@xxxxxxxxxxxxxx -
- AIM/Skype: therps2        ICQ: 226437340           Yahoo: origrps2 -
-                                                                    -
-      If you are what you eat, then I'm fast, cheap and greasy!     -
----------------------------------------------------------------------
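Added example, not part of Rick's post or of any Fedora tooling: a small POSIX shell audit in the spirit of the automated check he describes. It reads an sshd_config-style file and reports whether root login and password authentication are disabled, and checks a profile file for a readonly TMOUT no larger than a given limit. The function names (sshd_effective, audit_sshd, audit_tmout), the 900-second limit (taken from his TMOUT line), and the sample files written to temp paths are all constructed for this example; on a real host you would point the functions at /etc/ssh/sshd_config and /etc/profile.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal sshd/profile hardening audit.

# sshd_effective KEY FILE: print the effective value of KEY in an
# sshd_config-style file, lowercased. sshd honours the FIRST non-comment
# occurrence of a keyword, so we stop at the first match. Prints nothing
# when the key is absent (i.e. the compiled-in default applies).
# Caveat: this ignores Match blocks and Include directives; on a live host,
# `sshd -T` (run as root) prints the fully resolved configuration.
sshd_effective() {
    awk -v key="$1" '
        /^[[:space:]]*#/ { next }                      # skip comments
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$2"
}

# audit_sshd FILE: return 0 when PermitRootLogin and PasswordAuthentication
# are both explicitly "no"; otherwise print the findings and return 1.
# An absent key is treated as a failure: the compiled-in default depends on
# the OpenSSH version and may be permissive, so the audit wants it spelled out.
audit_sshd() {
    rc=0
    root=$(sshd_effective PermitRootLogin "$1")
    pw=$(sshd_effective PasswordAuthentication "$1")
    [ "$root" = "no" ] || { echo "FAIL: PermitRootLogin is '${root:-unset}'"; rc=1; }
    [ "$pw" = "no" ]   || { echo "FAIL: PasswordAuthentication is '${pw:-unset}'"; rc=1; }
    return $rc
}

# audit_tmout FILE MAX: return 0 when FILE sets TMOUT to a value between 1
# and MAX seconds AND marks it readonly (so a shell user cannot unset the
# timeout); return 1 otherwise.
audit_tmout() {
    awk -v max="$2" '
        /^[[:space:]]*#/ { next }
        match($0, /TMOUT=[0-9]+/) {
            val = substr($0, RSTART + 6, RLENGTH - 6) + 0   # digits after "TMOUT="
            if (val > 0 && val <= max && $0 ~ /readonly[[:space:]]+TMOUT=/) ok = 1
        }
        END { exit ok ? 0 : 1 }
    ' "$1"
}

# --- Constructed sample inputs (not real host files) ---------------------
weak=$(mktemp); hardened=$(mktemp); profile=$(mktemp)
printf '%s\n' '# sshd_config as shipped (constructed sample)' \
    '#PermitRootLogin yes' 'PasswordAuthentication yes' > "$weak"
printf '%s\n' 'PermitRootLogin no' 'PasswordAuthentication no' \
    'PubkeyAuthentication yes' > "$hardened"
printf '%s\n' '# tail of /etc/profile (constructed sample)' \
    'readonly TMOUT=900;export TMOUT' > "$profile"

# Run the audits; each call is guarded so the script keeps going under set -e.
audit_sshd "$weak"     && echo "weak sshd_config: PASS"     || echo "weak sshd_config: FAIL (expected)"
audit_sshd "$hardened" && echo "hardened sshd_config: PASS" || echo "hardened sshd_config: FAIL"
audit_tmout "$profile" 900 && echo "profile TMOUT: PASS"    || echo "profile TMOUT: FAIL"

rm -f "$weak" "$hardened" "$profile"
```

The check deliberately insists on an explicit "no" rather than trusting defaults, which mirrors Rick's point that an audit should verify what was actually configured rather than assume it.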