Re: A Topic that needs to be discussed on next the QA meeting..

On Tue, Mar 18, 2008 at 09:16:12AM +0100, Tomas Mraz wrote:
> Nope, bad analogy. Having sshd open by default is to ship the car with
> remote keys enabled by default vs. giving the driver remote keys but
> request him to add a fuse to the fuse box if he wants to switch on the
> receiver.

Firstly, this is untrue. The usual access is the console. Secondly, the
configuration is not a fuse box; it's far simpler and graphical.

Almost the first rule of security is "deny everything" [Certain presidents
misunderstood the context ;)]. If a user cannot use ssh they will then rectify
the setting; if they can use it but do not need it they will not notice.

Nor is this an idle consideration. My external boxes with ssh ports regularly
get dictionary attacks, and those *will* break into some systems
with poorer passwords eventually.

So, quite simply, we should ship sshd firewalled. At the most extreme end we
should ship sshd off and instead return an immediate error string saying
sshd disabled, but audit that code very, very carefully!

-- 
fedora-test-list mailing list
fedora-test-list@xxxxxxxxxx
To unsubscribe: 
https://www.redhat.com/mailman/listinfo/fedora-test-list
