Fedora Linux Support Community & Resources Center

Go Back   FedoraForum.org > Fedora 19/20 > Security and Privacy
FedoraForum Search

Forgot Password? Join Us!

Security and Privacy Sadly, malware, spyware, hackers and privacy threats abound in today's world. Let's be paranoid and secure our penguins, and slam the doors on privacy exploits.

Reply
 
Thread Tools Search this Thread Display Modes
  #1  
Old 18th October 2004, 07:37 AM
superbnerd
Guest
 
Posts: n/a
SSHD on by Default

All knowledgeable linux users:

Can someone please explain to me why sshd is activated by default? I know (one would hope) the redhat developers a wise, yet how could they be so blind as to activate a remote login service by default? I had reported several months ago that there was a *nix worm that attempts to login to systems via ssh as root, test, and guest. The genius developers did not even disable remote root login.

How can we protect linux from the influx of newbies if the developers are working against us? Perhaps they assume that linux users are knowledgeable about their systems and thus should know to disable unused services. That would not make much sense becuase if the linux users were knowledgeable enought to know that, they would perfer the service be disable unless explicitly enabled. That is always the more secure default.

Hopefully soon, fedora will become more open to community involvement. Then we can secure our distro ourselves. I though the newbies would kill off linux. Apparently its the developers. Please correct me if I am wrong in thinking disabling remote login by default will prevent or at least slow the newbies from being unwittingly rooted.
Reply With Quote
  #2  
Old 18th October 2004, 08:24 AM
Emily Offline
Registered User
 
Join Date: Oct 2004
Posts: 49
I just think anaconda could use an extra page for the custom install where you can pick what services to use (for personal desktop, turn off some of the more server-y things like sshd and ftpd, but for custom, you can pick from a list)
Reply With Quote
  #3  
Old 18th October 2004, 08:29 AM
superbnerd
Guest
 
Posts: n/a
That would be excellent because I always do a custom install, but the default of activating it without warning is just neglectful. How can they get away with this?
Reply With Quote
  #4  
Old 18th October 2004, 01:24 PM
kosmosik Offline
Registered User
 
Join Date: Apr 2004
Location: Warsaw, Poland
Age: 33
Posts: 1,085
well it is on by default but still you have to enable it on firewall... not to good aproach but you can't say it is exposed by default - you must manually switch it on. I guess sshd is on by default since you can do headless install with Fedora (fro install script or via VNC) so you need some way to login after instalation is done... I think it is quite casual. in fact it does not change security dramatically - experienced admin knows his system and knows that sshd is on by default and can react poperly, unexperienced admin is still unexperienced so it does not change a lot
Reply With Quote
  #5  
Old 18th October 2004, 01:43 PM
Emily Offline
Registered User
 
Join Date: Oct 2004
Posts: 49
but it'd still be a great page to add to the anaconda installer, I wonder if I could get the source and write a patch... where would I start, to do something like that ? I need to know Python, dont I ?
Reply With Quote
  #6  
Old 18th October 2004, 02:35 PM
Varkk Offline
Registered User
 
Join Date: Mar 2004
Location: New Zealand
Age: 35
Posts: 287
I think it relates back to the fact that Redhat is concentrating on server installs which are usually headless, with all management done remotely. In which case having sshd active by default makes sense, but yeah, adding a step to the install procedure to configure which services are running initially would be an excellent idea.
Reply With Quote
  #7  
Old 18th October 2004, 04:24 PM
blammo Offline
Registered User
 
Join Date: May 2004
Location: That toddlin' town...
Posts: 296
Quote:
Originally Posted by superbnerd
That would be excellent because I always do a custom install, but the default of activating it without warning is just neglectful. How can they get away with this?
SSHD had been activated by default in a server install at least since the RH 7.0 days, probably earlier. I agree that root login should be disabled by default though. Also, strong passwords should be used, not ones in a dictionary or too simplistic. I need to have port 22 open on my machines for administration, and I've never been compromised.
Reply With Quote
  #8  
Old 18th October 2004, 10:03 PM
superbnerd
Guest
 
Posts: n/a
Quote:
Originally Posted by kosmosik
well it is on by default but still you have to enable it on firewall...I guess sshd is on by default since you can do headless install with Fedora (fro install script or via VNC) so you need some way to login after instalation is done...
Correct me if I am worng, but it wouldn't help to have ssh enable becuase the firewall is up. How can you remotely login after startup if the firewall is blocking ssh and vnc unless you configured the firewall during install. At this point we might as well just configure the services at installation time as well. Of course we would want that to be in an advanced pages that normal users aren't bothered with. Which would mean we would still want to disable it by default becuase the newbies will just click Next > Next > Finish.

@Emily
Yes I beliven you need to know python. If you are interested, join the developers mailing list and get invovled in their discussions.
Reply With Quote
  #9  
Old 19th October 2004, 03:44 AM
Emily Offline
Registered User
 
Join Date: Oct 2004
Posts: 49
Lightbulb

good idea ! thanks, I'll find the mailing list, maybe look in the archive or something... oh isn't there a #fedora-devel on Freenode ? maybe I'll check that out

it's just a matter of taking a page out of the install wizard that already exists, like the security level page, and customizing it... I'd make the top part have sane defaults (defaults for a desktop (which server services like ssh and ftp off) and defaults for a server (with things like Canna and file-monitoring daemon off and ssh on)) and then below that, a list of checkboxes of individual services, after which it'd do something similar to what chkconfig does, changing the symlinks in /etc/rc[0-6].d in the system-to-be

sorry, never mind me, just thinking outloud
Reply With Quote
  #10  
Old 19th October 2004, 04:33 AM
zephlyn Offline
Registered User
 
Join Date: Sep 2004
Location: Columbus, OH
Posts: 55
Just to throw in my two cents, I help a lot of new users get up and running on Linux. I usually build the system for them, but occasionally someone wants to do it himself or herself. I have witnessed on more than one occasion someone allowing SSH, HTTP, SNMP, etc in the firewall config settings due to lack of understanding and they are simple check boxes. Then they follow it up with a very simple root password (one I've seen in many failed SSH connections). This, combined with the fact that SSH is enabled by default, created a new Red Hat Linux setup which would have been very easy to compromise. Fortunately, they usually let me review their system when they are done. But it makes me wonder about the scores of new users attempting to install Linux for the first time by themselves.
Reply With Quote
  #11  
Old 19th October 2004, 04:44 AM
superbnerd
Guest
 
Posts: n/a
So apart from Emily's effort, how do we solve this problem? Should I file a bug report, or do we take drastic measures and over throw the developer
Reply With Quote
  #12  
Old 19th October 2004, 05:53 AM
Emily Offline
Registered User
 
Join Date: Oct 2004
Posts: 49
as for what zephlyn described, isn't that what the help pane is for on anaconda ? or am I the only one that reads that thing ? typical...

if you ignore the help, ignore your better wisdom, make an uninformed decision, and change the defaults, and you make your system vulnerable, I think you get what's coming to you (yes, those ports aren't opened by default)

who on earth screws with stuff they don't understand ? this is why you pick one of "server" or "workstation" or "personal desktop" so that nice defaults are there for you, and I think a services selection anaconda should do the same thing, possibly even hiding the advanced stuff like Grub config does unless you opt to screw with it, I think having the shiny new option buttons right there in front of a user begs to be changed

I know that when I first installed Linux, I did screw with grub because I thought I was supposed to, and I only was able to use Linux when I left the defaults alone and it all Just Worked... every configuration app should strive to be that

uggh, sorry, done ranting
Reply With Quote
  #13  
Old 19th October 2004, 06:45 AM
zephlyn Offline
Registered User
 
Join Date: Sep 2004
Location: Columbus, OH
Posts: 55
I guess I contributed my post just to demonstrate something I've seen in the wild. As a general rule I would say that sshd should not be enabled by default. I frequently turn it off on systems I know will not be supported remotely (like my wife's laptop), and if I turn it on I disable root login (like my mother's desktop). It seems to me that onyone planning to use sshd will know how to turn it on, and it should be off already for those that don't. It's just another opportunity for something to go wrong. General security guidlines stipulate to disable any service not actually being used. Since Red Hat (or Fedora in this case) is the distro owner the community would have to convince them to change the default.
Reply With Quote
  #14  
Old 19th October 2004, 07:17 AM
Emily Offline
Registered User
 
Join Date: Oct 2004
Posts: 49
I think somebody (huh ? what ? me ? **gasp** I'll think about it) should just harrass the anaconda people, maybe with patches... gosh, I wish I knew Python, let alone pygtk
Reply With Quote
  #15  
Old 19th October 2004, 08:11 AM
superbnerd
Guest
 
Posts: n/a
Ok, thats our plan. You harras them about anaconda and I will harras them at the bugzilla. Ready...Go.

And all of you who think enabling the firewall by default will stop the problem you should be aware that many newbie will make eth0 a trusted device out of ignorance or becuase they want to enable samba (or any other service) but don't know what ports to open. It doesn't help that the firewall tool is crude. This is actually the same thing that happened to windows. They told everyone to enable the firewall but their tool was not intuitive enough so people just disabled it to get smb filesharing to work. It appears fedora is following windows to its doom

Last edited by superbnerd; 19th October 2004 at 08:50 AM.
Reply With Quote
Reply

Tags
default, sshd

Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Starting sshd: /etc/init.d/sshd: line 113: /usr/sbin/sshd: Permission denied sumanc Using Fedora 9 28th March 2008 07:37 AM
how to change the default page of apache from index.htm to default.htm sourin Servers & Networking 6 16th December 2005 05:08 PM
Default sink works, default source doesn't, Intel 845Gv2 Andy_Lapham Hardware & Laptops 1 1st April 2005 06:02 AM
sshd [default fedora settings can get you hacked] t3gah Security and Privacy 4 18th March 2005 01:10 AM


Current GMT-time: 02:50 (Friday, 28-11-2014)

TopSubscribe to XML RSS for all Threads in all ForumsFedoraForumDotOrg Archive
logo

All trademarks, and forum posts in this site are property of their respective owner(s).
FedoraForum.org is privately owned and is not directly sponsored by the Fedora Project or Red Hat, Inc.

Privacy Policy | Term of Use | Posting Guidelines | Archive | Contact Us | Founding Members

Powered by vBulletin® Copyright ©2000 - 2012, vBulletin Solutions, Inc.

FedoraForum is Powered by RedHat
Envy Rooftop, Charlee Hotel Parque Lleras - Metrowalk Ortigas Avenue Travel Photos on Instagram