PDA

View Full Version : SSHD on by Default


superbnerd
18th October 2004, 06:37 AM
All knowledgeable linux users:

Can someone please explain to me why sshd is activated by default? I know (one would hope) the redhat developers a wise, yet how could they be so blind as to activate a remote login service by default? I had reported several months ago that there was a *nix worm that attempts to login to systems via ssh as root, test, and guest. The genius developers did not even disable remote root login.

How can we protect linux from the influx of newbies if the developers are working against us? Perhaps they assume that linux users are knowledgeable about their systems and thus should know to disable unused services. That would not make much sense becuase if the linux users were knowledgeable enought to know that, they would perfer the service be disable unless explicitly enabled. That is always the more secure default.

Hopefully soon, fedora will become more open to community involvement. Then we can secure our distro ourselves. I though the newbies would kill off linux. Apparently its the developers. Please correct me if I am wrong in thinking disabling remote login by default will prevent or at least slow the newbies from being unwittingly rooted.

Emily
18th October 2004, 07:24 AM
I just think anaconda could use an extra page for the custom install where you can pick what services to use (for personal desktop, turn off some of the more server-y things like sshd and ftpd, but for custom, you can pick from a list)

superbnerd
18th October 2004, 07:29 AM
That would be excellent because I always do a custom install, but the default of activating it without warning is just neglectful. How can they get away with this?

kosmosik
18th October 2004, 12:24 PM
well it is on by default but still you have to enable it on firewall... not to good aproach but you can't say it is exposed by default - you must manually switch it on. I guess sshd is on by default since you can do headless install with Fedora (fro install script or via VNC) so you need some way to login after instalation is done... I think it is quite casual. in fact it does not change security dramatically - experienced admin knows his system and knows that sshd is on by default and can react poperly, unexperienced admin is still unexperienced so it does not change a lot ;)

Emily
18th October 2004, 12:43 PM
but it'd still be a great page to add to the anaconda installer, I wonder if I could get the source and write a patch... where would I start, to do something like that ? I need to know Python, dont I ?

Varkk
18th October 2004, 01:35 PM
I think it relates back to the fact that Redhat is concentrating on server installs which are usually headless, with all management done remotely. In which case having sshd active by default makes sense, but yeah, adding a step to the install procedure to configure which services are running initially would be an excellent idea.

blammo
18th October 2004, 03:24 PM
That would be excellent because I always do a custom install, but the default of activating it without warning is just neglectful. How can they get away with this?

SSHD had been activated by default in a server install at least since the RH 7.0 days, probably earlier. I agree that root login should be disabled by default though. Also, strong passwords should be used, not ones in a dictionary or too simplistic. I need to have port 22 open on my machines for administration, and I've never been compromised.

superbnerd
18th October 2004, 09:03 PM
well it is on by default but still you have to enable it on firewall...I guess sshd is on by default since you can do headless install with Fedora (fro install script or via VNC) so you need some way to login after instalation is done... Correct me if I am worng, but it wouldn't help to have ssh enable becuase the firewall is up. How can you remotely login after startup if the firewall is blocking ssh and vnc unless you configured the firewall during install. At this point we might as well just configure the services at installation time as well. Of course we would want that to be in an advanced pages that normal users aren't bothered with. Which would mean we would still want to disable it by default becuase the newbies will just click Next > Next > Finish.

@Emily
Yes I beliven you need to know python. If you are interested, join the developers mailing list and get invovled in their discussions.

Emily
19th October 2004, 02:44 AM
good idea ! thanks, I'll find the mailing list, maybe look in the archive or something... oh isn't there a #fedora-devel on Freenode ? maybe I'll check that out

it's just a matter of taking a page out of the install wizard that already exists, like the security level page, and customizing it... I'd make the top part have sane defaults (defaults for a desktop (which server services like ssh and ftp off) and defaults for a server (with things like Canna and file-monitoring daemon off and ssh on)) and then below that, a list of checkboxes of individual services, after which it'd do something similar to what chkconfig does, changing the symlinks in /etc/rc[0-6].d in the system-to-be

sorry, never mind me, just thinking outloud

zephlyn
19th October 2004, 03:33 AM
Just to throw in my two cents, I help a lot of new users get up and running on Linux. I usually build the system for them, but occasionally someone wants to do it himself or herself. I have witnessed on more than one occasion someone allowing SSH, HTTP, SNMP, etc in the firewall config settings due to lack of understanding and they are simple check boxes. Then they follow it up with a very simple root password (one I've seen in many failed SSH connections). This, combined with the fact that SSH is enabled by default, created a new Red Hat Linux setup which would have been very easy to compromise. Fortunately, they usually let me review their system when they are done. But it makes me wonder about the scores of new users attempting to install Linux for the first time by themselves.

superbnerd
19th October 2004, 03:44 AM
So apart from Emily's effort, how do we solve this problem? Should I file a bug report, or do we take drastic measures and over throw the developer :D

Emily
19th October 2004, 04:53 AM
as for what zephlyn described, isn't that what the help pane is for on anaconda ? or am I the only one that reads that thing ? typical...

if you ignore the help, ignore your better wisdom, make an uninformed decision, and change the defaults, and you make your system vulnerable, I think you get what's coming to you (yes, those ports aren't opened by default)

who on earth screws with stuff they don't understand ? this is why you pick one of "server" or "workstation" or "personal desktop" so that nice defaults are there for you, and I think a services selection anaconda should do the same thing, possibly even hiding the advanced stuff like Grub config does unless you opt to screw with it, I think having the shiny new option buttons right there in front of a user begs to be changed

I know that when I first installed Linux, I did screw with grub because I thought I was supposed to, and I only was able to use Linux when I left the defaults alone and it all Just Worked... every configuration app should strive to be that

uggh, sorry, done ranting

zephlyn
19th October 2004, 05:45 AM
I guess I contributed my post just to demonstrate something I've seen in the wild. As a general rule I would say that sshd should not be enabled by default. I frequently turn it off on systems I know will not be supported remotely (like my wife's laptop), and if I turn it on I disable root login (like my mother's desktop). It seems to me that onyone planning to use sshd will know how to turn it on, and it should be off already for those that don't. It's just another opportunity for something to go wrong. General security guidlines stipulate to disable any service not actually being used. Since Red Hat (or Fedora in this case) is the distro owner the community would have to convince them to change the default.

Emily
19th October 2004, 06:17 AM
I think somebody (huh ? what ? me ? **gasp** I'll think about it) should just harrass the anaconda people, maybe with patches... gosh, I wish I knew Python, let alone pygtk

superbnerd
19th October 2004, 07:11 AM
Ok, thats our plan. You harras them about anaconda and I will harras them at the bugzilla. Ready...Go.

And all of you who think enabling the firewall by default will stop the problem you should be aware that many newbie will make eth0 a trusted device out of ignorance or becuase they want to enable samba (or any other service) but don't know what ports to open. It doesn't help that the firewall tool is crude. This is actually the same thing that happened to windows. They told everyone to enable the firewall but their tool was not intuitive enough so people just disabled it to get smb filesharing to work. It appears fedora is following windows to its doom :(

Emsworth Photos - Arai Photos - Senden Travel Photos