Re: Feature Request "secure by default"

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 6/10/07, Manuel Arostegui Ramirez <manuel@xxxxxxxxxxxxxx> wrote:
El Domingo, 10 de Junio de 2007 15:11, Simon Jolle escribió:
> After default installation of Fedora 7 too much network daemons listen
> for incoming connections. I admit, that those services are closed by
> iptables rules (default only accept inbound SSH connection).

That's actually what OpenBSD does
So, talking about Fedora or RH systems, by default the daemon which listen for
connections are only the ones you'd choose to install during your
installation process, right?

Next time I will customize the package selection better. I only
accepted the defaults and unchecked "Office and Productivity". Average
user don't minimize package selections (security is not only job of
the user). Here my result:

# netstat -tupan
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address
    State       PID/Program name
tcp        0      0 127.0.0.1:2208              0.0.0.0:*
    LISTEN      2074/hpiod
tcp        0      0 127.0.0.1:631               0.0.0.0:*
    LISTEN      2091/cupsd
tcp        0      0 127.0.0.1:25                0.0.0.0:*
    LISTEN      2125/sendmail: acce
tcp        0      0 127.0.0.1:2207              0.0.0.0:*
    LISTEN      2079/python
tcp        0      0 0.0.0.0:703                 0.0.0.0:*
    LISTEN      1793/rpc.statd
tcp        1      0 192.168.134.128:53429       209.132.176.120:80
    CLOSE_WAIT  2298/python
tcp        1      0 192.168.134.128:54370       192.26.91.193:80
    CLOSE_WAIT  2298/python
tcp        0      0 :::111                      :::*
    LISTEN      1764/rpcbind
tcp        0      0 :::22                       :::*
    LISTEN      2105/sshd
udp        0      0 0.0.0.0:32768               0.0.0.0:*
                2310/avahi-daemon:
udp        0      0 0.0.0.0:697                 0.0.0.0:*
                1793/rpc.statd
udp        0      0 0.0.0.0:700                 0.0.0.0:*
                1793/rpc.statd
udp        0      0 0.0.0.0:68                  0.0.0.0:*
                1629/dhclient
udp        0      0 0.0.0.0:5353                0.0.0.0:*
                2310/avahi-daemon:
udp        0      0 0.0.0.0:631                 0.0.0.0:*
                2091/cupsd
udp        0      0 :::32769                    :::*
                2310/avahi-daemon:
udp        0      0 :::667                      :::*
                1764/rpcbind
udp        0      0 :::5353                     :::*
                2310/avahi-daemon:
udp        0      0 :::111                      :::*
                1764/rpcbind

Security is always a layered stack, so don't say me its protected by
iptables.

> Additionally if you install supplement software by using "yum", those
> daemons get enabled right after installation.

I guess if someone is installing a daemon by using yum, it means it really
needs it, which leads us to suppose this user knows what he's doing and why,
no one runs "yum install proftpd" by accident, uh?

IMHO as a admin, I wish secure default configurations. A admin should
understand every line in the configuration file and decide if this is
needed or not.

Its a security risk by just doing "yum install vsftpd" and the FTP
server works. You should be forced to understand FTP and tune up
things as needed. If you don't understand what you are doing - you can
not have a secure network

I would be glad if daemons listen only loopback and have stripped down defaults.

And furthermore, if this user decides to install the daemon it means his gonna
use it, so not enabling it after the yum installation won't make any
difference, IMHO.
>
> OpenSolaris have quite a good solution to deal with security vs
> comfort. See the "Secure by Default" project [0]

Again, like OpenBSD :-)

>
> Is there a chance to have in Fedora and RHEL a secure by default
> installation? What do you developers think about this issue? Any pro
> and cons to implement this?

It is, actually as long as you install only daemons you're gonna use and
enabling SeLinux.

I acknowledge don't have SELinux enabled. But a RHEL as provided by
Red Hat needs to be locked down by every customer. There are quite a
lot guide doing so on the net [1]

There should be per default /etc/cron.allow only root, TCP/IP Settings
parameter don't allowing known attacks, password aging enabled, more
restrictive permissions,........

[1] http://www.puschitz.com/SecuringLinux.shtml


[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux