SSH on by default? (Was: too many deamons by default - F7 test 2 live cd)
Thomas M Steenholdt
tmus at tmus.dk
Tue Mar 20 09:59:46 UTC 2007
Nicolas Mailhot wrote:
> Le Mar 20 mars 2007 10:42, Thomas M Steenholdt a écrit :
>> Nicolas Mailhot wrote:
>>> Disabling ssh is not a good solution, many people need it. However the
>>> default fedora ssh setup is woefully insecure
>>>
>>> At least ssh rate-limiting should be in the default firewall install.
>>> Pam_abl would be even better (for other network services)
>>>
>> Blacklisting opens the potential for denial-of-service attacks. I'm not
>> too familiar with the pam_abl implementation,
>
> You have per-source-host and per-target-user tuneables
Potential problems with user=root and/or IP spoofing?
>
>> but we should at least be
>> very cautious if we choose to include and enable such features by default.
>
> Sure. But sitting on the problem won't solve it.
>
Agreed!
/Thomas
More information about the fedora-devel-list
mailing list