Feature Request "secure by default"

Simon Jolle urandomdev at gmail.com
Sun Jun 10 16:06:03 UTC 2007


On 6/10/07, Manuel Arostegui Ramirez <manuel at todo-linux.com> wrote:
> On Sunday, 10 June 2007 15:11, Simon Jolle wrote:
> > After a default installation of Fedora 7 too many network daemons listen
> > for incoming connections. I admit that those services are closed by
> > iptables rules (by default only inbound SSH connections are accepted).
>
> That's actually what OpenBSD does
> So, talking about Fedora or RH systems, by default the daemons which listen for
> connections are only the ones you'd choose to install during your
> installation process, right?

Next time I will customize the package selection better. I only
accepted the defaults and unchecked "Office and Productivity". Average
users don't minimize package selections (security is not only the job of
the user). Here is my result:

# netstat -tupan
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 127.0.0.1:2208              0.0.0.0:*                   LISTEN      2074/hpiod
tcp        0      0 127.0.0.1:631               0.0.0.0:*                   LISTEN      2091/cupsd
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      2125/sendmail: acce
tcp        0      0 127.0.0.1:2207              0.0.0.0:*                   LISTEN      2079/python
tcp        0      0 0.0.0.0:703                 0.0.0.0:*                   LISTEN      1793/rpc.statd
tcp        1      0 192.168.134.128:53429       209.132.176.120:80          CLOSE_WAIT  2298/python
tcp        1      0 192.168.134.128:54370       192.26.91.193:80            CLOSE_WAIT  2298/python
tcp        0      0 :::111                      :::*                        LISTEN      1764/rpcbind
tcp        0      0 :::22                       :::*                        LISTEN      2105/sshd
udp        0      0 0.0.0.0:32768               0.0.0.0:*                               2310/avahi-daemon:
udp        0      0 0.0.0.0:697                 0.0.0.0:*                               1793/rpc.statd
udp        0      0 0.0.0.0:700                 0.0.0.0:*                               1793/rpc.statd
udp        0      0 0.0.0.0:68                  0.0.0.0:*                               1629/dhclient
udp        0      0 0.0.0.0:5353                0.0.0.0:*                               2310/avahi-daemon:
udp        0      0 0.0.0.0:631                 0.0.0.0:*                               2091/cupsd
udp        0      0 :::32769                    :::*                                    2310/avahi-daemon:
udp        0      0 :::667                      :::*                                    1764/rpcbind
udp        0      0 :::5353                     :::*                                    2310/avahi-daemon:
udp        0      0 :::111                      :::*                                    1764/rpcbind

Security is always a layered stack, so don't tell me it's protected by
iptables.

> > Additionally if you install supplement software by using "yum", those
> > daemons get enabled right after installation.
>
> I guess if someone is installing a daemon by using yum, it means they really
> need it, which leads us to suppose this user knows what he's doing and why;
> no one runs "yum install proftpd" by accident, uh?

IMHO, as an admin, I wish for secure default configurations. An admin should
understand every line in the configuration file and decide whether it is
needed or not.

It's a security risk that just doing "yum install vsftpd" gives you a working FTP
server. You should be forced to understand FTP and tune things up
as needed. If you don't understand what you are doing, you cannot
have a secure network.

I would be glad if daemons listened only on loopback and had stripped-down defaults.

> And furthermore, if this user decides to install the daemon it means he's gonna
> use it, so not enabling it after the yum installation won't make any
> difference, IMHO.
> >
> > OpenSolaris has quite a good solution to deal with security vs
> > comfort. See the "Secure by Default" project [0]
>
> Again, like OpenBSD :-)
>
> >
> > Is there a chance to have in Fedora and RHEL a secure by default
> > installation? What do you developers think about this issue? Any pro
> > and cons to implement this?
>
> It is, actually, as long as you install only daemons you're gonna use and
> enable SELinux.

I acknowledge I don't have SELinux enabled. But a RHEL as provided by
Red Hat needs to be locked down by every customer. There are quite a
lot of guides for doing so on the net [1].

There should be by default: /etc/cron.allow containing only root, TCP/IP
settings that don't allow known attacks, password aging enabled, more
restrictive permissions, ...

[1] http://www.puschitz.com/SecuringLinux.shtml
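As an added example, not part of the original post or of Fedora's tooling: the listing above mixes loopback-only services (hpiod, cupsd, sendmail on 127.0.0.1) with daemons bound to a wildcard address (rpc.statd, rpcbind, avahi-daemon, sshd on 0.0.0.0 or ::), and it is only the second group that the iptables rules are actually protecting. The shell filter below reads `netstat -tupan` output on stdin and prints just those externally reachable listeners, so the layered-defence argument can be checked against a concrete list rather than the whole table. The sample input is constructed for the demonstration, modelled on the post's listing; the `::1:323` chronyd line is invented to show a loopback-only IPv6 UDP socket being excluded.

```sh
#!/bin/sh
# Added example, not from the original post: reduce a `netstat -tupan`
# listing to the sockets reachable from other hosts, i.e. TCP sockets in
# LISTEN and UDP sockets that are bound to a wildcard address (0.0.0.0,
# :: or *) rather than to loopback. Sockets on 127.0.0.1 or ::1 are what
# the post asks for and are left out; established connections (CLOSE_WAIT
# and friends) are not listeners and are skipped too.

# Constructed sample in netstat -tupan layout, modelled on the post's
# listing (the chronyd line is invented: a loopback-only IPv6 UDP socket).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 127.0.0.1:631               0.0.0.0:*                   LISTEN      2091/cupsd
tcp        0      0 0.0.0.0:703                 0.0.0.0:*                   LISTEN      1793/rpc.statd
tcp        1      0 192.168.134.128:53429       209.132.176.120:80          CLOSE_WAIT  2298/python
tcp        0      0 :::111                      :::*                        LISTEN      1764/rpcbind
tcp        0      0 :::22                       :::*                        LISTEN      2105/sshd
udp        0      0 0.0.0.0:5353                0.0.0.0:*                               2310/avahi-daemon:
udp        0      0 ::1:323                     :::*                                    1201/chronyd'

# exposed_listeners: read netstat output on stdin, print
# "proto local_address pid/program" for every externally reachable listener.
exposed_listeners() {
    awk '
        # Skip anything that is not a tcp/udp socket line (banner, header).
        $1 !~ /^(tcp|udp)/ { next }
        {
            proto = $1; laddr = $4
            # TCP lines carry a State column ($6); UDP lines do not, so the
            # PID/Program field shifts from $7 to $6.
            if (proto ~ /^tcp/) { if ($6 != "LISTEN") next; prog = $7 }
            else prog = $6
            # The port is the text after the last colon; the bind address is
            # whatever precedes it ("::" for :::22, "0.0.0.0" for 0.0.0.0:703,
            # "::1" for ::1:323).
            n = split(laddr, parts, ":")
            port = parts[n]
            addr = substr(laddr, 1, length(laddr) - length(port) - 1)
            if (addr == "0.0.0.0" || addr == "::" || addr == "*")
                print proto, laddr, prog
        }'
}

# On a live system:  netstat -tupan | exposed_listeners
# Demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_NETSTAT" | exposed_listeners
```

On the sample this prints four lines (rpc.statd, rpcbind, sshd over TCP and avahi-daemon over UDP); cupsd and chronyd drop out because they are bound to loopback, and the CLOSE_WAIT client connection drops out because it is not a listener. Anything that survives this filter is a service whose exposure depends entirely on the packet filter, which is exactly the "layered" point being made.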

More information about the fedora-list mailing list