Re: SSH on by default? (Was: too many daemons by default - F7 test 2 live cd)

On Wed, 2007-03-21 at 15:00 -0400, Chris Lumens wrote:
> firstboot already uses system-config-securitylevel to provide a screen
> for setting this stuff up.  The default configuration on regular
> installs is ssh enabled, SELinux enforcing. 

I have to admit I haven't been able to test F7 yet. Is this the same
screen as in FC6, where you're not actually selecting whether to have
sshd on or off but rather how the firewall is set up?

Because I think it's much more important to make sure the system is
secure (by default and after admin's changes) even without the firewall
than to set the firewall "just right". So the "SSH or not" setting
should control the service, not the firewall.

<Rant> :)

The firewall is an extra protection, and in some cases a workaround for
broken software where it can't be made secure any other way. (Let's say
you can't figure out how to make your local caching nameserver listen
only on loopback, so you firewall the port instead.)

The same way, if the system is insecure when SELinux is off, then it's a
bug or configuration error. It's just an extra precaution, not where the
actual security is supposed to be.


