[App_rpt-users] New Official Allstar Distribution Released (DIAL)

David Andrzejewski david at davidandrzejewski.com
Mon Oct 5 22:50:08 UTC 2015


Yep - disallowing keyboard-interactive and accepting only certificates.  
I turn off PermitRootLogin and only allow certificates.  Barring some 
kind of exploit in sshd, that ought to be secure enough.

Steven Donegan wrote:
> Using certificates for ssh is yet another method :-)
> Steven Donegan
> KK6IVC General Class FCC License
> Silver State Car #86
> www.sscc.us
>
> ------------------------------------------------------------------------
> *From:* Bryan D. Boyle <bdboyle at bdboyle.com>
> *To:* Steven Donegan <donegan at donegan.org>
> *Cc:* Steve Zingman <szingman at msgstor.com>; 
> "app_rpt-users at ohnosec.org" <app_rpt-users at ohnosec.org>
> *Sent:* Monday, October 5, 2015 2:49 PM
> *Subject:* Re: [App_rpt-users] New Official Allstar Distribution 
> Released (DIAL)
>
> Using a jump box as you describe is one way...not allowing SSH from 
> the outside adds a layer; setting up a secure VDI capability to the 
> jumpbox over a vpn is yet a third way...;).
>
> my rule: if it's exposed to the net, it's potentially vulnerable. 
> Just turn on your SIP port and pop some popcorn to see...;)
>
> --
> Bryan
> Sent from my iPhone 5...No electrons were harmed in the sending of 
> this message.
>
>
>
>
>
> On Oct 5, 2015, at 17:39, Steven Donegan <donegan at donegan.org 
> <mailto:donegan at donegan.org>> wrote:
>
>> Direct root login being disallowed IF there were no other way to get 
>> full root privileges (not the case here) was considered best 
>> practice. However in almost every case there is a user (on Raspbian 
>> user pi) that can simply login, sudo -s and do whatever they want. 
>> Yes it puts up a small hurdle but I don't see it as a serious one.
>>
>> In short, there is almost no setup that will allow you to completely 
>> lock out root with the exception of a few well designed appliances. 
>> And that means someone is out there doing support to get things 
>> resolved. This system is not of that flavor and root is necessary for 
>> many things so frankly adding a hurdle or two really doesn't 
>> appreciably make the system more secure.
>>
>> Require a long pass phrase (say 20 mixed characters or so) and this 
>> whole thing is moot...
>>
>> And BTW - putting sshd on port 222 (or anything except 22) is 
>> security by obscurity - many tools can find standard protocols on 
>> non-standard ports :-) (I know, I wrote one)
>>
>> The best bet is to not allow ssh at all. If that is not feasible then 
>> do the su or sudo thing and/or set up an intermediate system such 
>> that you access a non-privileged account on system A, then ssh to 
>> system B and system B will ONLY accept ssh from system A. Still can 
>> be beaten but it is a bit harder...
>>
>> And BTW - I have done infosec for about 20 years so I am allowed to 
>> have an opinion on this topic :-)
>> Steven Donegan
>> KK6IVC General Class FCC License
>> Silver State Car #86
>> www.sscc.us <http://www.sscc.us/>
>>
>> ------------------------------------------------------------------------
>> *From:* Steve Zingman <szingman at msgstor.com 
>> <mailto:szingman at msgstor.com>>
>> *To:* "app_rpt-users at ohnosec.org <mailto:app_rpt-users at ohnosec.org>" 
>> <app_rpt-users at ohnosec.org <mailto:app_rpt-users at ohnosec.org>>
>> *Sent:* Monday, October 5, 2015 2:24 PM
>> *Subject:* [App_rpt-users] New Official Allstar Distribution Released 
>> (DIAL)
>>
>> Dave,
>> Let's say I agree with you. And I well may.
>> On most internet exposed machines, I don't even allow ssh unless I trust your address or require a VPN.
>> I agree it is common practice to not allow it.
>> Now the question is why?
>>
>> As John McLaughlin would say, DISCUSS!
>>
>> On 10/05/2015 08:40 AM, Steve Zingman wrote:
>> > > root login via SSH is now allowed
>> >  This is a bad idea.  Root should *never* be allowed to login to a system
>> >  remotely.  It's better to log in as a normal user and then become root
>> >  via su, sudo, etc.
>>
>> >  - Dave
>>
>>
>>
>> -- 
>> "Anything is possible if you don't know what you are talking about."
>> 1st Law of Logic
>>
>>
>>
>> _______________________________________________
>> App_rpt-users mailing list
>> App_rpt-users at ohnosec.org <mailto:App_rpt-users at ohnosec.org>
>> http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users
>>
>> To unsubscribe from this list please visit 
>> http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users 
>> <http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users> and scroll 
>> down to the bottom of the page. Enter your email address and press 
>> the "Unsubscribe or edit options button"
>> You do not need a password to unsubscribe, you can do it via email 
>> confirmation. If you have trouble unsubscribing, please send a 
>> message to the list detailing the problem.
>>
>
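The thread argues over three sshd controls: whether root may log in at all, whether password or keyboard-interactive logins are accepted alongside key-based (or certificate-based, which OpenSSH handles through the same PubkeyAuthentication switch) ones, and whether a box should accept SSH only from a designated jump host. The following is an added example, not code from the list or from the DIAL distribution: a small Python audit that parses an sshd_config (global section plus Match blocks, first value wins within a section) and reports which of those controls are still open. Both configs are constructed; the user name "repeater", the documentation address 192.0.2.10, and the DEFAULTS table (OpenSSH 7.0-and-later defaults) are assumptions stated in the code.

```python
"""Audit an sshd_config for the controls argued over in this thread.

Added example, not from the list or any project.  Assumes OpenSSH-style
syntax: 'Keyword value' lines, '#' comments, and Match blocks whose
values override the global section for matching connections.  Both
sample configs below are constructed, not taken from a real host.
"""
import shlex

# Constructed hardened config: key-only auth, no root, no interactive
# prompts, and the jump-host pattern from the thread (only system A,
# here the documentation address 192.0.2.10, may reach the account).
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
AllowUsers repeater@192.0.2.10
Match Address 192.0.2.10
    PasswordAuthentication no
"""

# Constructed weak config: moves the port and leans on defaults.
WEAK_CONFIG = """\
Port 222
PermitRootLogin yes
"""

# Values sshd applies when a keyword is absent (assumed OpenSSH 7.0 and
# later; releases before that defaulted PermitRootLogin to 'yes').
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
}


def parse_sshd_config(text):
    """Return (global_settings, match_blocks) with lowercased keywords.

    Within a section the first value seen wins, as sshd(5) documents.
    Each Match block is returned as (criteria, settings).
    """
    global_settings, match_blocks = {}, []
    current = global_settings
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)          # honours quoted values
        keyword, value = parts[0].lower(), " ".join(parts[1:])
        if keyword == "match":
            current = {}                    # new block until the next Match
            match_blocks.append((value, current))
            continue
        current.setdefault(keyword, value)  # first occurrence wins
    return global_settings, match_blocks


def audit(settings):
    """Return findings for one effective settings dict (empty = clean)."""
    eff = {**DEFAULTS, **settings}
    # Older OpenSSH spelled the keyboard-interactive switch
    # ChallengeResponseAuthentication; either spelling disables the prompt.
    kbd = settings.get("kbdinteractiveauthentication",
                       settings.get("challengeresponseauthentication",
                                    DEFAULTS["kbdinteractiveauthentication"]))
    findings = []
    if eff["permitrootlogin"] != "no":
        findings.append(f"PermitRootLogin is '{eff['permitrootlogin']}', not 'no'")
    if eff["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication still enabled")
    if kbd != "no":
        findings.append("keyboard-interactive authentication still enabled")
    if eff["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication disabled; key-only login impossible")
    return findings


def audit_config(text):
    """Audit the global section and each Match block of an sshd_config."""
    global_settings, match_blocks = parse_sshd_config(text)
    report = {"global": audit(global_settings)}
    for criteria, overrides in match_blocks:
        # A Match block's values override the global ones for that client.
        report["Match " + criteria] = audit({**global_settings, **overrides})
    return report


if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED_CONFIG), ("weak", WEAK_CONFIG)):
        for section, findings in audit_config(cfg).items():
            print(f"[{name}] {section}: {findings or 'OK'}")
```

Run it against a live host with `audit_config(open("/etc/ssh/sshd_config").read())`; on a real box prefer the output of `sshd -T`, which already resolves defaults and Match evaluation, over reading the file by hand. Note that the port move in WEAK_CONFIG produces no finding: as the thread says, a non-standard port is not a control.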
