[App_rpt-users] New Official Allstar Distribution Released (DIAL)
Steve Zingman
szingman at msgstor.com
Mon Oct 5 23:04:59 UTC 2015
Sure,
I think a hardening script might be in order (and optional).
On 10/05/2015 06:55 PM, Steven Donegan wrote:
> BTW - I have a script to make a *NIX box a CA and generate
> certificates - that could easily be added to the DIAL/Pi/etc releases
> - let me see if I can scrounge it up :-) Assuming anyone would want
> that ability and Steve is OK with it :-)
> Steven Donegan
> KK6IVC General Class FCC License
> Silver State Car #86
> www.sscc.us
>
> ------------------------------------------------------------------------
> *From:* David Andrzejewski <david at davidandrzejewski.com>
> *To:* Steven Donegan <donegan at donegan.org>
> *Cc:* Bryan D. Boyle <bdboyle at bdboyle.com>;
> "app_rpt-users at ohnosec.org" <app_rpt-users at ohnosec.org>
> *Sent:* Monday, October 5, 2015 3:50 PM
> *Subject:* Re: [App_rpt-users] New Official Allstar Distribution
> Released (DIAL)
>
> Yep - disallowing keyboard-interactive and accepting only
> certificates. I turn off PermitRootLogin and only allow
> certificates. Barring some kind of exploit in sshd, that ought to be
> secure enough.
>
> Steven Donegan wrote:
>>
>>
>> Using certificates for ssh is yet another method :-)
>> Steven Donegan
>> KK6IVC General Class FCC License
>> Silver State Car #86
>> www.sscc.us <http://www.sscc.us/>
>>
>> ------------------------------------------------------------------------
>> *From:* Bryan D. Boyle <bdboyle at bdboyle.com> <mailto:bdboyle at bdboyle.com>
>> *To:* Steven Donegan <donegan at donegan.org> <mailto:donegan at donegan.org>
>> *Cc:* Steve Zingman <szingman at msgstor.com>
>> <mailto:szingman at msgstor.com>; "app_rpt-users at ohnosec.org"
>> <mailto:app_rpt-users at ohnosec.org> <app_rpt-users at ohnosec.org>
>> <mailto:app_rpt-users at ohnosec.org>
>> *Sent:* Monday, October 5, 2015 2:49 PM
>> *Subject:* Re: [App_rpt-users] New Official Allstar Distribution
>> Released (DIAL)
>>
>> Using a jump box as you describe is one way...not allowing SSH from
>> the outside adds a layer; setting up a secue VDI capability to the
>> jumpbox over a vpn is yet a third way...;).
>>
>> my rule: if it's exposed to the net, it's potentially vulnerable.
>> Just turn on your SIP port and pop some popcorn to see...;)
>>
>> --
>> Bryan
>> Sent from my iPhone 5...No electrons were harmed in the sending of
>> this message.
>>
>>
>>
>>
>>
>> On Oct 5, 2015, at 17:39, Steven Donegan <donegan at donegan.org
>> <mailto:donegan at donegan.org>> wrote:
>>
>>> Direct root login being disallowed IF there were no other way to get
>>> full root privileges (not the case here) was considered best
>>> practice. However in almost every case there is a user (on Raspbian
>>> user pi) that can simply login, sudo -s and do whatever they want.
>>> Yes it puts up a small hurdle but I don't see it as a serious one.
>>>
>>> In short, there is almost no setup that will allow you to completely
>>> lock out root with the exception of a few well designed appliances.
>>> And that means someone is out there doing support to get things
>>> resolved. This system is not of that flavor and root is necessary
>>> for many things so frankly adding a hurdle or two really doesn't
>>> appreciably make the system more secure.
>>>
>>> Require a long pass phrase (say 20 mixed characters or so) and this
>>> whole thing is moot...
>>>
>>> And BTW - putting sshd on port 222 (or anything except 22) is
>>> security by obscurity - many tools can find standard protocols on
>>> non-standard ports :-) (I know, I wrote one)
>>>
>>> The best bet is to not allow ssh at all. If that is not feasible
>>> then do the su or sudo thing and/or set up an intermediate system
>>> such that you access a non-privileged account on system A, then ssh
>>> to system B and system B will ONLY accept ssh from system A. Still
>>> can be beaten but it is a bit harder...
>>>
>>> And BTW - I have done infosec for about 20 years so I am allowed to
>>> have an opinion on this topic :-)
>>> Steven Donegan
>>> KK6IVC General Class FCC License
>>> Silver State Car #86
>>> www.sscc.us <http://www.sscc.us/>
>>>
>>> ------------------------------------------------------------------------
>>> *From:* Steve Zingman <szingman at msgstor.com
>>> <mailto:szingman at msgstor.com>>
>>> *To:* "app_rpt-users at ohnosec.org <mailto:app_rpt-users at ohnosec.org>"
>>> <app_rpt-users at ohnosec.org <mailto:app_rpt-users at ohnosec.org>>
>>> *Sent:* Monday, October 5, 2015 2:24 PM
>>> *Subject:* [App_rpt-users] New Official Allstar Distribution
>>> Released (DIAL)
>>>
>>> Dave,
>>> Let's say I agree with you. And I well may.
>>> On most internet exposed machines, I don't even allow ssh unless I trust your address or require a VPN.
>>> I agree is common practice to not allow it.
>>> Now the question is why?
>>>
>>> As John McLaughlin would say, DISCUSS!
>>>
>>> On 10/05/2015 08:40 AM, Steve Zingman wrote:
>>> >/root login via SSH is now allowed /
>>> > This is a bad idea. Root should *never* be allowed to login to a system
>>> > remotely. It's better to log in as a normal user and then become root
>>> > via su, sudo, etc.
>>>
>>> > - Dave
>>>
>>>
>>>
>>> --
>>> "Anything is possible if you don't know what you are talking about."
>>> 1st Law of Logic
>>>
>>>
>>>
>>> _______________________________________________
>>> App_rpt-users mailing list
>>> App_rpt-users at ohnosec.org <mailto:App_rpt-users at ohnosec.org>
>>> http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users
>>>
>>> To unsubscribe from this list please visit
>>> http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users and scroll
>>> down to the bottom of the page. Enter your email address and press
>>> the "Unsubscribe or edit options button"
>>> You do not need a password to unsubscribe, you can do it via email
>>> confirmation. If you have trouble unsubscribing, please send a
>>> message to the list detailing the problem.
>>>
>>>
>>> _______________________________________________
>>> App_rpt-users mailing list
>>> App_rpt-users at ohnosec.org <mailto:App_rpt-users at ohnosec.org>
>>> http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users
>>>
>>> To unsubscribe from this list please visit
>>> http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users and scroll
>>> down to the bottom of the page. Enter your email address and press
>>> the "Unsubscribe or edit options button"
>>> You do not need a password to unsubscribe, you can do it via email
>>> confirmation. If you have trouble unsubscribing, please send a
>>> message to the list detailing the problem.
>>
>>
>> _______________________________________________
>> App_rpt-users mailing list
>> App_rpt-users at ohnosec.org <mailto:App_rpt-users at ohnosec.org>
>> http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users
>>
>> To unsubscribe from this list please visithttp://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users and scroll down to the bottom of the page. Enter your email address and press the "Unsubscribe or edit options button"
>> You do not need a password to unsubscribe, you can do it via email confirmation. If you have trouble unsubscribing, please send a message to the list detailing the problem.
>
>
>
>
>
> _______________________________________________
> App_rpt-users mailing list
> App_rpt-users at ohnosec.org
> http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users
>
> To unsubscribe from this list please visit http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users and scroll down to the bottom of the page. Enter your email address and press the "Unsubscribe or edit options button"
> You do not need a password to unsubscribe, you can do it via email confirmation. If you have trouble unsubscribing, please send a message to the list detailing the problem.
--
"Anything is possible if you don't know what you are talking about."
1st Law of Logic
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.keekles.org/pipermail/app_rpt-users/attachments/20151005/2fe9a516/attachment.html>
More information about the App_rpt-users
mailing list