[App_rpt-users] New Official Allstar Distribution Released (DIAL)

REDBUTTON_CTRL jrorke at cogeco.ca
Mon Oct 5 23:02:15 UTC 2015 

Lets remember the root access is only enabled by default, and when you 
have you node configured then disable root access. Other roip/voip 
systems recommend this.

I agree its a good idea to not expose the servers to the throbbing 
viruses waiting to attack us out side our routers.

But lets not make it so locked down that us non-linux gurus cant get in.

And if you do, please make a howto for us leser types so we can continue 
to enjoy or Allstar nodes!

Thanks for the efforts!

Jon VA3RQ

On 10/5/2015 7:04 PM, Steve Zingman wrote:
> Sure,
> I think a hardening script might be in order (and optional).
>
> On 10/05/2015 06:55 PM, Steven Donegan wrote:
>> BTW - I have a script to make a *NIX box a CA and generate 
>> certificates - that could easily be added to the DIAL/Pi/etc releases 
>> - let me see if I can scrounge it up :-) Assuming anyone would want 
>> that ability and Steve is OK with it :-)
>> Steven Donegan
>> KK6IVC General Class FCC License
>> Silver State Car #86
>> www.sscc.us
>>
>> ------------------------------------------------------------------------
>> *From:* David Andrzejewski <david at davidandrzejewski.com>
>> *To:* Steven Donegan <donegan at donegan.org>
>> *Cc:* Bryan D. Boyle <bdboyle at bdboyle.com>; 
>> "app_rpt-users at ohnosec.org" <app_rpt-users at ohnosec.org>
>> *Sent:* Monday, October 5, 2015 3:50 PM
>> *Subject:* Re: [App_rpt-users] New Official Allstar Distribution 
>> Released (DIAL)
>>
>> Yep - disallowing keyboard-interactive and accepting only 
>> certificates.  I turn off PermitRootLogin and only allow 
>> certificates.  Barring some kind of exploit in sshd, that ought to be 
>> secure enough.
>>
>> Steven Donegan wrote:
>>>
>>>
>>> Using certificates for ssh is yet another method :-)
>>> Steven Donegan
>>> KK6IVC General Class FCC License
>>> Silver State Car #86
>>> www.sscc.us <http://www.sscc.us/>
>>>
>>> ------------------------------------------------------------------------
>>> *From:* Bryan D. Boyle <bdboyle at bdboyle.com>
>>> *To:* Steven Donegan <donegan at donegan.org>
>>> *Cc:* Steve Zingman <szingman at msgstor.com> 
>>> <mailto:szingman at msgstor.com>; "app_rpt-users at ohnosec.org" 
>>> <mailto:app_rpt-users at ohnosec.org> <app_rpt-users at ohnosec.org> 
>>> <mailto:app_rpt-users at ohnosec.org>
>>> *Sent:* Monday, October 5, 2015 2:49 PM
>>> *Subject:* Re: [App_rpt-users] New Official Allstar Distribution 
>>> Released (DIAL)
>>>
>>> Using a jump box as you describe is one way...not allowing SSH from 
>>> the outside adds a layer; setting up a secue VDI capability to the 
>>> jumpbox over a vpn is yet a third way...;).
>>>
>>> my rule: if it's exposed to the net, it's potentially vulnerable. 
>>>  Just turn on your SIP port and pop some popcorn to see...;)
>>>
>>> -- 
>>> Bryan
>>> Sent from my iPhone 5...No electrons were harmed in the sending of 
>>> this message.
>>>
>>>
>>>
>>>
>>>
>>> On Oct 5, 2015, at 17:39, Steven Donegan <donegan at donegan.org> wrote:
>>>
>>>> Direct root login being disallowed IF there were no other way to 
>>>> get full root privileges (not the case here) was considered best 
>>>> practice. However in almost every case there is a user (on Raspbian 
>>>> user pi) that can simply login, sudo -s and do whatever they want. 
>>>> Yes it puts up a small hurdle but I don't see it as a serious one.
>>>>
>>>> In short, there is almost no setup that will allow you to 
>>>> completely lock out root with the exception of a few well designed 
>>>> appliances. And that means someone is out there doing support to 
>>>> get things resolved. This system is not of that flavor and root is 
>>>> necessary for many things so frankly adding a hurdle or two really 
>>>> doesn't appreciably make the system more secure.
>>>>
>>>> Require a long pass phrase (say 20 mixed characters or so) and this 
>>>> whole thing is moot...
>>>>
>>>> And BTW - putting sshd on port 222 (or anything except 22) is 
>>>> security by obscurity - many tools can find standard protocols on 
>>>> non-standard ports :-) (I know, I wrote one)
>>>>
>>>> The best bet is to not allow ssh at all. If that is not feasible 
>>>> then do the su or sudo thing and/or set up an intermediate system 
>>>> such that you access a non-privileged account on system A, then ssh 
>>>> to system B and system B will ONLY accept ssh from system A. Still 
>>>> can be beaten but it is a bit harder...
>>>>
>>>> And BTW - I have done infosec for about 20 years so I am allowed to 
>>>> have an opinion on this topic :-)
>>>> Steven Donegan
>>>> KK6IVC General Class FCC License
>>>> Silver State Car #86
>>>> www.sscc.us <http://www.sscc.us/>
>>>>
>>>> ------------------------------------------------------------------------
>>>> *From:* Steve Zingman <szingman at msgstor.com>
>>>> *To:* "app_rpt-users at ohnosec.org" <app_rpt-users at ohnosec.org>
>>>> *Sent:* Monday, October 5, 2015 2:24 PM
>>>> *Subject:* [App_rpt-users] New Official Allstar Distribution 
>>>> Released (DIAL)
>>>>
>>>> Dave,
>>>> Let's say I agree with you. And I well may.
>>>> On most internet exposed machines, I don't even allow ssh unless I trust your address or require a VPN.
>>>> I agree is common practice to not allow it.
>>>> Now the question is why?
>>>>
>>>> As John McLaughlin would say, DISCUSS!
>>>>
>>>> On 10/05/2015 08:40 AM, Steve Zingman wrote:
>>>> >/  root login via SSH is now allowed
>>>> /
>>>> >  This is a bad idea.  Root should *never* be allowed to login to a system
>>>> >  remotely.  It's better to log in as a normal user and then become root
>>>> >  via su, sudo, etc.
>>>>
>>>> >  - Dave
>>>>
>>>>
>>>>
>>>> -- 
>>>> "Anything is possible if you don't know what you are talking about."
>>>> 1st Law of Logic
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> App_rpt-users mailing list
>>>> App_rpt-users at ohnosec.org
>>>> http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users
>>>>
>>>> To unsubscribe from this list please visit 
>>>> http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users and 
>>>> scroll down to the bottom of the page. Enter your email address and 
>>>> press the "Unsubscribe or edit options button"
>>>> You do not need a password to unsubscribe, you can do it via email 
>>>> confirmation. If you have trouble unsubscribing, please send a 
>>>> message to the list detailing the problem.
>>>>
>>>>
>>>> _______________________________________________
>>>> App_rpt-users mailing list
>>>> App_rpt-users at ohnosec.org <mailto:App_rpt-users at ohnosec.org>
>>>> http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users
>>>>
>>>> To unsubscribe from this list please visit 
>>>> http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users and 
>>>> scroll down to the bottom of the page. Enter your email address and 
>>>> press the "Unsubscribe or edit options button"
>>>> You do not need a password to unsubscribe, you can do it via email 
>>>> confirmation. If you have trouble unsubscribing, please send a 
>>>> message to the list detailing the problem.
>>>
>>>
>>> _______________________________________________
>>> App_rpt-users mailing list
>>> App_rpt-users at ohnosec.org  <mailto:App_rpt-users at ohnosec.org>
>>> http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users
>>>
>>> To unsubscribe from this list please visithttp://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users  and scroll down to the bottom of the page. Enter your email address and press the "Unsubscribe or edit options button"
>>> You do not need a password to unsubscribe, you can do it via email confirmation. If you have trouble unsubscribing, please send a message to the list detailing the problem.
>>
>>
>>
>>
>>
>> _______________________________________________
>> App_rpt-users mailing list
>> App_rpt-users at ohnosec.org
>> http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users
>>
>> To unsubscribe from this list please visithttp://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users  and scroll down to the bottom of the page. Enter your email address and press the "Unsubscribe or edit options button"
>> You do not need a password to unsubscribe, you can do it via email confirmation. If you have trouble unsubscribing, please send a message to the list detailing the problem.
>
> -- 
> "Anything is possible if you don't know what you are talking about."
> 1st Law of Logic
>
>
> _______________________________________________
> App_rpt-users mailing list
> App_rpt-users at ohnosec.org
> http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users
>
> To unsubscribe from this list please visit http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users and scroll down to the bottom of the page. Enter your email address and press the "Unsubscribe or edit options button"
> You do not need a password to unsubscribe, you can do it via email confirmation. If you have trouble unsubscribing, please send a message to the list detailing the problem.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.keekles.org/pipermail/app_rpt-users/attachments/20151005/4eb4ab30/attachment.html>

More information about the App_rpt-users mailing list