[App_rpt-users] Node security

Steve Zingman szingman at msgstor.com
Mon Oct 5 23:38:28 UTC 2015


As of right now it's listening to 222 and 5038 on 127.0.0.1 TCP
and 4569 on UDP.

That's all.

On 10/05/2015 07:15 PM, Steven Donegan wrote:
> Let me spin up one of the DIAL setups - may take me a day - then see 
> what is enabled by default and hardening will be 'easy' (no 
> processes/ports active not absolutely required). Adding the CA stuff 
> will be easy as well if desired. Whatever the overall direction is I 
> can do security stuff :-)
> Steven Donegan
> KK6IVC General Class FCC License
> Silver State Car #86
> www.sscc.us
>
> ------------------------------------------------------------------------
> *From:* Steve Zingman <szingman at msgstor.com>
> *To:* Steven Donegan <donegan at donegan.org>; David Andrzejewski 
> <david at davidandrzejewski.com>
> *Cc:* "app_rpt-users at ohnosec.org" <app_rpt-users at ohnosec.org>
> *Sent:* Monday, October 5, 2015 4:04 PM
> *Subject:* Re: [App_rpt-users] New Official Allstar Distribution 
> Released (DIAL)
>
> Sure,
> I think a hardening script might be in order (and optional).
>
>
>
> On 10/05/2015 06:55 PM, Steven Donegan wrote:
>> BTW - I have a script to make a *NIX box a CA and generate 
>> certificates - that could easily be added to the DIAL/Pi/etc releases 
>> - let me see if I can scrounge it up :-) Assuming anyone would want 
>> that ability and Steve is OK with it :-)
>> Steven Donegan
>> KK6IVC General Class FCC License
>> Silver State Car #86
>> www.sscc.us <http://www.sscc.us/>
>>
>> ------------------------------------------------------------------------
>> *From:* David Andrzejewski <david at davidandrzejewski.com> 
>> <mailto:david at davidandrzejewski.com>
>> *To:* Steven Donegan <donegan at donegan.org> <mailto:donegan at donegan.org>
>> *Cc:* Bryan D. Boyle <bdboyle at bdboyle.com> 
>> <mailto:bdboyle at bdboyle.com>; "app_rpt-users at ohnosec.org" 
>> <mailto:app_rpt-users at ohnosec.org> <app_rpt-users at ohnosec.org> 
>> <mailto:app_rpt-users at ohnosec.org>
>> *Sent:* Monday, October 5, 2015 3:50 PM
>> *Subject:* Re: [App_rpt-users] New Official Allstar Distribution 
>> Released (DIAL)
>>
>> Yep - disallowing keyboard-interactive and accepting only 
>> certificates.  I turn off PermitRootLogin and only allow 
>> certificates.  Barring some kind of exploit in sshd, that ought to be 
>> secure enough.
>>
>> Steven Donegan wrote:
>>>
>>>
>>> Using certificates for ssh is yet another method :-)
>>> Steven Donegan
>>> KK6IVC General Class FCC License
>>> Silver State Car #86
>>> www.sscc.us <http://www.sscc.us/>
>>>
>>> ------------------------------------------------------------------------
>>> *From:* Bryan D. Boyle <bdboyle at bdboyle.com> 
>>> <mailto:bdboyle at bdboyle.com>
>>> *To:* Steven Donegan <donegan at donegan.org> <mailto:donegan at donegan.org>
>>> *Cc:* Steve Zingman <szingman at msgstor.com> 
>>> <mailto:szingman at msgstor.com>; "app_rpt-users at ohnosec.org" 
>>> <mailto:app_rpt-users at ohnosec.org> <app_rpt-users at ohnosec.org> 
>>> <mailto:app_rpt-users at ohnosec.org>
>>> *Sent:* Monday, October 5, 2015 2:49 PM
>>> *Subject:* Re: [App_rpt-users] New Official Allstar Distribution 
>>> Released (DIAL)
>>>
>>> Using a jump box as you describe is one way...not allowing SSH from 
>>> the outside adds a layer; setting up a secue VDI capability to the 
>>> jumpbox over a vpn is yet a third way...;).
>>>
>>> my rule: if it's exposed to the net, it's potentially vulnerable. 
>>>  Just turn on your SIP port and pop some popcorn to see...;)
>>>
>>> -- 
>>> Bryan
>>> Sent from my iPhone 5...No electrons were harmed in the sending of 
>>> this message.
>>>
>>>
>>>
>>>
>>>
>>> On Oct 5, 2015, at 17:39, Steven Donegan <donegan at donegan.org 
>>> <mailto:donegan at donegan.org>> wrote:
>>>
>>>> Direct root login being disallowed IF there were no other way to 
>>>> get full root privileges (not the case here) was considered best 
>>>> practice. However in almost every case there is a user (on Raspbian 
>>>> user pi) that can simply login, sudo -s and do whatever they want. 
>>>> Yes it puts up a small hurdle but I don't see it as a serious one.
>>>>
>>>> In short, there is almost no setup that will allow you to 
>>>> completely lock out root with the exception of a few well designed 
>>>> appliances. And that means someone is out there doing support to 
>>>> get things resolved. This system is not of that flavor and root is 
>>>> necessary for many things so frankly adding a hurdle or two really 
>>>> doesn't appreciably make the system more secure.
>>>>
>>>> Require a long pass phrase (say 20 mixed characters or so) and this 
>>>> whole thing is moot...
>>>>
>>>> And BTW - putting sshd on port 222 (or anything except 22) is 
>>>> security by obscurity - many tools can find standard protocols on 
>>>> non-standard ports :-) (I know, I wrote one)
>>>>
>>>> The best bet is to not allow ssh at all. If that is not feasible 
>>>> then do the su or sudo thing and/or set up an intermediate system 
>>>> such that you access a non-privileged account on system A, then ssh 
>>>> to system B and system B will ONLY accept ssh from system A. Still 
>>>> can be beaten but it is a bit harder...
>>>>
>>>> And BTW - I have done infosec for about 20 years so I am allowed to 
>>>> have an opinion on this topic :-)
>>>> Steven Donegan
>>>> KK6IVC General Class FCC License
>>>> Silver State Car #86
>>>> www.sscc.us <http://www.sscc.us/>
>>>>
>>>> ------------------------------------------------------------------------
>>>> *From:* Steve Zingman <szingman at msgstor.com 
>>>> <mailto:szingman at msgstor.com>>
>>>> *To:* "app_rpt-users at ohnosec.org 
>>>> <mailto:app_rpt-users at ohnosec.org>" <app_rpt-users at ohnosec.org 
>>>> <mailto:app_rpt-users at ohnosec.org>>
>>>> *Sent:* Monday, October 5, 2015 2:24 PM
>>>> *Subject:* [App_rpt-users] New Official Allstar Distribution 
>>>> Released (DIAL)
>>>>
>>>> Dave,
>>>> Let's say I agree with you. And I well may.
>>>> On most internet exposed machines, I don't even allow ssh unless I trust your address or require a VPN.
>>>> I agree is common practice to not allow it.
>>>> Now the question is why?
>>>>
>>>> As John McLaughlin would say, DISCUSS!
>>>>
>>>> On 10/05/2015 08:40 AM, Steve Zingman wrote:
>>>> >/root login via SSH is now allowed /
>>>> > This is a bad idea.  Root should *never* be allowed to login to a system
>>>> > remotely.  It's better to log in as a normal user and then become root
>>>> > via su, sudo, etc.
>>>>
>>>> > - Dave
>>>>
>>>>
>>>>
>>>> -- 
>>>> "Anything is possible if you don't know what you are talking about."
>>>> 1st Law of Logic
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> App_rpt-users mailing list
>>>> App_rpt-users at ohnosec.org <mailto:App_rpt-users at ohnosec.org>
>>>> http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users
>>>>
>>>> To unsubscribe from this list please visit 
>>>> http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users and 
>>>> scroll down to the bottom of the page. Enter your email address and 
>>>> press the "Unsubscribe or edit options button"
>>>> You do not need a password to unsubscribe, you can do it via email 
>>>> confirmation. If you have trouble unsubscribing, please send a 
>>>> message to the list detailing the problem.
>>>>
>>>>
>>>> _______________________________________________
>>>> App_rpt-users mailing list
>>>> App_rpt-users at ohnosec.org <mailto:App_rpt-users at ohnosec.org>
>>>> http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users
>>>>
>>>> To unsubscribe from this list please visit 
>>>> http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users and 
>>>> scroll down to the bottom of the page. Enter your email address and 
>>>> press the "Unsubscribe or edit options button"
>>>> You do not need a password to unsubscribe, you can do it via email 
>>>> confirmation. If you have trouble unsubscribing, please send a 
>>>> message to the list detailing the problem.
>>>
>>>
>>> _______________________________________________
>>> App_rpt-users mailing list
>>> App_rpt-users at ohnosec.org <mailto:App_rpt-users at ohnosec.org>
>>> http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users
>>>
>>> To unsubscribe from this list please visithttp://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users  and scroll down to the bottom of the page. Enter your email address and press the "Unsubscribe or edit options button"
>>> You do not need a password to unsubscribe, you can do it via email confirmation. If you have trouble unsubscribing, please send a message to the list detailing the problem.
>>
>>
>>
>>
>>
>> _______________________________________________
>> App_rpt-users mailing list
>> App_rpt-users at ohnosec.org <mailto:App_rpt-users at ohnosec.org>
>> http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users
>>
>> To unsubscribe from this list please visithttp://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users  and scroll down to the bottom of the page. Enter your email address and press the "Unsubscribe or edit options button"
>> You do not need a password to unsubscribe, you can do it via email confirmation. If you have trouble unsubscribing, please send a message to the list detailing the problem.
>
> -- 
> "Anything is possible if you don't know what you are talking about."
> 1st Law of Logic
>
>

-- 
"Anything is possible if you don't know what you are talking about."
1st Law of Logic

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.keekles.org/pipermail/app_rpt-users/attachments/20151005/bf1dd7ef/attachment.html>


More information about the App_rpt-users mailing list