[App_rpt-users] Node security

Steven Donegan donegan at donegan.org
Mon Oct 5 23:43:29 UTC 2015


5038 is asterisk management port - I would suggest for hardening that 222 (whatever port is selected for ssh) and 4569 be firewalled tightly and 5038 kept totally local. But this is all food for further discussion :-)
Not having a currently running Debian system handy - does it use iptables or firewalld? I have set up both in a scripted fashion before.
 Steven Donegan
KK6IVC General Class FCC License
Silver State Car #86
www.sscc.us
      From: Steve Zingman <szingman at msgstor.com>
 To: Steven Donegan <donegan at donegan.org> 
Cc: "app_rpt-users at ohnosec.org" <app_rpt-users at ohnosec.org> 
 Sent: Monday, October 5, 2015 4:38 PM
 Subject: Node security
   
 As of right now it's listening to 222 and 5038 on 127.0.0.1 TCP
 and 4569 on UDP.
 
 That's all.
 
 

On 10/05/2015 07:15 PM, Steven Donegan wrote:
  
  Let me spin up one of the DIAL setups - may take me a day - then see what is enabled by default and hardening will be 'easy' (no processes/ports active not absolutely required). Adding the CA stuff will be easy as well if desired. Whatever the overall direction is I can do security stuff :-)
     Steven Donegan
 KK6IVC General Class FCC License
 Silver State Car #86
 www.sscc.us 
      From: Steve Zingman <szingman at msgstor.com>
 To: Steven Donegan <donegan at donegan.org>; David Andrzejewski <david at davidandrzejewski.com> 
 Cc: "app_rpt-users at ohnosec.org" <app_rpt-users at ohnosec.org> 
 Sent: Monday, October 5, 2015 4:04 PM
 Subject: Re: [App_rpt-users] New Official Allstar Distribution Released (DIAL)
   
   Sure,
 I think a hardening script might be in order (and optional).
 
 
 
   On 10/05/2015 06:55 PM, Steven Donegan wrote:
  
 BTW - I have a script to make a *NIX box a CA and generate certificates - that could easily be added to the DIAL/Pi/etc releases - let me see if I can scrounge it up :-) Assuming anyone would want that ability and Steve is OK with it :-)
    Steven Donegan
 KK6IVC General Class FCC License
 Silver State Car #86
 www.sscc.us 
      From: David Andrzejewski <david at davidandrzejewski.com>
 To: Steven Donegan <donegan at donegan.org> 
 Cc: Bryan D. Boyle <bdboyle at bdboyle.com>; "app_rpt-users at ohnosec.org" <app_rpt-users at ohnosec.org> 
 Sent: Monday, October 5, 2015 3:50 PM
 Subject: Re: [App_rpt-users] New Official Allstar Distribution Released (DIAL)
   
  Yep - disallowing keyboard-interactive and accepting only certificates.  I turn off PermitRootLogin and only allow certificates.  Barring some kind of exploit in sshd, that ought to be secure enough.
 
 Steven Donegan wrote:
 
 
 
   Using certificates for ssh is yet another method :-) 
    Steven Donegan
 KK6IVC General Class FCC License
 Silver State Car #86
 www.sscc.us 
      From: Bryan D. Boyle <bdboyle at bdboyle.com>
 To: Steven Donegan <donegan at donegan.org> 
 Cc: Steve Zingman <szingman at msgstor.com>; "app_rpt-users at ohnosec.org" <app_rpt-users at ohnosec.org> 
 Sent: Monday, October 5, 2015 2:49 PM
 Subject: Re: [App_rpt-users] New Official Allstar Distribution Released (DIAL)
   
   Using a jump box as you describe is one way...not allowing SSH from the outside adds a layer; setting up a secure VDI capability to the jumpbox over a vpn is yet a third way...;).
  my rule: if it's exposed to the net, it's potentially vulnerable. Just turn on your SIP port and pop some popcorn to see...;)
 
 -- Bryan Sent from my iPhone 5...No electrons were harmed in the sending of this message.
 
    
 
   
 On Oct 5, 2015, at 17:39, Steven Donegan <donegan at donegan.org> wrote:
 
  
   Direct root login being disallowed IF there were no other way to get full root privileges (not the case here) was considered best practice. However in almost every case there is a user (on Raspbian user pi) that can simply login, sudo -s and do whatever they want. Yes it puts up a small hurdle but I don't see it as a serious one.
  In short, there is almost no setup that will allow you to completely lock out root with the exception of a few well designed appliances. And that means someone is out there doing support to get things resolved. This system is not of that flavor and root is necessary for many things so frankly adding a hurdle or two really doesn't appreciably make the system more secure.
  Require a long pass phrase (say 20 mixed characters or so) and this whole thing is moot...
  And BTW - putting sshd on port 222 (or anything except 22) is security by obscurity - many tools can find standard protocols on non-standard ports :-) (I know, I wrote one)

  The best bet is to not allow ssh at all. If that is not feasible then do the su or sudo thing and/or set up an intermediate system such that you access a non-privileged account on system A, then ssh to system B and system B will ONLY accept ssh from system A. Still can be beaten but it is a bit harder...
  And BTW - I have done infosec for about 20 years so I am allowed to have an opinion on this topic :-)
     Steven Donegan
 KK6IVC General Class FCC License
 Silver State Car #86
 www.sscc.us 
      From: Steve Zingman <szingman at msgstor.com>
 To: "app_rpt-users at ohnosec.org" <app_rpt-users at ohnosec.org> 
 Sent: Monday, October 5, 2015 2:24 PM
 Subject: [App_rpt-users] New Official Allstar Distribution Released (DIAL)
   
     Dave,
Let's say I agree with you. And I well may.
On most internet exposed machines, I don't even allow ssh unless I trust your address or require a VPN. 
I agree it's common practice to not allow it.
Now the question is why?

As John McLaughlin would say, DISCUSS!

On 10/05/2015 08:40 AM, Steve Zingman wrote:
> root login via SSH is now allowed

> This is a bad idea.  Root should *never* be allowed to login to a system 
> remotely.  It's better to log in as a normal user and then become root 
> via su, sudo, etc.

> - Dave


 
 -- 
"Anything is possible if you don't know what you are talking about."
1st Law of Logic 
 
      
 _______________________________________________
 App_rpt-users mailing list
 App_rpt-users at ohnosec.org
 http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users
 
 To unsubscribe from this list please visit http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users and scroll down to the bottom of the page. Enter your email address and press the "Unsubscribe or edit options button"
 You do not need a password to unsubscribe, you can do it via email confirmation. If you have trouble unsubscribing, please send a message to the list detailing the problem.
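
Added example, not part of the thread or of the DIAL distribution: a listener audit for the port policy proposed in the top message (5038 loopback-only; 222/tcp and 4569/udp, the IAX2 port, exposed but to be firewalled; nothing else listening that is not required). The function names, status words and the sample `ss -tuln` output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Policy taken from the discussion:
#   5038/tcp  Asterisk manager -> must be bound to loopback only
#   222/tcp   sshd, 4569/udp IAX2 -> reachable, so firewall them tightly
#   any other non-loopback listener -> not required by the node, review it

# Constructed sample of `ss -tuln` output with 5038 wrongly bound to all
# interfaces and one unexpected listener on port 80.
sample_ss_output() {
    cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      0.0.0.0:4569       0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:222        0.0.0.0:*
tcp   LISTEN 0      10     0.0.0.0:5038       0.0.0.0:*
tcp   LISTEN 0      50     [::]:80            [::]:*
tcp   LISTEN 0      10     127.0.0.1:25       0.0.0.0:*
EOF
}

# stdin: `ss -tuln` output. stdout: "<STATUS> <port>/<proto> <bind address>".
# Exit status 1 if the manager port is reachable off-box, otherwise 0.
audit_listeners() {
    awk '
    $1 != "tcp" && $1 != "udp" { next }       # skip header and other netids
    {
        proto = $1; sock = $5
        if (!match(sock, /:[0-9]+$/)) next    # port follows the last colon
        addr = substr(sock, 1, RSTART - 1)
        port = substr(sock, RSTART + 1)
        gsub(/^\[|\]$/, "", addr)             # unwrap [v6] literals
        key  = port "/" proto
        loop = (addr ~ /^127\./ || addr == "::1")

        if (loop)                                        status = "LOCAL"
        else if (key == "5038/tcp")                    { status = "FAIL"; bad = 1 }
        else if (key == "222/tcp" || key == "4569/udp")  status = "FIREWALL"
        else                                             status = "REVIEW"
        print status, key, addr
    }
    END { exit bad + 0 }'
}

# Stand-alone demo on the constructed sample; on a node: ss -tuln | audit_listeners
if [ "${1:-}" = "--demo" ]; then
    sample_ss_output | audit_listeners || true
fi
```

`FIREWALL` lines mark services that should be covered by a source-restricted rule in whichever of iptables or firewalld the system uses; the script only reports bindings and does not inspect firewall state.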
 
      
  