[App_rpt-users] New Official Allstar Distribution Released (DIAL)

Tue Oct 6 02:06:29 UTC 2015

Certificates, two-factor authentication and something like ssh-guard set
to block on the first three attempts with a really really long block
threshold. 

Stacy
KG7QIN

On 10/05/2015 02:57 PM, Steven Donegan wrote:
> Using certificates for ssh is yet another method :-)
>  
> Steven Donegan
> KK6IVC General Class FCC License
> Silver State Car #86
> www.sscc.us
>
> ------------------------------------------------------------------------
> *From:* Bryan D. Boyle <bdboyle at bdboyle.com>
> *To:* Steven Donegan <donegan at donegan.org>
> *Cc:* Steve Zingman <szingman at msgstor.com>;
> "app_rpt-users at ohnosec.org" <app_rpt-users at ohnosec.org>
> *Sent:* Monday, October 5, 2015 2:49 PM
> *Subject:* Re: [App_rpt-users] New Official Allstar Distribution
> Released (DIAL)
>
> Using a jump box as you describe is one way...not allowing SSH from
> the outside adds a layer; setting up a secue VDI capability to the
> jumpbox over a vpn is yet a third way...;). 
>
> my rule: if it's exposed to the net, it's potentially vulnerable.
>  Just turn on your SIP port and pop some popcorn to see...;)
>
> -- 
> Bryan
> Sent from my iPhone 5...No electrons were harmed in the sending of
> this message.
>
>
>
>
>
> On Oct 5, 2015, at 17:39, Steven Donegan <donegan at donegan.org
> <mailto:donegan at donegan.org>> wrote:
>
>> Direct root login being disallowed IF there were no other way to get
>> full root privileges (not the case here) was considered best
>> practice. However in almost every case there is a user (on Raspbian
>> user pi) that can simply login, sudo -s and do whatever they want.
>> Yes it puts up a small hurdle but I don't see it as a serious one.
>>
>> In short, there is almost no setup that will allow you to completely
>> lock out root with the exception of a few well designed appliances.
>> And that means someone is out there doing support to get things
>> resolved. This system is not of that flavor and root is necessary for
>> many things so frankly adding a hurdle or two really doesn't
>> appreciably make the system more secure.
>>
>> Require a long pass phrase (say 20 mixed characters or so) and this
>> whole thing is moot...
>>
>> And BTW - putting sshd on port 222 (or anything except 22) is
>> security by obscurity - many tools can find standard protocols on
>> non-standard ports :-) (I know, I wrote one)
>>
>> The best bet is to not allow ssh at all. If that is not feasible then
>> do the su or sudo thing and/or set up an intermediate system such
>> that you access a non-privileged account on system A, then ssh to
>> system B and system B will ONLY accept ssh from system A. Still can
>> be beaten but it is a bit harder...
>>
>> And BTW - I have done infosec for about 20 years so I am allowed to
>> have an opinion on this topic :-)
>>  
>> Steven Donegan
>> KK6IVC General Class FCC License
>> Silver State Car #86
>> www.sscc.us <http://www.sscc.us/>
>>
>> ------------------------------------------------------------------------
>> *From:* Steve Zingman <szingman at msgstor.com
>> <mailto:szingman at msgstor.com>>
>> *To:* "app_rpt-users at ohnosec.org <mailto:app_rpt-users at ohnosec.org>"
>> <app_rpt-users at ohnosec.org <mailto:app_rpt-users at ohnosec.org>>
>> *Sent:* Monday, October 5, 2015 2:24 PM
>> *Subject:* [App_rpt-users] New Official Allstar Distribution Released
>> (DIAL)
>>
>> Dave,
>> Let's say I agree with you. And I well may.
>> On most internet exposed machines, I don't even allow ssh unless I trust your address or require a VPN. 
>> I agree is common practice to not allow it.
>> Now the question is why?
>>
>> As John McLaughlin would say, DISCUSS!
>>
>> On 10/05/2015 08:40 AM, Steve Zingman wrote:
>> >/root login via SSH is now allowed /
>> > This is a bad idea.  Root should *never* be allowed to login to a system 
>> > remotely.  It's better to log in as a normal user and then become root 
>> > via su, sudo, etc.
>>
>> > - Dave
>>
>>
>>
>> -- 
>> "Anything is possible if you don't know what you are talking about."
>> 1st Law of Logic
>>
>>
>>
>> _______________________________________________
>> App_rpt-users mailing list
>> App_rpt-users at ohnosec.org <mailto:App_rpt-users at ohnosec.org>
>> http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users
>>
>> To unsubscribe from this list please visit
>> http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users and scroll
>> down to the bottom of the page. Enter your email address and press
>> the "Unsubscribe or edit options button"
>> You do not need a password to unsubscribe, you can do it via email
>> confirmation. If you have trouble unsubscribing, please send a
>> message to the list detailing the problem.
>>
>>
>> _______________________________________________
>> App_rpt-users mailing list
>> App_rpt-users at ohnosec.org <mailto:App_rpt-users at ohnosec.org>
>> http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users
>>
>> To unsubscribe from this list please visit
>> http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users and scroll
>> down to the bottom of the page. Enter your email address and press
>> the "Unsubscribe or edit options button"
>> You do not need a password to unsubscribe, you can do it via email
>> confirmation. If you have trouble unsubscribing, please send a
>> message to the list detailing the problem.
>
>
>
>
> _______________________________________________
> App_rpt-users mailing list
> App_rpt-users at ohnosec.org
> http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users
>
> To unsubscribe from this list please visit http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users and scroll down to the bottom of the page. Enter your email address and press the "Unsubscribe or edit options button"
> You do not need a password to unsubscribe, you can do it via email confirmation. If you have trouble unsubscribing, please send a message to the list detailing the problem. 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.keekles.org/pipermail/app_rpt-users/attachments/20151005/354f03c0/attachment.html>