[App_rpt-users] New Official Allstar Distribution Released (DIAL)

Loren Tedford lorentedford at gmail.com
Tue Oct 6 02:30:35 UTC 2015


Personally I use Fail2ban


Loren Tedford (KC9ZHV)
Email: lorentedford at gmail.com
Main Line:1-631-686-8878 Option 1 for Loren.
Fax Line 1:1-618-551-2755
Fax Line 2:1-631-686-8892 (New Fax line)
Cell: 618-553-0806
http://www.lorentedford.com
http://www.kc9zhv.com
http://hub.kc9zhv.com

On Mon, Oct 5, 2015 at 9:06 PM, Stacy <kg7qin at arrl.net> wrote:

> Certificates, two-factor authentication and something like ssh-guard set
> to block on the first three attempts with a really really long block
> threshold.
>
> Stacy
> KG7QIN
>
>
> On 10/05/2015 02:57 PM, Steven Donegan wrote:
>
> Using certificates for ssh is yet another method :-)
>
> Steven Donegan
> KK6IVC General Class FCC License
> Silver State Car #86
> www.sscc.us
>
> ------------------------------
> *From:* Bryan D. Boyle <bdboyle at bdboyle.com>
> *To:* Steven Donegan <donegan at donegan.org>
> *Cc:* Steve Zingman <szingman at msgstor.com>;
> "app_rpt-users at ohnosec.org" <app_rpt-users at ohnosec.org>
> *Sent:* Monday, October 5, 2015 2:49 PM
> *Subject:* Re: [App_rpt-users] New Official Allstar Distribution Released
> (DIAL)
>
> Using a jump box as you describe is one way...not allowing SSH from the
> outside adds a layer; setting up a secure VDI capability to the jumpbox over
> a vpn is yet a third way...;).
>
> my rule: if it's exposed to the net, it's potentially vulnerable.  Just
> turn on your SIP port and pop some popcorn to see...;)
>
> --
> Bryan
> Sent from my iPhone 5...No electrons were harmed in the sending of this
> message.
>
>
>
>
>
> On Oct 5, 2015, at 17:39, Steven Donegan <donegan at donegan.org> wrote:
>
> Direct root login being disallowed IF there were no other way to get full
> root privileges (not the case here) was considered best practice. However
> in almost every case there is a user (on Raspbian user pi) that can simply
> login, sudo -s and do whatever they want. Yes it puts up a small hurdle but
> I don't see it as a serious one.
>
> In short, there is almost no setup that will allow you to completely lock
> out root with the exception of a few well designed appliances. And that
> means someone is out there doing support to get things resolved. This
> system is not of that flavor and root is necessary for many things so
> frankly adding a hurdle or two really doesn't appreciably make the system
> more secure.
>
> Require a long pass phrase (say 20 mixed characters or so) and this whole
> thing is moot...
>
> And BTW - putting sshd on port 222 (or anything except 22) is security by
> obscurity - many tools can find standard protocols on non-standard ports
> :-) (I know, I wrote one)
>
> The best bet is to not allow ssh at all. If that is not feasible then do
> the su or sudo thing and/or set up an intermediate system such that you
> access a non-privileged account on system A, then ssh to system B and
> system B will ONLY accept ssh from system A. Still can be beaten but it is
> a bit harder...
>
> And BTW - I have done infosec for about 20 years so I am allowed to have
> an opinion on this topic :-)
>
> Steven Donegan
> KK6IVC General Class FCC License
> Silver State Car #86
> www.sscc.us
>
> ------------------------------
> *From:* Steve Zingman <szingman at msgstor.com>
> *To:* "app_rpt-users at ohnosec.org" <app_rpt-users at ohnosec.org>
> *Sent:* Monday, October 5, 2015 2:24 PM
> *Subject:* [App_rpt-users] New Official Allstar Distribution Released
> (DIAL)
>
> Dave,
> Let's say I agree with you. And I well may.
> On most internet exposed machines, I don't even allow ssh unless I trust your address or require a VPN.
> I agree it is common practice to not allow it.
> Now the question is why?
>
> As John McLaughlin would say, DISCUSS!
>
> On 10/05/2015 08:40 AM, Steve Zingman wrote:
> > * root login via SSH is now allowed
> > This is a bad idea.  Root should *never* be allowed to login to a system
> > remotely.  It's better to log in as a normal user and then become root
> > via su, sudo, etc.
>
> > - Dave
>
>
>
>
> --
> "Anything is possible if you don't know what you are talking about."
> 1st Law of Logic
>
>
>
>
> _______________________________________________
> App_rpt-users mailing list
> App_rpt-users at ohnosec.org
> http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users
>
> To unsubscribe from this list please visit http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users
> and scroll down to the bottom of the page. Enter your email address and
> press the "Unsubscribe or edit options button"
> You do not need a password to unsubscribe, you can do it via email
> confirmation. If you have trouble unsubscribing, please send a message to
> the list detailing the problem.
>
>
>
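As an added example that is not code from the thread or from the DIAL distribution: a small POSIX shell audit that checks an sshd_config for the controls argued for above (Dave's no remote root login, the key/certificate-only authentication Steven and Stacy mention, and the jump-host pattern where system B only accepts logins from system A). Both configs are constructed, the jump-host address 192.0.2.10 is a placeholder, and `pi` is the Raspbian account Steven refers to.

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config for no remote root,
# key-only authentication and a user@jump-host restriction. The two configs
# below are constructed; 192.0.2.10 stands in for the jump host (system A).

# Effective global value of a keyword. sshd keeps the FIRST value it reads for
# a keyword, and lines after the first "Match" are conditional, so only the
# global section (before any Match) is inspected.
sshd_value() {  # $1 = config file, $2 = keyword (case-insensitive)
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        tolower($1) == "match"       { exit }
        /^[[:space:]]*#/ || NF == 0  { next }
        tolower($1) == key           { print $2; exit }
    ' "$1"
}

# One line per control the config fails. A moved port is only noted on stderr,
# not credited: a non-standard port is obscurity, not a control.
audit_sshd() {  # $1 = config file
    v=$(sshd_value "$1" PermitRootLogin)
    [ "$v" = "no" ] || echo "PermitRootLogin=${v:-unset}: remote root login not disabled"
    v=$(sshd_value "$1" PasswordAuthentication)
    [ "$v" = "no" ] || echo "PasswordAuthentication=${v:-unset}: passwords still accepted"
    v=$(sshd_value "$1" AllowUsers)
    case "$v" in *@*) ;; *) echo "AllowUsers=${v:-unset}: no user@jump-host restriction" ;; esac
    p=$(sshd_value "$1" Port)
    [ -z "$p" ] || [ "$p" = 22 ] || echo "note: Port=$p is not counted as a control" >&2
}

# Number of failed controls; always exits 0 so it composes under set -e.
failed_controls() { audit_sshd "$1" 2>/dev/null | awk 'END { print NR }'; }

WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
# constructed: root and passwords allowed, sshd merely moved to port 222
Port 222
PermitRootLogin yes
PasswordAuthentication yes
EOF
cat > "$HARD_CFG" <<'EOF'
# constructed: hardened along the lines of the thread
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers pi@192.0.2.10
Match Address 192.0.2.10
    MaxAuthTries 3
EOF
echo "weak config:"; audit_sshd "$WEAK_CFG"
echo "hardened config: $(failed_controls "$HARD_CFG") failed control(s)"
```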