[App_rpt-users] New Official Allstar Distribution Released (DIAL)

Stacy kg7qin at arrl.net
Tue Oct 6 02:36:38 UTC 2015


Same difference. :)


On 10/05/2015 07:30 PM, Loren Tedford wrote:
> Personally I use Fail2ban 
>
>
> Loren Tedford (KC9ZHV) 
> Email: lorentedford at gmail.com <mailto:lorentedford at gmail.com>
> Main Line:1-631-686-8878 Option 1 for Loren.
> Fax Line 1:1-618-551-2755
> Fax Line 2:1-631-686-8892 (New Fax line)
> Cell: 618-553-0806
> http://www.lorentedford.com <http://www.lorentedford.com/>
> http://www.kc9zhv.com
> http://hub.kc9zhv.com
>
> On Mon, Oct 5, 2015 at 9:06 PM, Stacy <kg7qin at arrl.net
> <mailto:kg7qin at arrl.net>> wrote:
>
>     Certificates, two-factor authentication and something like
>     ssh-guard set to block on the first three attempts with a really
>     really long block threshold. 
>
>     Stacy
>     KG7QIN
>
>
>     On 10/05/2015 02:57 PM, Steven Donegan wrote:
>>     Using certificates for ssh is yet another method :-)
>>      
>>     Steven Donegan
>>     KK6IVC General Class FCC License
>>     Silver State Car #86
>>     www.sscc.us <http://www.sscc.us>
>>
>>     ------------------------------------------------------------------------
>>     *From:* Bryan D. Boyle <bdboyle at bdboyle.com>
>>     *To:* Steven Donegan <donegan at donegan.org>
>>     *Cc:* Steve Zingman <szingman at msgstor.com>; "app_rpt-users at ohnosec.org" <app_rpt-users at ohnosec.org>
>>     *Sent:* Monday, October 5, 2015 2:49 PM
>>     *Subject:* Re: [App_rpt-users] New Official Allstar Distribution
>>     Released (DIAL)
>>
>>     Using a jump box as you describe is one way...not allowing SSH
>>     from the outside adds a layer; setting up a secure VDI capability
>>     to the jumpbox over a vpn is yet a third way...;). 
>>
>>     my rule: if it's exposed to the net, it's potentially
>>     vulnerable.  Just turn on your SIP port and pop some popcorn to
>>     see...;)
>>
>>     -- 
>>     Bryan
>>     Sent from my iPhone 5...No electrons were harmed in the sending
>>     of this message.
>>
>>
>>
>>
>>
>>     On Oct 5, 2015, at 17:39, Steven Donegan <donegan at donegan.org
>>     <mailto:donegan at donegan.org>> wrote:
>>
>>>     Direct root login being disallowed IF there were no other way to
>>>     get full root privileges (not the case here) was considered best
>>>     practice. However in almost every case there is a user (on
>>>     Raspbian user pi) that can simply login, sudo -s and do whatever
>>>     they want. Yes it puts up a small hurdle but I don't see it as a
>>>     serious one.
>>>
>>>     In short, there is almost no setup that will allow you to
>>>     completely lock out root with the exception of a few well
>>>     designed appliances. And that means someone is out there doing
>>>     support to get things resolved. This system is not of that
>>>     flavor and root is necessary for many things so frankly adding a
>>>     hurdle or two really doesn't appreciably make the system more
>>>     secure.
>>>
>>>     Require a long pass phrase (say 20 mixed characters or so) and
>>>     this whole thing is moot...
>>>
>>>     And BTW - putting sshd on port 222 (or anything except 22) is
>>>     security by obscurity - many tools can find standard protocols
>>>     on non-standard ports :-) (I know, I wrote one)
>>>
>>>     The best bet is to not allow ssh at all. If that is not feasible
>>>     then do the su or sudo thing and/or set up an intermediate
>>>     system such that you access a non-privileged account on system
>>>     A, then ssh to system B and system B will ONLY accept ssh from
>>>     system A. Still can be beaten but it is a bit harder...
>>>
>>>     And BTW - I have done infosec for about 20 years so I am allowed
>>>     to have an opinion on this topic :-)
>>>      
>>>     Steven Donegan
>>>     KK6IVC General Class FCC License
>>>     Silver State Car #86
>>>     www.sscc.us <http://www.sscc.us/>
>>>
>>>     ------------------------------------------------------------------------
>>>     *From:* Steve Zingman <szingman at msgstor.com>
>>>     *To:* "app_rpt-users at ohnosec.org" <app_rpt-users at ohnosec.org>
>>>     *Sent:* Monday, October 5, 2015 2:24 PM
>>>     *Subject:* [App_rpt-users] New Official Allstar Distribution
>>>     Released (DIAL)
>>>
>>>     Dave,
>>>     Let's say I agree with you. And I well may.
>>>     On most internet exposed machines, I don't even allow ssh unless I trust your address or require a VPN. 
>>>     I agree it is common practice to not allow it.
>>>     Now the question is why?
>>>
>>>     As John McLaughlin would say, DISCUSS!
>>>
>>>     On 10/05/2015 08:40 AM, Steve Zingman wrote:
>>>     >/root login via SSH is now allowed /
>>>     > This is a bad idea.  Root should *never* be allowed to login to a system 
>>>     > remotely.  It's better to log in as a normal user and then become root 
>>>     > via su, sudo, etc.
>>>
>>>     > - Dave
>>>
>>>
>>>
>>>     -- 
>>>     "Anything is possible if you don't know what you are talking about."
>>>     1st Law of Logic
>>>
>>>
>>>
>>>     _______________________________________________
>>>     App_rpt-users mailing list
>>>     App_rpt-users at ohnosec.org <mailto:App_rpt-users at ohnosec.org>
>>>     http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users
>>>
>>>     To unsubscribe from this list please visit
>>>     http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users and
>>>     scroll down to the bottom of the page. Enter your email address
>>>     and press the "Unsubscribe or edit options button"
>>>     You do not need a password to unsubscribe, you can do it via
>>>     email confirmation. If you have trouble unsubscribing, please
>>>     send a message to the list detailing the problem.
>>>
>>>
>>
>>
>>
>>
>
>
>
>
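
Added example, not part of the original thread or of the DIAL distribution: a small audit of `sshd -T`-style effective configuration for the settings argued over above (remote root login, password versus key authentication, accepting ssh only from a jump host, moving the port). The sample configurations, the finding names, the user `operator` and the address 192.0.2.10 are constructed for illustration.

```python
"""Audit sshd effective settings (as printed by `sshd -T`) for the thread's points."""

# Constructed sample: root may log in, passwords accepted, port merely moved.
SAMPLE_WEAK = """\
port 222
permitrootlogin yes
passwordauthentication yes
pubkeyauthentication yes
"""

# Constructed sample: no root login, keys only, one user accepted only from
# the jump host ("system A"); 192.0.2.10 is a documentation address.
SAMPLE_HARDENED = """\
port 22
permitrootlogin no
passwordauthentication no
pubkeyauthentication yes
allowusers operator@192.0.2.10
"""

def parse_effective(text):
    """Return {keyword: [values]}; a keyword such as allowusers may repeat."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf.setdefault(key.lower(), []).append(value.strip())
    return conf

def audit(text):
    """Return sorted finding names; missing keywords fall back to assumed defaults."""
    conf = parse_effective(text)
    first = lambda key, default: conf.get(key, [default])[0].lower()
    findings = []
    if first("permitrootlogin", "prohibit-password") != "no":
        findings.append("root-login-permitted")       # any value but "no" lets root in
    if first("passwordauthentication", "yes") == "yes":
        findings.append("password-auth-enabled")      # guessable; keys are not
    if first("pubkeyauthentication", "yes") != "yes":
        findings.append("pubkey-auth-disabled")
    allow = [p for v in conf.get("allowusers", []) for p in v.split()]
    if not allow or any("@" not in p for p in allow):
        findings.append("no-source-restriction")      # no USER@HOST pinning
    if first("port", "22") != "22":
        findings.append("nonstandard-port")           # informational: obscurity only
    return sorted(findings)

if __name__ == "__main__":
    for name, sample in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(name, audit(sample))
```

On a live host the input would be the output of `sshd -T` run as root; rate-limiting tools such as Fail2ban or sshguard sit outside sshd and are not visible in that output.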
