[App_rpt-users] New Official Allstar Distribution Released (DIAL)

Stacy kg7qin at arrl.net
Thu Oct 8 22:31:40 UTC 2015


https://www.sans.org/critical-security-controls

Follow the link above for a good place to start at securing your
systems/networks. 
#12 is relevant in this case. :)

-Stacy
KG7QIN

On 10/05/2015 04:15 PM, Steven Donegan wrote:
> Let me spin up one of the DIAL setups - may take me a day - then see
> what is enabled by default and hardening will be 'easy' (no
> processes/ports active not absolutely required). Adding the CA stuff
> will be easy as well if desired. Whatever the overall direction is I
> can do security stuff :-)
>  
> Steven Donegan
> KK6IVC General Class FCC License
> Silver State Car #86
> www.sscc.us
>
> ------------------------------------------------------------------------
> *From:* Steve Zingman <szingman at msgstor.com>
> *To:* Steven Donegan <donegan at donegan.org>; David Andrzejewski
> <david at davidandrzejewski.com>
> *Cc:* "app_rpt-users at ohnosec.org" <app_rpt-users at ohnosec.org>
> *Sent:* Monday, October 5, 2015 4:04 PM
> *Subject:* Re: [App_rpt-users] New Official Allstar Distribution
> Released (DIAL)
>
> Sure,
> I think a hardening script might be in order (and optional).
>
>
>
> On 10/05/2015 06:55 PM, Steven Donegan wrote:
>> BTW - I have a script to make a *NIX box a CA and generate
>> certificates - that could easily be added to the DIAL/Pi/etc releases
>> - let me see if I can scrounge it up :-) Assuming anyone would want
>> that ability and Steve is OK with it :-)
>>  
>> Steven Donegan
>> KK6IVC General Class FCC License
>> Silver State Car #86
>> www.sscc.us <http://www.sscc.us/>
>>
>> ------------------------------------------------------------------------
>> *From:* David Andrzejewski <david at davidandrzejewski.com>
>> *To:* Steven Donegan <donegan at donegan.org>
>> *Cc:* Bryan D. Boyle <bdboyle at bdboyle.com>; "app_rpt-users at ohnosec.org"
>> <app_rpt-users at ohnosec.org>
>> *Sent:* Monday, October 5, 2015 3:50 PM
>> *Subject:* Re: [App_rpt-users] New Official Allstar Distribution
>> Released (DIAL)
>>
>> Yep - disallowing keyboard-interactive and accepting only
>> certificates.  I turn off PermitRootLogin and only allow
>> certificates.  Barring some kind of exploit in sshd, that ought to be
>> secure enough.
>>
>> Steven Donegan wrote:
>>>
>>>
>>> Using certificates for ssh is yet another method :-)
>>>  
>>> Steven Donegan
>>> KK6IVC General Class FCC License
>>> Silver State Car #86
>>> www.sscc.us <http://www.sscc.us/>
>>>
>>> ------------------------------------------------------------------------
>>> *From:* Bryan D. Boyle <bdboyle at bdboyle.com>
>>> *To:* Steven Donegan <donegan at donegan.org>
>>> *Cc:* Steve Zingman <szingman at msgstor.com>; "app_rpt-users at ohnosec.org"
>>> <app_rpt-users at ohnosec.org>
>>> *Sent:* Monday, October 5, 2015 2:49 PM
>>> *Subject:* Re: [App_rpt-users] New Official Allstar Distribution
>>> Released (DIAL)
>>>
>>> Using a jump box as you describe is one way...not allowing SSH from
>>> the outside adds a layer; setting up a secure VDI capability to the
>>> jumpbox over a vpn is yet a third way...;). 
>>>
>>> my rule: if it's exposed to the net, it's potentially vulnerable.
>>>  Just turn on your SIP port and pop some popcorn to see...;)
>>>
>>> -- 
>>> Bryan
>>> Sent from my iPhone 5...No electrons were harmed in the sending of
>>> this message.
>>>
>>>
>>>
>>>
>>>
>>> On Oct 5, 2015, at 17:39, Steven Donegan <donegan at donegan.org> wrote:
>>>
>>>> Direct root login being disallowed IF there were no other way to
>>>> get full root privileges (not the case here) was considered best
>>>> practice. However in almost every case there is a user (on Raspbian
>>>> user pi) that can simply login, sudo -s and do whatever they want.
>>>> Yes it puts up a small hurdle but I don't see it as a serious one.
>>>>
>>>> In short, there is almost no setup that will allow you to
>>>> completely lock out root with the exception of a few well designed
>>>> appliances. And that means someone is out there doing support to
>>>> get things resolved. This system is not of that flavor and root is
>>>> necessary for many things so frankly adding a hurdle or two really
>>>> doesn't appreciably make the system more secure.
>>>>
>>>> Require a long pass phrase (say 20 mixed characters or so) and this
>>>> whole thing is moot...
>>>>
>>>> And BTW - putting sshd on port 222 (or anything except 22) is
>>>> security by obscurity - many tools can find standard protocols on
>>>> non-standard ports :-) (I know, I wrote one)
>>>>
>>>> The best bet is to not allow ssh at all. If that is not feasible
>>>> then do the su or sudo thing and/or set up an intermediate system
>>>> such that you access a non-privileged account on system A, then ssh
>>>> to system B and system B will ONLY accept ssh from system A. Still
>>>> can be beaten but it is a bit harder...
>>>>
>>>> And BTW - I have done infosec for about 20 years so I am allowed to
>>>> have an opinion on this topic :-)
>>>>  
>>>> Steven Donegan
>>>> KK6IVC General Class FCC License
>>>> Silver State Car #86
>>>> www.sscc.us <http://www.sscc.us/>
>>>>
>>>> ------------------------------------------------------------------------
>>>> *From:* Steve Zingman <szingman at msgstor.com>
>>>> *To:* "app_rpt-users at ohnosec.org" <app_rpt-users at ohnosec.org>
>>>> *Sent:* Monday, October 5, 2015 2:24 PM
>>>> *Subject:* [App_rpt-users] New Official Allstar Distribution
>>>> Released (DIAL)
>>>>
>>>> Dave,
>>>> Let's say I agree with you. And I well may.
>>>> On most internet exposed machines, I don't even allow ssh unless I trust your address or require a VPN. 
>>>> I agree it is common practice to not allow it.
>>>> Now the question is why?
>>>>
>>>> As John McLaughlin would say, DISCUSS!
>>>>
>>>> On 10/05/2015 08:40 AM, Steve Zingman wrote:
>>>> > root login via SSH is now allowed
>>>> > This is a bad idea.  Root should *never* be allowed to login to a system 
>>>> > remotely.  It's better to log in as a normal user and then become root 
>>>> > via su, sudo, etc.
>>>>
>>>> > - Dave
>>>>
>>>>
>>>>
>>>> -- 
>>>> "Anything is possible if you don't know what you are talking about."
>>>> 1st Law of Logic
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> App_rpt-users mailing list
>>>> App_rpt-users at ohnosec.org <mailto:App_rpt-users at ohnosec.org>
>>>> http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users
>>>>
>>>> To unsubscribe from this list please visit
>>>> http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users and
>>>> scroll down to the bottom of the page. Enter your email address and
>>>> press the "Unsubscribe or edit options button"
>>>> You do not need a password to unsubscribe, you can do it via email
>>>> confirmation. If you have trouble unsubscribing, please send a
>>>> message to the list detailing the problem.
>>>>
>>>>
>>>
>>>
>>
>>
>>
>>
>>
>
> -- 
> "Anything is possible if you don't know what you are talking about."
> 1st Law of Logic
>
>
>
>
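
The settings the thread converges on (PermitRootLogin off, no password or
keyboard-interactive authentication so only keys get in, and sshd accepting
a single admin user only from a jump host) as an added shell example. This is
not the DIAL distribution's code and not the hardening or CA script anyone in
the thread offered to post; the config path, the user name "admin", the jump
host name and the sample sshd_config contents are all placeholders made up for
the example.

```shell
#!/bin/sh
# Added example, not DIAL's own hardening script: set sshd_config directives
# idempotently, then read back the effective global value to check them.
# Assumes the OpenSSH "Key value" line form (the "Key=value" form is not
# handled) and that FILE, ADMIN_USER and JUMP_HOST are supplied by the caller.
set -eu

# set_directive FILE KEY VALUE
# sshd honours the first global occurrence of most keywords, so the wanted
# line is placed at the top of the file. Any other uncommented occurrence
# before the first "Match" block is commented out (kept for the record, not
# deleted); lines inside Match blocks are left alone. A second run with the
# same values leaves the file unchanged.
set_directive() {
    file=$1; key=$2; value=$3
    tmp="$file.tmp.$$"
    awk -v k="$key" -v v="$value" '
        { line[NR] = $0 }
        tolower($1) == "match" && !first_match { first_match = NR }
        END {
            want = k " " v
            have = 0
            for (i = 1; i <= NR; i++) {
                if (first_match && i >= first_match) break
                n = split(line[i], f)
                if (n == 0 || tolower(f[1]) != tolower(k)) continue
                rest = line[i]
                sub(/^[ \t]*[^ \t]+[ \t]*/, "", rest)
                if (!have && tolower(rest) == tolower(v)) {
                    line[i] = want; have = 1      # already correct: keep it
                } else {
                    line[i] = "#" line[i]         # stale value: disable it
                }
            }
            if (!have) print want
            for (i = 1; i <= NR; i++) print line[i]
        }' "$file" > "$tmp" && mv "$tmp" "$file"
}

# effective_value FILE KEY
# Print the value sshd would use globally: the first uncommented occurrence
# before any Match block, or "<unset>" if there is none (the compiled-in
# default then applies).
effective_value() {
    awk -v k="$2" '
        tolower($1) == "match" { exit }
        tolower($1) == tolower(k) { sub(/^[ \t]*[^ \t]+[ \t]*/, ""); print; found = 1; exit }
        END { if (!found) print "<unset>" }' "$1"
}

# harden_sshd_config FILE ADMIN_USER JUMP_HOST
# No root login, keys only, and only ADMIN_USER coming from JUMP_HOST may
# log in at all (the USER@HOST form of AllowUsers; HOST may be a name or an
# address pattern). Closing ChallengeResponseAuthentication matters because
# with UsePAM it is another route to a password prompt.
harden_sshd_config() {
    file=$1; admin_user=$2; jump_host=$3
    set_directive "$file" PermitRootLogin no
    set_directive "$file" PasswordAuthentication no
    # Documented keyword name of the period; newer OpenSSH accepts it as an
    # alias of KbdInteractiveAuthentication.
    set_directive "$file" ChallengeResponseAuthentication no
    set_directive "$file" PubkeyAuthentication yes
    set_directive "$file" AllowUsers "$admin_user@$jump_host"
}

# Constructed sample loosely resembling a stock Raspbian sshd_config; not a
# capture from a real box. The hostname and user are placeholders.
SAMPLE="${TMPDIR:-/tmp}/sshd_config.example.$$"
cat > "$SAMPLE" <<'EOF'
# Package generated configuration file
Port 22
Protocol 2
PermitRootLogin yes
#PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
Match User git
    PasswordAuthentication yes
EOF

harden_sshd_config "$SAMPLE" admin jump.example.org
harden_sshd_config "$SAMPLE" admin jump.example.org   # second run: no change
cat "$SAMPLE"
rm -f "$SAMPLE"
```

On a real node, run it against a copy, check it with "sshd -t -f <copy>" before
moving it into place, and keep your current session open while you test a new
login from the jump host. As Steven points out above, a user such as pi with
sudo still gets you root, so the AllowUsers restriction and key-only
authentication carry more of the weight here than PermitRootLogin alone.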
