[App_rpt-users] New Official Allstar Distribution Released (DIAL)

Steve Zingman szingman at msgstor.com
Thu Oct 8 22:40:24 UTC 2015


Stacy,
You are correct, as is pretty much everyone who has weighed in.
DIAL sets up a node so it can be configured by most users, either using 
Linux tools or tools on other systems (WinSCP).
Before a node is deployed it should be locked down. This is a given.

Right now my plate is full getting versions for other processors. So I'm 
going to ask the security people in the group to create a lock down or 
deploy script.
Take the existing DIAL deployment and lock it down. I'll take your work 
and make sure it fits with the x86 DIAL and the other processors.

I suggest you use the list so others can participate.

73, Steve N4IRS


On 10/08/2015 06:31 PM, Stacy wrote:
> https://www.sans.org/critical-security-controls
>
> Follow the link above for a good place to start at securing your 
> systems/networks.
> #12 is relevant in this case. :)
>
> -Stacy
> KG7QIN
>
> On 10/05/2015 04:15 PM, Steven Donegan wrote:
>> Let me spin up one of the DIAL setups - may take me a day - then see 
>> what is enabled by default and hardening will be 'easy' (no 
>> processes/ports active not absolutely required). Adding the CA stuff 
>> will be easy as well if desired. Whatever the overall direction is I 
>> can do security stuff :-)
>> Steven Donegan
>> KK6IVC General Class FCC License
>> Silver State Car #86
>> www.sscc.us
>>
>> ------------------------------------------------------------------------
>> *From:* Steve Zingman <szingman at msgstor.com>
>> *To:* Steven Donegan <donegan at donegan.org>; David Andrzejewski 
>> <david at davidandrzejewski.com>
>> *Cc:* "app_rpt-users at ohnosec.org" <app_rpt-users at ohnosec.org>
>> *Sent:* Monday, October 5, 2015 4:04 PM
>> *Subject:* Re: [App_rpt-users] New Official Allstar Distribution 
>> Released (DIAL)
>>
>> Sure,
>> I think a hardening script might be in order (and optional).
>>
>>
>>
>> On 10/05/2015 06:55 PM, Steven Donegan wrote:
>>> BTW - I have a script to make a *NIX box a CA and generate 
>>> certificates - that could easily be added to the DIAL/Pi/etc 
>>> releases - let me see if I can scrounge it up :-) Assuming anyone 
>>> would want that ability and Steve is OK with it :-)
>>> Steven Donegan
>>> KK6IVC General Class FCC License
>>> Silver State Car #86
>>> www.sscc.us <http://www.sscc.us/>
>>>
>>> ------------------------------------------------------------------------
>>> *From:* David Andrzejewski <david at davidandrzejewski.com>
>>> *To:* Steven Donegan <donegan at donegan.org>
>>> *Cc:* Bryan D. Boyle <bdboyle at bdboyle.com>; 
>>> "app_rpt-users at ohnosec.org" <app_rpt-users at ohnosec.org>
>>> *Sent:* Monday, October 5, 2015 3:50 PM
>>> *Subject:* Re: [App_rpt-users] New Official Allstar Distribution 
>>> Released (DIAL)
>>>
>>> Yep - disallowing keyboard-interactive and accepting only 
>>> certificates.  I turn off PermitRootLogin and only allow 
>>> certificates.  Barring some kind of exploit in sshd, that ought to 
>>> be secure enough.
>>>
>>> Steven Donegan wrote:
>>>>
>>>>
>>>> Using certificates for ssh is yet another method :-)
>>>> Steven Donegan
>>>> KK6IVC General Class FCC License
>>>> Silver State Car #86
>>>> www.sscc.us <http://www.sscc.us/>
>>>>
>>>> ------------------------------------------------------------------------
>>>> *From:* Bryan D. Boyle <bdboyle at bdboyle.com>
>>>> *To:* Steven Donegan <donegan at donegan.org>
>>>> *Cc:* Steve Zingman <szingman at msgstor.com>; 
>>>> "app_rpt-users at ohnosec.org" <app_rpt-users at ohnosec.org>
>>>> *Sent:* Monday, October 5, 2015 2:49 PM
>>>> *Subject:* Re: [App_rpt-users] New Official Allstar Distribution 
>>>> Released (DIAL)
>>>>
>>>> Using a jump box as you describe is one way...not allowing SSH from 
>>>> the outside adds a layer; setting up a secure VDI capability to the 
>>>> jumpbox over a VPN is yet a third way...;).
>>>>
>>>> My rule: if it's exposed to the net, it's potentially vulnerable. 
>>>> Just turn on your SIP port and pop some popcorn to see...;)
>>>>
>>>> -- 
>>>> Bryan
>>>> Sent from my iPhone 5...No electrons were harmed in the sending of 
>>>> this message.
>>>>
>>>> On Oct 5, 2015, at 17:39, Steven Donegan <donegan at donegan.org> wrote:
>>>>
>>>>> Direct root login being disallowed IF there were no other way to 
>>>>> get full root privileges (not the case here) was considered best 
>>>>> practice. However in almost every case there is a user (on 
>>>>> Raspbian user pi) that can simply login, sudo -s and do whatever 
>>>>> they want. Yes it puts up a small hurdle but I don't see it as a 
>>>>> serious one.
>>>>>
>>>>> In short, there is almost no setup that will allow you to 
>>>>> completely lock out root with the exception of a few well designed 
>>>>> appliances. And that means someone is out there doing support to 
>>>>> get things resolved. This system is not of that flavor and root is 
>>>>> necessary for many things so frankly adding a hurdle or two really 
>>>>> doesn't appreciably make the system more secure.
>>>>>
>>>>> Require a long pass phrase (say 20 mixed characters or so) and 
>>>>> this whole thing is moot...
>>>>>
>>>>> And BTW - putting sshd on port 222 (or anything except 22) is 
>>>>> security by obscurity - many tools can find standard protocols on 
>>>>> non-standard ports :-) (I know, I wrote one)
>>>>>
>>>>> The best bet is to not allow ssh at all. If that is not feasible 
>>>>> then do the su or sudo thing and/or set up an intermediate system 
>>>>> such that you access a non-privileged account on system A, then 
>>>>> ssh to system B and system B will ONLY accept ssh from system A. 
>>>>> Still can be beaten but it is a bit harder...
>>>>>
>>>>> And BTW - I have done infosec for about 20 years so I am allowed 
>>>>> to have an opinion on this topic :-)
>>>>> Steven Donegan
>>>>> KK6IVC General Class FCC License
>>>>> Silver State Car #86
>>>>> www.sscc.us
>>>>>
>>>>> ------------------------------------------------------------------------
>>>>> *From:* Steve Zingman <szingman at msgstor.com>
>>>>> *To:* "app_rpt-users at ohnosec.org" <app_rpt-users at ohnosec.org>
>>>>> *Sent:* Monday, October 5, 2015 2:24 PM
>>>>> *Subject:* [App_rpt-users] New Official Allstar Distribution 
>>>>> Released (DIAL)
>>>>>
>>>>> Dave,
>>>>> Let's say I agree with you. And I well may.
>>>>> On most internet-exposed machines, I don't even allow ssh unless I trust your address or require a VPN.
>>>>> I agree it is common practice not to allow it.
>>>>> Now the question is why?
>>>>>
>>>>> As John McLaughlin would say, DISCUSS!
>>>>>
>>>>> On 10/05/2015 08:40 AM, Steve Zingman wrote:
>>>>> > root login via SSH is now allowed
>>>>> > This is a bad idea.  Root should *never* be allowed to login to a system
>>>>> > remotely.  It's better to log in as a normal user and then become root
>>>>> > via su, sudo, etc.
>>>>>
>>>>> > - Dave
>>>>>
>>>>> -- 
>>>>> "Anything is possible if you don't know what you are talking about."
>>>>> 1st Law of Logic
>>>>>
>>>>> _______________________________________________
>>>>> App_rpt-users mailing list
>>>>> App_rpt-users at ohnosec.org
>>>>> http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users
>>>>>
>>>>> To unsubscribe from this list please visit 
>>>>> http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users and 
>>>>> scroll down to the bottom of the page. Enter your email address 
>>>>> and press the "Unsubscribe or edit options button"
>>>>> You do not need a password to unsubscribe, you can do it via email 
>>>>> confirmation. If you have trouble unsubscribing, please send a 
>>>>> message to the list detailing the problem.
>>>>>
>>>>
>>>
>>
>> -- 
>> "Anything is possible if you don't know what you are talking about."
>> 1st Law of Logic
>>
>

-- 
"Anything is possible if you don't know what you are talking about."
1st Law of Logic
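A lock-down script of the kind Steve asks for would start with a check like the one below. This is an added example, not code from the thread, from DIAL or from any list member; it assumes a plain whitespace-separated sshd_config, reads only the global section, and audits just the settings the thread discusses (PermitRootLogin, password and keyboard-interactive authentication, public-key authentication) against two constructed sample configs.

```shell
#!/bin/sh
# Added example, not from the thread or the DIAL project: audit an sshd_config for
# the settings discussed above (no root login, no password/keyboard-interactive
# auth, key-based auth only). Assumes "Keyword value" lines separated by
# whitespace and reads only the global section (everything before a Match block).

# Effective value of a keyword: sshd honours the FIRST uncommented occurrence.
# $1 = config file, $2 = keyword, $3 = default used when the keyword is absent.
sshd_get() {
    val=$(awk -v key="$2" '
        tolower($1) == "match" { exit }                 # stop at first Match block
        /^[[:space:]]*#/ || NF == 0 { next }             # skip comments and blanks
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1")
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}
# Print each weak setting; return the number of failures (0 = locked down).
# Defaults are upstream OpenSSH defaults (assumption; confirm with "sshd -T").
sshd_audit() {
    cfg=$1; fails=0
    v=$(sshd_get "$cfg" PermitRootLogin prohibit-password)
    [ "$v" = no ] || { echo "FAIL PermitRootLogin=$v (want no)"; fails=$((fails + 1)); }
    v=$(sshd_get "$cfg" PasswordAuthentication yes)
    [ "$v" = no ] || { echo "FAIL PasswordAuthentication=$v (want no)"; fails=$((fails + 1)); }
    # Newer sshd spells it KbdInteractiveAuthentication; older releases (such as the
    # Raspbian of the thread) use ChallengeResponseAuthentication. Check both.
    v=$(sshd_get "$cfg" KbdInteractiveAuthentication "")
    [ -n "$v" ] || v=$(sshd_get "$cfg" ChallengeResponseAuthentication yes)
    [ "$v" = no ] || { echo "FAIL keyboard-interactive auth=$v (want no)"; fails=$((fails + 1)); }
    v=$(sshd_get "$cfg" PubkeyAuthentication yes)
    [ "$v" = yes ] || { echo "FAIL PubkeyAuthentication=$v (want yes)"; fails=$((fails + 1)); }
    return "$fails"
}
# Constructed sample configs (not real node files): one as an image might ship,
# one locked down. The Match block in the first one is deliberately ignored.
WEAK_CFG=$(mktemp); HARDENED_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
# PermitRootLogin no      <- commented out, so it has no effect
PermitRootLogin yes
ChallengeResponseAuthentication yes
Match User pi
    PasswordAuthentication no
EOF
printf '%s\n' 'PermitRootLogin no' 'PasswordAuthentication no' \
    'KbdInteractiveAuthentication no' 'PubkeyAuthentication yes' > "$HARDENED_CFG"
for f in "$WEAK_CFG" "$HARDENED_CFG"; do
    if sshd_audit "$f"; then echo "PASS $f"; else echo "FAIL $f"; fi
done
```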
