[App_rpt-users] New Official Allstar Distribution Released (DIAL)

Leon Zetekoff wa4zlw at arrl.net
Thu Oct 8 22:58:52 UTC 2015


Personally I think there should be a physical firewall appliance. It could be as simple as pfsense. The appliance should be in front of anything you want protected. 

You can get old watchguard hardware for like $50 and put mikrotik routeros on it for additional $45 or pfsense for free.

The X700 or X1000 are easiest. The e series is doable as is the Xtm5 series.

I've got a pile of X700s. They are Celeron 1200 MHz with 256 MB RAM and six 10/100 Ethernet ports. Uses CF flash. Also has an IDE interface. I have two running RouterOS, and friends have pfSense on it and on the XTMs.

Let Asterisk do its thing; let other things do security and other functions.

If interested, hit me off list please.

73 Leon wa4zlw


Sent from my Sprint Phone.

----- Reply message -----
From: "Steve Zingman" <szingman at msgstor.com>
To: "Stacy" <kg7qin at arrl.net>, "Steven Donegan" <donegan at donegan.org>, "David Andrzejewski" <david at davidandrzejewski.com>
Cc: "app_rpt-users at ohnosec.org" <app_rpt-users at ohnosec.org>
Subject: [App_rpt-users] New Official Allstar Distribution Released (DIAL)
Date: Thu, Oct 8, 2015 6:40 PM

Stacy,

You are correct, as is pretty much everyone that has weighed in.

DIAL sets up a node so it can be configured by most users either using Linux tools or tools on other systems (WinSCP).

Before a node is deployed it should be locked down. This is a given.

Right now my plate is full getting versions for other processors. So I'm going to ask the security people in the group to create a lock down or deploy script.

Take the existing DIAL deployment and lock it down. I'll take your work and make sure it fits with the x86 DIAL and the other processors.

I suggest you use the list so others can participate.

73, Steve N4IRS

On 10/08/2015 06:31 PM, Stacy wrote:

https://www.sans.org/critical-security-controls

Follow the link above for a good place to start at securing your systems/networks.

#12 is relevant in this case. :)

-Stacy
KG7QIN

On 10/05/2015 04:15 PM, Steven Donegan wrote:

Let me spin up one of the DIAL setups - may take me a day - then see what is enabled by default and hardening will be 'easy' (no processes/ports active not absolutely required). Adding the CA stuff will be easy as well if desired. Whatever the overall direction is I can do security stuff :-)

Steven Donegan
KK6IVC General Class FCC License
Silver State Car #86
www.sscc.us

From: Steve Zingman <szingman at msgstor.com>
To: Steven Donegan <donegan at donegan.org>; David Andrzejewski <david at davidandrzejewski.com>
Cc: "app_rpt-users at ohnosec.org" <app_rpt-users at ohnosec.org>
Sent: Monday, October 5, 2015 4:04 PM
Subject: Re: [App_rpt-users] New Official Allstar Distribution Released (DIAL)

Sure, I think a hardening script might be in order (and optional).

On 10/05/2015 06:55 PM, Steven Donegan wrote:

BTW - I have a script to make a *NIX box a CA and generate certificates - that could easily be added to the DIAL/Pi/etc releases - let me see if I can scrounge it up :-) Assuming anyone would want that ability and Steve is OK with it :-)

Steven Donegan
KK6IVC General Class FCC License
Silver State Car #86
www.sscc.us

From: David Andrzejewski <david at davidandrzejewski.com>
To: Steven Donegan <donegan at donegan.org>
Cc: Bryan D. Boyle <bdboyle at bdboyle.com>; "app_rpt-users at ohnosec.org" <app_rpt-users at ohnosec.org>
Sent: Monday, October 5, 2015 3:50 PM
Subject: Re: [App_rpt-users] New Official Allstar Distribution Released (DIAL)

Yep - disallowing keyboard-interactive and accepting only certificates. I turn off PermitRootLogin and only allow certificates. Barring some kind of exploit in sshd, that ought to be secure enough.

Steven Donegan wrote:

Using certificates for ssh is yet another method :-)

Steven Donegan
KK6IVC General Class FCC License
Silver State Car #86
www.sscc.us

From: Bryan D. Boyle <bdboyle at bdboyle.com>
To: Steven Donegan <donegan at donegan.org>
Cc: Steve Zingman <szingman at msgstor.com>; "app_rpt-users at ohnosec.org" <app_rpt-users at ohnosec.org>
Sent: Monday, October 5, 2015 2:49 PM
Subject: Re: [App_rpt-users] New Official Allstar Distribution Released (DIAL)

Using a jump box as you describe is one way...not allowing SSH from the outside adds a layer; setting up a secure VDI capability to the jumpbox over a VPN is yet a third way...;).

My rule: if it's exposed to the net, it's potentially vulnerable. Just turn on your SIP port and pop some popcorn to see...;)

--
Bryan

Sent from my iPhone 5...No electrons were harmed in the sending of this message.

On Oct 5, 2015, at 17:39, Steven Donegan <donegan at donegan.org> wrote:

Direct root login being disallowed IF there were no other way to get full root privileges (not the case here) was considered best practice. However, in almost every case there is a user (on Raspbian, user pi) that can simply login, sudo -s and do whatever they want. Yes, it puts up a small hurdle, but I don't see it as a serious one.

In short, there is almost no setup that will allow you to completely lock out root, with the exception of a few well designed appliances. And that means someone is out there doing support to get things resolved. This system is not of that flavor and root is necessary for many things, so frankly adding a hurdle or two really doesn't appreciably make the system more secure.

Require a long pass phrase (say 20 mixed characters or so) and this whole thing is moot...

And BTW - putting sshd on port 222 (or anything except 22) is security by obscurity - many tools can find standard protocols on non-standard ports :-) (I know, I wrote one)

The best bet is to not allow ssh at all. If that is not feasible then do the su or sudo thing and/or set up an intermediate system such that you access a non-privileged account on system A, then ssh to system B, and system B will ONLY accept ssh from system A. Still can be beaten but it is a bit harder...

And BTW - I have done infosec for about 20 years so I am allowed to have an opinion on this topic :-)

Steven Donegan
KK6IVC General Class FCC License
Silver State Car #86
www.sscc.us

From: Steve Zingman <szingman at msgstor.com>
To: "app_rpt-users at ohnosec.org" <app_rpt-users at ohnosec.org>
Sent: Monday, October 5, 2015 2:24 PM
Subject: [App_rpt-users] New Official Allstar Distribution Released (DIAL)

Dave,
Let's say I agree with you. And I well may.
On most internet exposed machines, I don't even allow ssh unless I trust your address or require a VPN.
I agree it is common practice to not allow it.
Now the question is why?

As John McLaughlin would say, DISCUSS!

On 10/05/2015 08:40 AM, Steve Zingman wrote:
> root login via SSH is now allowed

> This is a bad idea.  Root should *never* be allowed to login to a system
> remotely.  It's better to log in as a normal user and then become root
> via su, sudo, etc.

> - Dave

-- 
"Anything is possible if you don't know what you are talking about."
1st Law of Logic

_______________________________________________
App_rpt-users mailing list
App_rpt-users at ohnosec.org
http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users

To unsubscribe from this list please visit http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users and scroll down to the bottom of the page. Enter your email address and press the "Unsubscribe or edit options button"
You do not need a password to unsubscribe, you can do it via email confirmation. If you have trouble unsubscribing, please send a message to the list detailing the problem.

-- 
"Anything is possible if you don't know what you are talking about."
1st Law of Logic

-- 
"Anything is possible if you don't know what you are talking about."
1st Law of Logic
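As an added example (not code from the list thread or from DIAL), a POSIX shell audit of an sshd_config for the settings argued over above: PermitRootLogin, password and keyboard-interactive authentication, key-only login, the non-standard-port point, and pinning logins to the jump box. The OpenSSH keyword names are the real ones; the two sample config files and the management host address 192.0.2.10 are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread or DIAL): audit an sshd_config for the
# settings discussed: root login, password/keyboard-interactive auth, key-only
# login, the non-standard-port point and the jump-box source restriction.

# Effective value of KEYWORD in FILE: first match wins (as in sshd); comments
# and anything after a Match block are skipped; prints DEFAULT if absent.
sshd_get() { # FILE KEYWORD DEFAULT
    awk -v k="$2" -v d="$3" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == "match" { inmatch = 1 }
        !inmatch && !found && tolower($1) == tolower(k) { print $2; found = 1 }
        END { if (!found) print d }' "$1"
}

# Report each weak setting; return 0 only when FILE is hardened. A missing
# keyword counts as weak: defaults differ across OpenSSH versions, so the
# hardened file must set each one explicitly.
sshd_audit() { # FILE
    f=$1; rc=0
    [ "$(sshd_get "$f" PermitRootLogin unset)" = no ] ||
        { echo "WEAK: PermitRootLogin should be no"; rc=1; }
    [ "$(sshd_get "$f" PasswordAuthentication unset)" = no ] ||
        { echo "WEAK: PasswordAuthentication should be no"; rc=1; }
    [ "$(sshd_get "$f" ChallengeResponseAuthentication unset)" = no ] ||
        { echo "WEAK: keyboard-interactive auth should be off"; rc=1; }
    [ "$(sshd_get "$f" PubkeyAuthentication unset)" = yes ] ||
        { echo "WEAK: PubkeyAuthentication should be yes"; rc=1; }
    [ "$(sshd_get "$f" AllowUsers unset)" != unset ] ||
        { echo "WEAK: no AllowUsers pin to a management host"; rc=1; }
    # Moving the port is obscurity, not a control: note it, do not fail on it.
    [ "$(sshd_get "$f" Port 22)" = 22 ] ||
        echo "NOTE: non-standard Port is not a security control"
    return $rc
}

# Constructed samples: a permissive default-style file, and a hardened one that
# also pins logins to one account from the jump box (placeholder 192.0.2.10).
WEAK=$(mktemp); HARDENED=$(mktemp); trap 'rm -f "$WEAK" "$HARDENED"' EXIT
printf '%s\n' 'Port 222' 'PermitRootLogin yes' 'PasswordAuthentication yes' >"$WEAK"
printf '%s\n' 'PermitRootLogin no' 'PasswordAuthentication no' \
    'ChallengeResponseAuthentication no' 'PubkeyAuthentication yes' \
    'AllowUsers admin@192.0.2.10' >"$HARDENED"
sshd_audit "$WEAK" || echo "weak config fails audit"
sshd_audit "$HARDENED" && echo "hardened config passes audit"
```

Run it against the real /etc/ssh/sshd_config with `sshd_audit /etc/ssh/sshd_config` after sourcing the functions; a non-zero exit is the lock-down-script failure condition.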