<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Certificates, two-factor authentication
and something like sshguard set to block on the first three
attempts with a really really long block threshold. <br>
<br>
Stacy<br>
KG7QIN<br>
<br>
On 10/05/2015 02:57 PM, Steven Donegan wrote:<br>
</div>
<blockquote
cite="mid:1561423323.959800.1444082243466.JavaMail.yahoo@mail.yahoo.com"
type="cite">
<div style="color:#000; background-color:#fff;
font-family:HelveticaNeue-Light, Helvetica Neue Light, Helvetica
Neue, Helvetica, Arial, Lucida Grande,
sans-serif;font-size:16px">Using certificates for ssh is yet
another method :-) <br>
<div id="yui_3_16_0_1_1443990021550_67368"><span></span></div>
<div id="yui_3_16_0_1_1443990021550_67369"> </div>
<div id="yui_3_16_0_1_1443990021550_67423" class="signature">Steven
Donegan<br>
KK6IVC General Class FCC License<br>
Silver State Car #86<br>
<a class="moz-txt-link-abbreviated" href="http://www.sscc.us">www.sscc.us</a></div>
<br>
<div id="yui_3_16_0_1_1443990021550_67426" style="font-family:
HelveticaNeue-Light, Helvetica Neue Light, Helvetica Neue,
Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;">
<div id="yui_3_16_0_1_1443990021550_67425" style="font-family:
HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida
Grande, sans-serif; font-size: 16px;">
<div id="yui_3_16_0_1_1443990021550_67424" dir="ltr">
<hr size="1"> <font face="Arial" size="2"> <b><span
style="font-weight:bold;">From:</span></b> Bryan D.
Boyle <a class="moz-txt-link-rfc2396E" href="mailto:bdboyle@bdboyle.com"><bdboyle@bdboyle.com></a><br>
<b><span style="font-weight: bold;">To:</span></b>
Steven Donegan <a class="moz-txt-link-rfc2396E" href="mailto:donegan@donegan.org"><donegan@donegan.org></a> <br>
<b><span style="font-weight: bold;">Cc:</span></b> Steve
Zingman <a class="moz-txt-link-rfc2396E" href="mailto:szingman@msgstor.com"><szingman@msgstor.com></a>;
<a class="moz-txt-link-rfc2396E" href="mailto:app_rpt-users@ohnosec.org">"app_rpt-users@ohnosec.org"</a>
<a class="moz-txt-link-rfc2396E" href="mailto:app_rpt-users@ohnosec.org"><app_rpt-users@ohnosec.org></a> <br>
<b><span style="font-weight: bold;">Sent:</span></b>
Monday, October 5, 2015 2:49 PM<br>
<b><span style="font-weight: bold;">Subject:</span></b>
Re: [App_rpt-users] New Official Allstar Distribution
Released (DIAL)<br>
</font> </div>
<div id="yui_3_16_0_1_1443990021550_67427"
class="y_msg_container"><br>
<div id="yiv8734587087">
<div id="yui_3_16_0_1_1443990021550_67429">
<div id="yui_3_16_0_1_1443990021550_67428">Using a
jump box as you describe is one way...not allowing
SSH from the outside adds a layer; setting up a
secure VDI capability to the jumpbox over a VPN is
yet a third way...;). </div>
<div id="yiv8734587087AppleMailSignature"><br
clear="none">
</div>
<div id="yiv8734587087AppleMailSignature">my rule: if
it's exposed to the net, it's potentially
vulnerable. Just turn on your SIP port and pop some
popcorn to see...;)<br clear="none">
<br clear="none">
--
<div>Bryan</div>
<div>Sent from my iPhone 5.<span
style="font-size:13pt;">..No electrons were
harmed in the sending of this message.</span></div>
<div><br clear="none">
<div><br clear="none">
</div>
</div>
</div>
<div class="qtdSeparateBR"><br>
<br>
</div>
<div class="yiv8734587087yqt0199404845"
id="yiv8734587087yqt51679">
<div><br clear="none">
On Oct 5, 2015, at 17:39, Steven Donegan <<a
moz-do-not-send="true" rel="nofollow"
shape="rect"
ymailto="mailto:donegan@donegan.org"
target="_blank"
href="mailto:donegan@donegan.org">donegan@donegan.org</a>>
wrote:<br clear="none">
<br clear="none">
</div>
<blockquote type="cite">
<div>
<div
style="color:#000;background-color:#fff;font-family:HelveticaNeue-Light,
Helvetica Neue Light, Helvetica Neue,
Helvetica, Arial, Lucida Grande,
sans-serif;font-size:16px;">
<div
id="yiv8734587087yui_3_16_0_1_1443990021550_65382">Direct
root login being disallowed IF there were no
other way to get full root privileges (not
the case here) was considered best practice.
However in almost every case there is a user
(on Raspbian user pi) that can simply login,
sudo -s and do whatever they want. Yes it
puts up a small hurdle but I don't see it as
a serious one.</div>
<div><br clear="none">
</div>
<div
id="yiv8734587087yui_3_16_0_1_1443990021550_65659">In
short, there is almost no setup that will
allow you to completely lock out root with
the exception of a few well designed
appliances. And that means someone is out
there doing support to get things resolved.
This system is not of that flavor and root
is necessary for many things so frankly
adding a hurdle or two really doesn't
appreciably make the system more secure.</div>
<div
id="yiv8734587087yui_3_16_0_1_1443990021550_65660"><br
clear="none">
</div>
<div
id="yiv8734587087yui_3_16_0_1_1443990021550_65661">Require
a long pass phrase (say 20 mixed characters
or so) and this whole thing is moot...</div>
<div
id="yiv8734587087yui_3_16_0_1_1443990021550_65662"><br
clear="none">
</div>
<div
id="yiv8734587087yui_3_16_0_1_1443990021550_65663">And
BTW - putting sshd on port 222 (or anything
except 22) is security by obscurity - many
tools can find standard protocols on
non-standard ports :-) (I know, I wrote one)<br
clear="none">
</div>
<div
id="yiv8734587087yui_3_16_0_1_1443990021550_65683"><br
clear="none">
</div>
<div
id="yiv8734587087yui_3_16_0_1_1443990021550_65684">The
best bet is to not allow ssh at all. If that
is not feasible then do the su or sudo thing
and/or set up an intermediate system such
that you access a non-privileged account on
system A, then ssh to system B and system B
will ONLY accept ssh from system A. Still
can be beaten but it is a bit harder...</div>
<div
id="yiv8734587087yui_3_16_0_1_1443990021550_65685"><br
clear="none">
</div>
<div
id="yiv8734587087yui_3_16_0_1_1443990021550_65686">And
BTW - I have done infosec for about 20 years
so I am allowed to have an opinion on this
topic :-)<br clear="none">
</div>
<div
id="yiv8734587087yui_3_16_0_1_1443990021550_65327"><span></span></div>
<div
id="yiv8734587087yui_3_16_0_1_1443990021550_65326"> </div>
<div class="yiv8734587087signature"
id="yiv8734587087yui_3_16_0_1_1443990021550_65291">Steven
Donegan<br clear="none">
KK6IVC General Class FCC License<br
clear="none">
Silver State Car #86<br clear="none">
<a moz-do-not-send="true" rel="nofollow"
shape="rect" target="_blank"
href="http://www.sscc.us/">www.sscc.us</a></div>
<br clear="none">
<div
id="yiv8734587087yui_3_16_0_1_1443990021550_65306"
style="font-family:HelveticaNeue-Light,
Helvetica Neue Light, Helvetica Neue,
Helvetica, Arial, Lucida Grande,
sans-serif;font-size:16px;">
<div
id="yiv8734587087yui_3_16_0_1_1443990021550_65305"
style="font-family:HelveticaNeue,
Helvetica Neue, Helvetica, Arial, Lucida
Grande, sans-serif;font-size:16px;">
<div dir="ltr"
id="yiv8734587087yui_3_16_0_1_1443990021550_65304">
<hr size="1"> <font face="Arial"
size="2"> <b><span
style="font-weight:bold;">From:</span></b>
Steve Zingman <<a
moz-do-not-send="true"
rel="nofollow" shape="rect"
ymailto="mailto:szingman@msgstor.com"
target="_blank"
href="mailto:szingman@msgstor.com">szingman@msgstor.com</a>><br
clear="none">
<b><span style="font-weight:bold;">To:</span></b>
"<a moz-do-not-send="true"
rel="nofollow" shape="rect"
ymailto="mailto:app_rpt-users@ohnosec.org"
target="_blank"
href="mailto:app_rpt-users@ohnosec.org">app_rpt-users@ohnosec.org</a>"
<<a moz-do-not-send="true"
rel="nofollow" shape="rect"
ymailto="mailto:app_rpt-users@ohnosec.org"
target="_blank"
href="mailto:app_rpt-users@ohnosec.org">app_rpt-users@ohnosec.org</a>>
<br clear="none">
<b><span style="font-weight:bold;">Sent:</span></b>
Monday, October 5, 2015 2:24 PM<br
clear="none">
<b><span style="font-weight:bold;">Subject:</span></b>
[App_rpt-users] New Official Allstar
Distribution Released (DIAL)<br
clear="none">
</font> </div>
<div class="yiv8734587087y_msg_container"><br
clear="none">
<div id="yiv8734587087">
<div> </div>
<div>
<pre style="white-space:pre-wrap;color:rgb(0, 0, 0);font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-indent:0px;text-transform:none;widows:1;word-spacing:0px;">Dave,
Let's say I agree with you. And I well may.
On most internet exposed machines, I don't even allow ssh unless I trust your address or require a VPN.
I agree it is common practice to not allow it.
Now the question is why?
As John McLaughlin would say, DISCUSS!
On 10/05/2015 08:40 AM, Steve Zingman wrote:
><i> root login via SSH is now allowed
</i>
> This is a bad idea. Root should *never* be allowed to login to a system
> remotely. It's better to log in as a normal user and then become root
> via su, sudo, etc.
> - Dave
</pre>
<br clear="none">
<pre class="yiv8734587087moz-signature">--
"Anything is possible if you don't know what you are talking about."
1st Law of Logic</pre>
<div
class="yiv8734587087qtdSeparateBR"><br
clear="none">
<br clear="none">
</div>
<div
class="yiv8734587087yqt8052708876"
id="yiv8734587087yqtfd88066"> </div>
</div>
</div>
<br clear="none">
<div class="yiv8734587087yqt8052708876"
id="yiv8734587087yqtfd80175">_______________________________________________<br
clear="none">
App_rpt-users mailing list<br
clear="none">
<a moz-do-not-send="true"
rel="nofollow" shape="rect"
ymailto="mailto:App_rpt-users@ohnosec.org"
target="_blank"
href="mailto:App_rpt-users@ohnosec.org">App_rpt-users@ohnosec.org</a><br
clear="none">
<a moz-do-not-send="true"
rel="nofollow" shape="rect"
target="_blank"
href="http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users">http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users</a><br
clear="none">
<br clear="none">
To unsubscribe from this list please
visit <a moz-do-not-send="true"
rel="nofollow" shape="rect"
target="_blank"
href="http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users">http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users
</a>and scroll down to the bottom of
the page. Enter your email address and
press the "Unsubscribe or edit options
button"<br clear="none">
You do not need a password to
unsubscribe, you can do it via email
confirmation. If you have trouble
unsubscribing, please send a message
to the list detailing the problem. </div>
<br clear="none">
<br clear="none">
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
<br>
<br>
</div>
</div>
</div>
</div>
<br>
</blockquote>
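<p>The thread argues over a handful of sshd_config decisions: whether root may log in directly, whether password login is replaced by keys or certificates, how many tries a connection gets, whether system B accepts ssh only from the jump host (system A), and whether a non-standard port is a control at all. The following audit script is an added example written for this page, not code from the list, from the DIAL distribution or from any poster; the two sshd_config samples are constructed, the jump host address 10.0.0.5 is made up, and the finding identifiers are this script's own naming.</p>

```python
"""Audit an sshd_config against the hardening points argued in the thread.

Added example for this page; not code from the list or from DIAL.  The
sample configs below are constructed, and 10.0.0.5 is a made-up jump host.
"""

SAMPLE_WEAK = """\
# constructed sample, not a real host
Port 222
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
MaxAuthTries 6
Match User pi
    PasswordAuthentication no
"""

SAMPLE_HARDENED = """\
# constructed sample, not a real host
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
AllowUsers *@10.0.0.5
"""


def parse_sshd_config(text):
    """Split sshd_config into global settings and a list of Match blocks.

    Keywords are case-insensitive, so keys are lower-cased.  As in sshd,
    the first occurrence of a keyword in a scope wins; later ones are ignored.
    Settings inside a Match block never change the global default.
    """
    global_settings, match_blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = {}
            match_blocks.append((value, current))  # e.g. ("User pi", {...})
            continue
        (current if current is not None else global_settings).setdefault(key, value)
    return global_settings, match_blocks


def only_from(settings, jump_host):
    """True when every AllowUsers pattern is pinned to jump_host (USER@HOST form),
    so sshd itself refuses logins that did not come through the jump host.
    A packet filter on this host should enforce the same thing independently."""
    patterns = settings.get("allowusers", "").split()
    return bool(patterns) and all(p.endswith("@" + jump_host) for p in patterns)


def audit(text, jump_host=None, max_tries=3):
    """Return finding identifiers (this script's own names); empty means all checks passed."""
    g, _matches = parse_sshd_config(text)
    findings = []

    root = g.get("permitrootlogin", "").lower()
    if root == "yes":
        findings.append("root-login-allowed")          # log in as a user, then su/sudo
    elif root == "":
        findings.append("root-login-unset")            # default varies by OpenSSH version; set it

    # OpenSSH defaults to password authentication on; keys/certificates were the alternative raised.
    if g.get("passwordauthentication", "yes").lower() == "yes":
        findings.append("password-auth-enabled")

    # MaxAuthTries (default 6) limits one connection only; blocking a source across
    # connections is what sshguard/fail2ban add on top.
    if int(g.get("maxauthtries", "6")) > max_tries:
        findings.append("maxauthtries-high")

    # Informational: a non-22 port hides nothing from a protocol-aware scanner.
    if g.get("port", "22") != "22":
        findings.append("nonstandard-port-is-not-a-control")

    if jump_host is not None and not only_from(g, jump_host):
        findings.append("no-source-restriction")

    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(name, audit(cfg, jump_host="10.0.0.5") or "no findings")
```

<p>Run it against a real file with <code>audit(open("/etc/ssh/sshd_config").read(), jump_host="A")</code>; note that the weak sample's <code>Match User pi</code> block turns passwords off for one account only, which is why the global <code>PasswordAuthentication yes</code> is still reported.</p>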
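<p>Stacy's suggestion of sshguard "set to block on the first three attempts with a really really long block threshold" is a per-source failure counter over the authentication log. The code below is an added example written for this page (not sshguard's code, and not from any poster) that runs that logic over constructed auth.log lines; the addresses, host name and user names in the sample are made up, and the allow-list parameter is this example's own addition so the jump host from the thread is never locked out by a typo.</p>

```python
"""Threshold blocking of SSH password failures, in the spirit of sshguard/fail2ban.

Added example for this page; not sshguard's implementation.  The log lines are
constructed in OpenSSH/syslog format with made-up addresses and names.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_AUTH_LOG = """\
Oct  5 14:20:01 node sshd[1201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Oct  5 14:20:03 node sshd[1201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Oct  5 14:20:04 node sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Oct  5 14:20:09 node sshd[1205]: Failed password for invalid user test from 203.0.113.7 port 51040 ssh2
Oct  5 14:21:00 node sshd[1210]: Accepted publickey for pi from 10.0.0.5 port 40000 ssh2: ED25519 SHA256:constructed
Oct  5 14:25:00 node sshd[1222]: Failed password for pi from 10.0.0.5 port 40010 ssh2
"""

# syslog timestamp, host, sshd[pid], then OpenSSH's failure message
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_ts(ts, year=2015):
    """syslog stamps carry no year; the caller supplies it (2015 for the thread)."""
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")


def find_blocks(log_text, threshold=3, window=timedelta(minutes=10),
                block_for=timedelta(days=365), allowlist=frozenset()):
    """Return {source_ip: (blocked_at, blocked_until)}.

    A source is blocked the moment it reaches `threshold` failures inside
    `window`.  `block_for` is the 'really long block threshold' from the
    thread applied on the first offence (sshguard escalates; this does not).
    Sources in `allowlist` (e.g. the jump host) are counted but never blocked.
    """
    failures = defaultdict(list)
    blocks = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue                      # successes and other daemons are ignored
        ts, ip = parse_ts(m["ts"]), m["ip"]
        if ip in blocks:
            continue                      # the firewall would have dropped this already
        failures[ip] = [t for t in failures[ip] if ts - t <= window] + [ts]
        if len(failures[ip]) >= threshold and ip not in allowlist:
            blocks[ip] = (ts, ts + block_for)
    return blocks


def failure_counts(log_text):
    """Per-source failure totals, useful to review what the threshold would catch."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            counts[m["ip"]] += 1
    return dict(counts)


if __name__ == "__main__":
    print(failure_counts(SAMPLE_AUTH_LOG))
    for ip, (start, until) in find_blocks(SAMPLE_AUTH_LOG).items():
        print(f"block {ip} from {start} until {until}")
```

<p>With the defaults, 203.0.113.7 is blocked at its third failure (14:20:04) and the single failure from 10.0.0.5 is only counted. The decision here is the detection half; feeding the result into the host's packet filter, as sshguard does, is the part this example leaves to the operator.</p>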
<br>
</body>
</html>