<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Let's remember that root access is only enabled by default, and once
you have your node configured, disable root access. Other
RoIP/VoIP systems recommend this.<br>
<br>
I agree it's a good idea not to expose the servers to the throbbing
viruses waiting to attack us outside our routers. <br>
<br>
But let's not make it so locked down that we non-Linux gurus can't get
in.<br>
<br>
And if you do, please make a how-to for us lesser types so we can
continue to enjoy our Allstar nodes! <br>
<br>
Thanks for the efforts! <br>
<br>
Jon VA3RQ<br>
<br>
On 10/5/2015 7:04 PM, Steve Zingman wrote:
<blockquote cite="mid:5613021B.9000709@msgstor.com" type="cite">
Sure,<br>
I think a hardening script might be in order (and optional).<br>
<br>
<div class="moz-cite-prefix">On 10/05/2015 06:55 PM, Steven
Donegan wrote:<br>
</div>
<blockquote
cite="mid:1932068682.965209.1444085729364.JavaMail.yahoo@mail.yahoo.com"
type="cite">
<div style="color:#000; background-color:#fff;
font-family:HelveticaNeue-Light, Helvetica Neue Light,
Helvetica Neue, Helvetica, Arial, Lucida Grande,
sans-serif;font-size:16px">BTW - I have a script to make a
*NIX box a CA and generate certificates - that could easily be
added to the DIAL/Pi/etc releases - let me see if I can
scrounge it up :-) Assuming anyone would want that ability and
Steve is OK with it :-)<br>
<div id="yui_3_16_0_1_1443990021550_80415"><span></span></div>
<div id="yui_3_16_0_1_1443990021550_80416"> </div>
<div id="yui_3_16_0_1_1443990021550_80482" class="signature">Steven
Donegan<br>
KK6IVC General Class FCC License<br>
Silver State Car #86<br>
<a moz-do-not-send="true" class="moz-txt-link-abbreviated"
href="http://www.sscc.us">www.sscc.us</a></div>
<br>
<div id="yui_3_16_0_1_1443990021550_80485" style="font-family:
HelveticaNeue-Light, Helvetica Neue Light, Helvetica Neue,
Helvetica, Arial, Lucida Grande, sans-serif; font-size:
16px;">
<div id="yui_3_16_0_1_1443990021550_80484"
style="font-family: HelveticaNeue, Helvetica Neue,
Helvetica, Arial, Lucida Grande, sans-serif; font-size:
16px;">
<div id="yui_3_16_0_1_1443990021550_80483" dir="ltr">
<hr id="yui_3_16_0_1_1443990021550_80529" size="1"> <font
id="yui_3_16_0_1_1443990021550_80486" face="Arial"
size="2"> <b><span style="font-weight:bold;">From:</span></b>
David Andrzejewski <a moz-do-not-send="true"
class="moz-txt-link-rfc2396E"
href="mailto:david@davidandrzejewski.com"><david@davidandrzejewski.com></a><br>
<b><span style="font-weight: bold;">To:</span></b>
Steven Donegan <a moz-do-not-send="true"
class="moz-txt-link-rfc2396E"
href="mailto:donegan@donegan.org"><donegan@donegan.org></a>
<br>
<b><span style="font-weight: bold;">Cc:</span></b>
Bryan D. Boyle <a moz-do-not-send="true"
class="moz-txt-link-rfc2396E"
href="mailto:bdboyle@bdboyle.com"><bdboyle@bdboyle.com></a>;
<a moz-do-not-send="true"
class="moz-txt-link-rfc2396E"
href="mailto:app_rpt-users@ohnosec.org">"app_rpt-users@ohnosec.org"</a>
<a moz-do-not-send="true"
class="moz-txt-link-rfc2396E"
href="mailto:app_rpt-users@ohnosec.org"><app_rpt-users@ohnosec.org></a>
<br>
<b><span style="font-weight: bold;">Sent:</span></b>
Monday, October 5, 2015 3:50 PM<br>
<b id="yui_3_16_0_1_1443990021550_80488"><span
id="yui_3_16_0_1_1443990021550_80487"
style="font-weight: bold;">Subject:</span></b> Re:
[App_rpt-users] New Official Allstar Distribution
Released (DIAL)<br>
</font> </div>
<div id="yui_3_16_0_1_1443990021550_80489"
class="y_msg_container"><br>
<div id="yiv0251227674">
<div id="yui_3_16_0_1_1443990021550_80490">Yep -
disallowing keyboard-interactive and accepting only
certificates. I turn off PermitRootLogin and only
allow certificates. Barring some kind of exploit in
sshd, that ought to be secure enough.<br
clear="none">
<br clear="none">
<span>Steven Donegan wrote:</span><br clear="none">
<blockquote type="cite">
<div class="qtdSeparateBR"><br>
<br>
</div>
<div class="yiv0251227674yqt4126216668"
id="yiv0251227674yqt02654">
<div
style="color:#000;background-color:#fff;font-family:HelveticaNeue-Light,
Helvetica Neue Light, Helvetica Neue,
Helvetica, Arial, Lucida Grande,
sans-serif;font-size:16px;">Using certificates
for ssh is yet another method :-) <br
clear="none">
<div
id="yiv0251227674yui_3_16_0_1_1443990021550_67368"><span></span></div>
<div
id="yiv0251227674yui_3_16_0_1_1443990021550_67369"> </div>
<div class="yiv0251227674signature"
id="yiv0251227674yui_3_16_0_1_1443990021550_67423">Steven
Donegan<br clear="none">
KK6IVC General Class FCC License<br
clear="none">
Silver State Car #86<br clear="none">
<a moz-do-not-send="true" rel="nofollow"
shape="rect"
class="yiv0251227674moz-txt-link-abbreviated"
target="_blank" href="http://www.sscc.us/">www.sscc.us</a></div>
<br clear="none">
<div
id="yiv0251227674yui_3_16_0_1_1443990021550_67426"
style="font-family:HelveticaNeue-Light,
Helvetica Neue Light, Helvetica Neue,
Helvetica, Arial, Lucida Grande,
sans-serif;font-size:16px;">
<div
id="yiv0251227674yui_3_16_0_1_1443990021550_67425"
style="font-family:HelveticaNeue,
Helvetica Neue, Helvetica, Arial, Lucida
Grande, sans-serif;font-size:16px;">
<div dir="ltr"
id="yiv0251227674yui_3_16_0_1_1443990021550_67424">
<hr size="1"> <font face="Arial"
size="2"> <b><span
style="font-weight:bold;">From:</span></b>
Bryan D. Boyle <a
moz-do-not-send="true"
class="moz-txt-link-rfc2396E"
href="mailto:bdboyle@bdboyle.com"><bdboyle@bdboyle.com></a><br
clear="none">
<b><span style="font-weight:bold;">To:</span></b>
Steven Donegan <a
moz-do-not-send="true"
class="moz-txt-link-rfc2396E"
href="mailto:donegan@donegan.org"><donegan@donegan.org></a>
<br clear="none">
<b><span style="font-weight:bold;">Cc:</span></b>
Steve Zingman <a
moz-do-not-send="true"
rel="nofollow" shape="rect"
class="yiv0251227674moz-txt-link-rfc2396E"
ymailto="mailto:szingman@msgstor.com" target="_blank"
href="mailto:szingman@msgstor.com"><szingman@msgstor.com></a>;
<a moz-do-not-send="true"
rel="nofollow" shape="rect"
class="yiv0251227674moz-txt-link-rfc2396E"
ymailto="mailto:app_rpt-users@ohnosec.org" target="_blank"
href="mailto:app_rpt-users@ohnosec.org">"app_rpt-users@ohnosec.org"</a>
<a moz-do-not-send="true"
rel="nofollow" shape="rect"
class="yiv0251227674moz-txt-link-rfc2396E"
ymailto="mailto:app_rpt-users@ohnosec.org" target="_blank"
href="mailto:app_rpt-users@ohnosec.org"><app_rpt-users@ohnosec.org></a>
<br clear="none">
<b><span style="font-weight:bold;">Sent:</span></b>
Monday, October 5, 2015 2:49 PM<br
clear="none">
<b><span style="font-weight:bold;">Subject:</span></b>
Re: [App_rpt-users] New Official
Allstar Distribution Released (DIAL)<br
clear="none">
</font> </div>
<div class="yiv0251227674y_msg_container"
id="yiv0251227674yui_3_16_0_1_1443990021550_67427"><br clear="none">
<div id="yiv0251227674">
<div
id="yiv0251227674yui_3_16_0_1_1443990021550_67429">
<div
id="yiv0251227674yui_3_16_0_1_1443990021550_67428">Using
a jump box as you describe is one
way... not allowing SSH from the
outside adds a layer; setting up a
secure VDI capability to the
jump box over a VPN is yet a third
way... ;). </div>
<div
id="yiv0251227674AppleMailSignature"><br
clear="none">
</div>
<div
id="yiv0251227674AppleMailSignature">My
rule: if it's exposed to the net,
it's potentially vulnerable. Just
turn on your SIP port and pop some
popcorn to see... ;)<br
clear="none">
<br clear="none">
--
<div>Bryan</div>
<div>Sent from my iPhone 5.<span
style="font-size:13pt;">..No
electrons were harmed in the
sending of this message.</span></div>
<div><br clear="none">
<div><br clear="none">
</div>
</div>
</div>
<div
class="yiv0251227674qtdSeparateBR"><br
clear="none">
<br clear="none">
</div>
<div
class="yiv0251227674yqt0199404845"
id="yiv0251227674yqt51679">
<div><br clear="none">
On Oct 5, 2015, at 17:39, Steven
Donegan <<a
moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:donegan@donegan.org">donegan@donegan.org</a>> wrote:<br
clear="none">
<br clear="none">
</div>
<blockquote type="cite">
<div>
<div
style="color:#000;background-color:#fff;font-family:HelveticaNeue-Light,
Helvetica Neue Light,
Helvetica Neue, Helvetica,
Arial, Lucida Grande,
sans-serif;font-size:16px;">
<div
id="yiv0251227674yui_3_16_0_1_1443990021550_65382">Direct
root login being
disallowed IF there were
no other way to get full
root privileges (not the
case here) was considered
best practice. However, in
almost every case there is
a user (on Raspbian, user
pi) that can simply log in,
sudo -s, and do whatever
they want. Yes, it puts up
a small hurdle, but I don't
see it as a serious one.</div>
<div><br clear="none">
</div>
<div
id="yiv0251227674yui_3_16_0_1_1443990021550_65659">In
short, there is almost no
setup that will allow you
to completely lock out
root, with the exception of
a few well-designed
appliances. And that means
someone is out there doing
support to get things
resolved. This system is
not of that flavor, and
root is necessary for many
things, so frankly adding a
hurdle or two really
doesn't appreciably make
the system more secure.</div>
<div
id="yiv0251227674yui_3_16_0_1_1443990021550_65660"><br
clear="none">
</div>
<div
id="yiv0251227674yui_3_16_0_1_1443990021550_65661">Require
a long pass phrase (say 20
mixed characters or so)
and this whole thing is
moot...</div>
<div
id="yiv0251227674yui_3_16_0_1_1443990021550_65662"><br
clear="none">
</div>
<div
id="yiv0251227674yui_3_16_0_1_1443990021550_65663">And
BTW - putting sshd on port
222 (or anything except
22) is security by
obscurity - many tools can
find standard protocols on
non-standard ports :-) (I
know, I wrote one)<br
clear="none">
</div>
<div
id="yiv0251227674yui_3_16_0_1_1443990021550_65683"><br
clear="none">
</div>
<div
id="yiv0251227674yui_3_16_0_1_1443990021550_65684">The
best bet is to not allow
ssh at all. If that is not
feasible, then do the su or
sudo thing and/or set up
an intermediate system
such that you access a
non-privileged account on
system A, then ssh to
system B, and system B will
ONLY accept ssh from
system A. It can still be
beaten, but it is a bit
harder...</div>
<div
id="yiv0251227674yui_3_16_0_1_1443990021550_65685"><br
clear="none">
</div>
<div
id="yiv0251227674yui_3_16_0_1_1443990021550_65686">And
BTW - I have done infosec
for about 20 years so I am
allowed to have an opinion
on this topic :-)<br
clear="none">
</div>
<div
id="yiv0251227674yui_3_16_0_1_1443990021550_65327"><span></span></div>
<div
id="yiv0251227674yui_3_16_0_1_1443990021550_65326"> </div>
<div
class="yiv0251227674signature"
id="yiv0251227674yui_3_16_0_1_1443990021550_65291">Steven Donegan<br
clear="none">
KK6IVC General Class FCC
License<br clear="none">
Silver State Car #86<br
clear="none">
<a moz-do-not-send="true"
rel="nofollow"
shape="rect"
target="_blank"
href="http://www.sscc.us/">www.sscc.us</a></div>
<br clear="none">
<div
id="yiv0251227674yui_3_16_0_1_1443990021550_65306"
style="font-family:HelveticaNeue-Light,
Helvetica Neue Light,
Helvetica Neue, Helvetica,
Arial, Lucida Grande,
sans-serif;font-size:16px;">
<div
id="yiv0251227674yui_3_16_0_1_1443990021550_65305"
style="font-family:HelveticaNeue,
Helvetica Neue,
Helvetica, Arial, Lucida
Grande,
sans-serif;font-size:16px;">
<div dir="ltr"
id="yiv0251227674yui_3_16_0_1_1443990021550_65304">
<hr size="1"> <font
face="Arial"
size="2"> <b><span
style="font-weight:bold;">From:</span></b> Steve Zingman <<a
moz-do-not-send="true"
class="moz-txt-link-abbreviated" href="mailto:szingman@msgstor.com">szingman@msgstor.com</a>><br
clear="none">
<b><span
style="font-weight:bold;">To:</span></b>
"<a
moz-do-not-send="true"
class="moz-txt-link-abbreviated" href="mailto:app_rpt-users@ohnosec.org">app_rpt-users@ohnosec.org</a>"
<<a
moz-do-not-send="true"
class="moz-txt-link-abbreviated" href="mailto:app_rpt-users@ohnosec.org">app_rpt-users@ohnosec.org</a>>
<br clear="none">
<b><span
style="font-weight:bold;">Sent:</span></b>
Monday, October 5,
2015 2:24 PM<br
clear="none">
<b><span
style="font-weight:bold;">Subject:</span></b>
[App_rpt-users] New
Official Allstar
Distribution
Released (DIAL)<br
clear="none">
</font> </div>
<div
class="yiv0251227674y_msg_container"><br
clear="none">
<div
id="yiv0251227674">
<div> </div>
<div>
<pre style="white-space:pre-wrap;color:rgb(0, 0, 0);font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-indent:0px;text-transform:none;widows:1;word-spacing:0px;">Dave,
Let's say I agree with you. And I well may.
On most internet-exposed machines, I don't even allow ssh unless I trust your address or require a VPN.
I agree it is common practice to not allow it.
Now the question is why?
As John McLaughlin would say, DISCUSS!
On 10/05/2015 08:40 AM, Steve Zingman wrote:
><i> root login via SSH is now allowed
</i>
> This is a bad idea. Root should *never* be allowed to login to a system
> remotely. It's better to log in as a normal user and then become root
> via su, sudo, etc.
> - Dave
</pre>
<br clear="none">
<pre class="yiv0251227674moz-signature">--
"Anything is possible if you don't know what you are talking about."
1st Law of Logic</pre>
<div
class="yiv0251227674qtdSeparateBR"><br
clear="none">
<br clear="none">
</div>
<div
class="yiv0251227674yqt8052708876"
id="yiv0251227674yqtfd88066"> </div>
</div>
</div>
<br clear="none">
<div
class="yiv0251227674yqt8052708876"
id="yiv0251227674yqtfd80175">_______________________________________________<br
clear="none">
App_rpt-users
mailing list<br
clear="none">
<a
moz-do-not-send="true"
class="moz-txt-link-abbreviated" href="mailto:App_rpt-users@ohnosec.org">App_rpt-users@ohnosec.org</a><br
clear="none">
<a
moz-do-not-send="true"
class="moz-txt-link-freetext"
href="http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users">http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users</a><br
clear="none">
<br clear="none">
To unsubscribe from
this list please
visit <a
moz-do-not-send="true"
class="moz-txt-link-freetext"
href="http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users">http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users</a>
and scroll down to
the bottom of the
page. Enter your
email address and
press the
"Unsubscribe or edit
options button"<br
clear="none">
You do not need a
password to
unsubscribe, you can
do it via email
confirmation. If you
have trouble
unsubscribing,
please send a
message to the list
detailing the
problem. </div>
<br clear="none">
<br clear="none">
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
<br clear="none">
<br clear="none">
</div>
</div>
</div>
</div>
</div>
</blockquote>
<br clear="none">
</div>
</div>
<br>
<br>
</div>
</div>
</div>
</div>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
"Anything is possible if you don't know what you are talking about."
1st Law of Logic</pre>
</blockquote>
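An added example, not code from the thread or from the DIAL project, for the points David (turn off PermitRootLogin, disallow keyboard-interactive, keys only) and Steven Donegan (system B accepts ssh only from an unprivileged account on system A) make above: a POSIX shell audit of an sshd_config. It also shows the rule that sshd keeps the first value it reads for a keyword, so a hardened line appended to the bottom of the file does nothing if the stock line above it says yes. The two sample configs are constructed; the user name pi and the jump-host address 192.0.2.10 are placeholders for the node's account and system A.<br>

```shell
#!/bin/sh
# Added example (not from the thread or the DIAL distribution): audit an
# sshd_config for the settings argued about on the list. Assumptions: the
# user "pi" and jump-host address 192.0.2.10 are placeholders; both sample
# configs below are constructed for the demo.
set -eu

# Effective global value of a keyword. sshd uses the FIRST value it reads
# for a keyword, so later duplicates are ignored. Directives after a
# "Match" line are conditional, so parsing stops there. Output is
# lower-cased; an absent keyword prints nothing.
sshd_effective() {  # $1 = config file, $2 = keyword (case-insensitive)
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ { next }
        NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { print tolower($2); exit }
    ' "$1"
}

# One line per weak setting; exit status 0 only when root login, password
# login and keyboard-interactive login are all off and key login is still
# possible. Absent keywords are judged by the permissive OpenSSH defaults.
sshd_audit() {  # $1 = config file
    f=$1; bad=0
    root=$(sshd_effective "$f" PermitRootLogin)
    pw=$(sshd_effective "$f" PasswordAuthentication)
    kbd=$(sshd_effective "$f" ChallengeResponseAuthentication)
    pub=$(sshd_effective "$f" PubkeyAuthentication)
    [ "${root:-yes}" = no ] || { echo "WEAK: PermitRootLogin ${root:-unset}; set 'PermitRootLogin no'"; bad=1; }
    [ "${pw:-yes}" = no ]   || { echo "WEAK: PasswordAuthentication ${pw:-unset}; set 'PasswordAuthentication no'"; bad=1; }
    [ "${kbd:-yes}" = no ]  || { echo "WEAK: ChallengeResponseAuthentication ${kbd:-unset}; keyboard-interactive is still open"; bad=1; }
    [ "${pub:-yes}" = yes ] || { echo "BROKEN: PubkeyAuthentication no leaves no way to log in at all"; bad=1; }
    return $bad
}

# Constructed: roughly what the stock image under discussion ships with.
# The trailing "PermitRootLogin no" is the common mistake: it is ignored.
weak_config() {
    cat <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
# appended later by a well-meaning admin; first value wins, so no effect
PermitRootLogin no
EOF
}

# Constructed hardened version: key-only, no root, and only the
# unprivileged account, only from the jump host (system A in the thread).
hardened_config() {
    cat <<'EOF'
Port 22
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AllowUsers pi@192.0.2.10
MaxAuthTries 3
LoginGraceTime 30
EOF
}

# Stand-alone demo: audit both constructed files.
tmp=$(mktemp -d)
weak_config > "$tmp/weak"
hardened_config > "$tmp/hardened"
for cfg in weak hardened; do
    if sshd_audit "$tmp/$cfg"; then echo "$cfg: OK"; else echo "$cfg: FAILED"; fi
done
rm -rf "$tmp"
```

Run it with sh; the constructed default gets three WEAK lines and the hardened file gets OK. On a live node the value to check is what sshd actually applies, which `sshd -T` prints with defaults and Match blocks resolved. AllowUsers pi@192.0.2.10 only restricts at sshd; the firewall rule that drops port 22 from anywhere except system A is the separate layer Bryan describes, and Steven Donegan's point stands that moving the port instead of doing this is obscurity, not hardening.<br>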
</body>
</html>