<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Same difference. :)<br>
<br>
<br>
On 10/05/2015 07:30 PM, Loren Tedford wrote:<br>
</div>
<blockquote
cite="mid:CAK=eTygi2uR8RarcFurDi1B0rJsofAf+zgYbMT-5_5TGesSBLg@mail.gmail.com"
type="cite">
<div dir="ltr">Personally I use Fail2ban
<div><br>
</div>
</div>
<div class="gmail_extra"><br clear="all">
<div>
<div class="gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div style="font-family:arial;font-size:small">Loren
Tedford (KC9ZHV) <br>
Email: <a moz-do-not-send="true"
href="mailto:lorentedford@gmail.com"
style="color:rgb(17,85,204)" target="_blank">lorentedford@gmail.com</a></div>
<div style="font-family:arial;font-size:small">Main
Line:1-631-686-8878 Option 1 for Loren.</div>
<div style="font-family:arial;font-size:small">Fax
Line 1:1-618-551-2755</div>
<div style="font-family:arial;font-size:small">Fax
Line 2:1-631-686-8892 (New Fax line)</div>
<div><font face="arial" size="2">Cell:
618-553-0806</font><br>
</div>
<div style="font-family:arial;font-size:small"><a moz-do-not-send="true" href="http://www.lorentedford.com/" style="color:rgb(17,85,204)" target="_blank">http://www.lorentedford.com</a></div>
<div style="font-family:arial;font-size:small"><a moz-do-not-send="true" href="http://www.kc9zhv.com" target="_blank">http://www.kc9zhv.com</a></div>
<div style="font-family:arial;font-size:small"><a moz-do-not-send="true" href="http://hub.kc9zhv.com" target="_blank">http://hub.kc9zhv.com</a></div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
<div class="gmail_quote">On Mon, Oct 5, 2015 at 9:06 PM, Stacy <span
dir="ltr"><<a moz-do-not-send="true"
href="mailto:kg7qin@arrl.net" target="_blank">kg7qin@arrl.net</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>Certificates, two-factor authentication and something
like ssh-guard set to block on the first three attempts
with a really really long block threshold. <br>
<span class="HOEnZb"><font color="#888888"> <br>
Stacy<br>
KG7QIN</font></span>
<div>
<div class="h5"><br>
<br>
On 10/05/2015 02:57 PM, Steven Donegan wrote:<br>
</div>
</div>
</div>
<div>
<div class="h5">
<blockquote type="cite">
<div
style="color:#000;background-color:#fff;font-family:HelveticaNeue-Light,Helvetica
Neue Light,Helvetica Neue,Helvetica,Arial,Lucida
Grande,sans-serif;font-size:16px">Using
certificates for ssh is yet another method :-) <br>
<div><span></span></div>
<div> </div>
<div>Steven Donegan<br>
KK6IVC General Class FCC License<br>
Silver State Car #86<br>
<a moz-do-not-send="true"
href="http://www.sscc.us" target="_blank">www.sscc.us</a></div>
<br>
<div
style="font-family:HelveticaNeue-Light,Helvetica
Neue Light,Helvetica Neue,Helvetica,Arial,Lucida
Grande,sans-serif;font-size:16px">
<div style="font-family:HelveticaNeue,Helvetica
Neue,Helvetica,Arial,Lucida
Grande,sans-serif;font-size:16px">
<div dir="ltr">
<hr size="1"> <font face="Arial" size="2">
<b><span style="font-weight:bold">From:</span></b>
Bryan D. Boyle <a moz-do-not-send="true"
href="mailto:bdboyle@bdboyle.com"
target="_blank"><bdboyle@bdboyle.com></a><br>
<b><span style="font-weight:bold">To:</span></b>
Steven Donegan <a moz-do-not-send="true"
href="mailto:donegan@donegan.org"
target="_blank"><donegan@donegan.org></a>
<br>
<b><span style="font-weight:bold">Cc:</span></b>
Steve Zingman <a moz-do-not-send="true"
href="mailto:szingman@msgstor.com"
target="_blank"><szingman@msgstor.com></a>;
<a moz-do-not-send="true"
href="mailto:app_rpt-users@ohnosec.org"
target="_blank">"app_rpt-users@ohnosec.org"</a>
<a moz-do-not-send="true"
href="mailto:app_rpt-users@ohnosec.org"
target="_blank"><app_rpt-users@ohnosec.org></a>
<br>
<b><span style="font-weight:bold">Sent:</span></b>
Monday, October 5, 2015 2:49 PM<br>
<b><span style="font-weight:bold">Subject:</span></b>
Re: [App_rpt-users] New Official Allstar
Distribution Released (DIAL)<br>
</font> </div>
<div><br>
<div>
<div>
<div>Using a jump box as you describe is
one way...not allowing SSH from the
outside adds a layer; setting up a
secure VDI capability to the jumpbox
over a vpn is yet a third way...;). </div>
<div><br clear="none">
</div>
<div>my rule: if it's exposed to the
net, it's potentially vulnerable.
Just turn on your SIP port and pop
some popcorn to see...;)<br
clear="none">
<br clear="none">
--
<div>Bryan</div>
<div>Sent from my iPhone 5.<span
style="font-size:13pt">..No
electrons were harmed in the
sending of this message.</span></div>
<div><br clear="none">
<div><br clear="none">
</div>
</div>
</div>
<div><br>
<br>
</div>
<div>
<div><br clear="none">
On Oct 5, 2015, at 17:39, Steven
Donegan <<a moz-do-not-send="true" href="mailto:donegan@donegan.org" target="_blank">donegan@donegan.org</a>>
wrote:<br clear="none">
<br clear="none">
</div>
<blockquote type="cite">
<div>
<div
style="color:#000;background-color:#fff;font-family:HelveticaNeue-Light,Helvetica
Neue Light,Helvetica
Neue,Helvetica,Arial,Lucida
Grande,sans-serif;font-size:16px">
<div>Direct root login being
disallowed IF there were no
other way to get full root
privileges (not the case here)
was considered best practice.
However in almost every case
there is a user (on Raspbian
user pi) that can simply
login, sudo -s and do whatever
they want. Yes it puts up a
small hurdle but I don't see
it as a serious one.</div>
<div><br clear="none">
</div>
<div>In short, there is almost
no setup that will allow you
to completely lock out root
with the exception of a few
well designed appliances. And
that means someone is out
there doing support to get
things resolved. This system
is not of that flavor and root
is necessary for many things
so frankly adding a hurdle or
two really doesn't appreciably
make the system more secure.</div>
<div><br clear="none">
</div>
<div>Require a long pass phrase
(say 20 mixed characters or
so) and this whole thing is
moot...</div>
<div><br clear="none">
</div>
<div>And BTW - putting sshd on
port 222 (or anything except
22) is security by obscurity -
many tools can find standard
protocols on non-standard
ports :-) (I know, I wrote
one)<br clear="none">
</div>
<div><br clear="none">
</div>
<div>The best bet is to not
allow ssh at all. If that is
not feasible then do the su or
sudo thing and/or set up an
intermediate system such that
you access a non-privileged
account on system A, then ssh
to system B and system B will
ONLY accept ssh from system A.
Still can be beaten but it is
a bit harder...</div>
<div><br clear="none">
</div>
<div>And BTW - I have done
infosec for about 20 years so
I am allowed to have an
opinion on this topic :-)<br
clear="none">
</div>
<div><span></span></div>
<div> </div>
<div>Steven Donegan<br
clear="none">
KK6IVC General Class FCC
License<br clear="none">
Silver State Car #86<br
clear="none">
<a moz-do-not-send="true"
rel="nofollow" shape="rect"
href="http://www.sscc.us/"
target="_blank">www.sscc.us</a></div>
<br clear="none">
<div
style="font-family:HelveticaNeue-Light,Helvetica
Neue Light,Helvetica
Neue,Helvetica,Arial,Lucida
Grande,sans-serif;font-size:16px">
<div
style="font-family:HelveticaNeue,Helvetica
Neue,Helvetica,Arial,Lucida
Grande,sans-serif;font-size:16px">
<div dir="ltr">
<hr size="1"> <font
face="Arial" size="2"> <b><span
style="font-weight:bold">From:</span></b> Steve Zingman <<a moz-do-not-send="true" href="mailto:szingman@msgstor.com" target="_blank">szingman@msgstor.com</a>><br clear="none">
<b><span
style="font-weight:bold">To:</span></b>
"<a moz-do-not-send="true" rel="nofollow" shape="rect" href="mailto:app_rpt-users@ohnosec.org" target="_blank">app_rpt-users@ohnosec.org</a>"
<<a moz-do-not-send="true" rel="nofollow" shape="rect" href="mailto:app_rpt-users@ohnosec.org" target="_blank">app_rpt-users@ohnosec.org</a>>
<br clear="none">
<b><span
style="font-weight:bold">Sent:</span></b>
Monday, October 5, 2015
2:24 PM<br clear="none">
<b><span
style="font-weight:bold">Subject:</span></b>
[App_rpt-users] New
Official Allstar
Distribution Released
(DIAL)<br clear="none">
</font> </div>
<div><br clear="none">
<div>
<div> </div>
<div>
<pre style="white-space:pre-wrap;color:rgb(0,0,0);font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-indent:0px;text-transform:none;word-spacing:0px">Dave,
Let's say I agree with you. And I well may.
On most internet exposed machines, I don't even allow ssh unless I trust your address or require a VPN.
I agree it is common practice to not allow it.
Now the question is why?
As John McLaughlin would say, DISCUSS!
On 10/05/2015 08:40 AM, Steve Zingman wrote:
><i> root login via SSH is now allowed
</i>
> This is a bad idea. Root should *never* be allowed to login to a system
> remotely. It's better to log in as a normal user and then become root
> via su, sudo, etc.
> - Dave
</pre>
<br clear="none">
<pre>--
"Anything is possible if you don't know what you are talking about."
1st Law of Logic</pre>
<div><br clear="none">
<br clear="none">
</div>
<div> </div>
</div>
</div>
<br clear="none">
<div>_______________________________________________<br
clear="none">
App_rpt-users mailing
list<br clear="none">
<a moz-do-not-send="true" rel="nofollow" shape="rect" href="mailto:App_rpt-users@ohnosec.org" target="_blank">App_rpt-users@ohnosec.org</a><br clear="none">
<a moz-do-not-send="true" rel="nofollow" shape="rect" href="http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users" target="_blank">http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users</a><br clear="none">
<br clear="none">
To unsubscribe from this list please visit <a moz-do-not-send="true" rel="nofollow" shape="rect" href="http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users" target="_blank">http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users</a> and scroll down to
the bottom of the page.
Enter your email address
and press the
"Unsubscribe or edit
options button"<br
clear="none">
You do not need a
password to unsubscribe,
you can do it via email
confirmation. If you
have trouble
unsubscribing, please
send a message to the
list detailing the
problem. </div>
<br clear="none">
<br clear="none">
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
<br>
<br>
</div>
</div>
</div>
</div>
<br>
</blockquote>
<br>
</div>
</div>
</div>
<br>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
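<p>An added example, not code from this thread or from the DIAL distribution: a small POSIX shell audit of an sshd_config for the settings argued over above (Dave's "root should never log in remotely", Steven's system B that only accepts ssh from system A, Stacy's certificates and lockout after a few attempts), with the weak configuration beside the hardened one. It also encodes the two sshd_config parsing rules that make a hand-edited config look hardened when it is not: sshd uses the first value it reads for a keyword, and everything after a Match line applies only inside that Match block. The jump-host address 192.0.2.10, the CA key path /etc/ssh/user_ca.pub and the file names are assumptions made for the example; the three config texts are constructed here.</p>

```shell
#!/bin/sh
# Added example, not code from the App_rpt-users thread or the DIAL distribution.
# Audits an sshd_config for the settings the thread argues about and encodes two
# sshd_config rules that trip people up:
#   1. For a given keyword sshd uses the FIRST value it reads, so appending
#      "PermitRootLogin no" below an existing "PermitRootLogin yes" changes nothing.
#   2. Everything after a "Match" line applies only inside that block, so a
#      global audit stops at the first Match.
# The config texts, file names and the jump-host address 192.0.2.10 are
# constructed for this example.

# effective_value FILE KEYWORD  -> the global value sshd would use, or "" if unset
effective_value() {
    awk -v key="$2" '
        BEGIN { key = tolower(key) }
        { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }      # trim the line
        /^#/ || /^$/ { next }                            # comment or blank line
        {
            n = split($0, f, /[ \t]+|[ \t]*=[ \t]*/)     # "Key val" or "Key=val"
            k = tolower(f[1])                            # keywords are case-insensitive
        }
        k == "match" { exit }                            # end of the global section
        k == key {
            v = f[2]
            for (i = 3; i <= n; i++) v = v " " f[i]      # multi-word values (AllowUsers ...)
            print v
            exit                                         # first occurrence wins
        }
    ' "$1"
}

# check FILE KEYWORD EXPECTED -> prints PASS/FAIL on stderr, returns 0 on PASS
check() {
    got=$(effective_value "$1" "$2")
    if [ "$got" = "$3" ]; then
        echo "PASS  $2 = $got" >&2
        return 0
    fi
    echo "FAIL  $2 = '${got:-(unset)}' (want '$3')" >&2
    return 1
}

# audit_config FILE -> prints the number of failed checks on stdout
audit_config() {
    fails=0
    check "$1" PermitRootLogin        no  || fails=$((fails + 1))   # Dave's point
    check "$1" PasswordAuthentication no  || fails=$((fails + 1))   # keys only
    check "$1" PubkeyAuthentication   yes || fails=$((fails + 1))
    check "$1" MaxAuthTries           3   || fails=$((fails + 1))   # few guesses per connection
    check "$1" AllowUsers "*@192.0.2.10"  || fails=$((fails + 1))   # only the jump host (assumed address)
    echo "$fails"
}

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

# 1. The kind of config the thread objects to: root and password logins on,
#    moved to port 222 "for security".
WEAK="$WORKDIR/sshd_config.weak"
cat > "$WEAK" <<'EOF'
Port 222
PermitRootLogin yes
PasswordAuthentication yes
EOF

# 2. The hardened equivalent: keys only, no root, jump host only, plus an SSH
#    user CA (assumed path) for the "certificates" suggestion.
HARD="$WORKDIR/sshd_config.hardened"
cat > "$HARD" <<'EOF'
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
MaxAuthTries 3
AllowUsers *@192.0.2.10
TrustedUserCAKeys /etc/ssh/user_ca.pub
EOF

# 3. The trap: the "right" lines were appended below the distro defaults,
#    but the earlier values win, so root and password logins are still on.
TRAP="$WORKDIR/sshd_config.appended"
cat > "$TRAP" <<'EOF'
PermitRootLogin yes
PasswordAuthentication yes
# --- appended by a hardening script ---
PermitRootLogin no
PasswordAuthentication=no
PubkeyAuthentication yes
MaxAuthTries 3
AllowUsers *@192.0.2.10
EOF

for f in "$WEAK" "$HARD" "$TRAP"; do
    echo "== $f" >&2
    echo "failed checks: $(audit_config "$f")" >&2
done
```

<p>The parser only reads the global section, which is enough to catch the two traps the comments name. On a real host the authoritative check is <code>sshd -T</code>, which prints the configuration sshd will actually use, and <code>sshd -T -C user=pi,addr=192.0.2.10</code> applies any Match blocks for that connection before printing. Note what PermitRootLogin does not cover: if the ordinary account can still log in with a password and run sudo, the settings that close that path are PasswordAuthentication and AllowUsers, not the root flag.</p>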
</body>
</html>