<div dir="ltr">Personally I use Fail2ban <div><br></div></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><div dir="ltr"><div style="font-family:arial;font-size:small">Loren Tedford (KC9ZHV) <br>Email: <a href="mailto:lorentedford@gmail.com" style="color:rgb(17,85,204)" target="_blank">lorentedford@gmail.com</a></div><div style="font-family:arial;font-size:small">Main Line:1-631-686-8878 Option 1 for Loren.</div><div style="font-family:arial;font-size:small">Fax Line 1:1-618-551-2755</div><div style="font-family:arial;font-size:small">Fax Line 2:1-631-686-8892 (New Fax line)</div><div><font face="arial" size="2">Cell: 618-553-0806</font><br></div><div style="font-family:arial;font-size:small"><a href="http://www.lorentedford.com/" style="color:rgb(17,85,204)" target="_blank">http://www.lorentedford.com</a></div><div style="font-family:arial;font-size:small"><a href="http://www.kc9zhv.com" target="_blank">http://www.kc9zhv.com</a></div><div style="font-family:arial;font-size:small"><a href="http://hub.kc9zhv.com" target="_blank">http://hub.kc9zhv.com</a></div></div></div></div></div></div></div></div>
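<div>An added example, not code from this thread or from the Fail2ban project: the core of what a Fail2ban sshd jail does (match failed-login lines, count them per source address, ban once maxretry is reached), written out in plain sh over constructed auth.log lines so the ban decision is visible. The jail.local fragment in the comment uses Fail2ban's real option names; the log lines, hostname and addresses are made up for the example, and the ban commands are printed rather than executed.</div>

```shell
#!/bin/sh
# Added example (not from the list thread or from Fail2ban's own code): the
# decision a Fail2ban sshd jail makes, reduced to grep/sed/awk.
#
# Equivalent Fail2ban jail (/etc/fail2ban/jail.local), for reference:
#   [sshd]
#   enabled  = true
#   maxretry = 3        # ban after three failed attempts
#   findtime = 10m      # ... seen within ten minutes
#   bantime  = 1d       # length of the ban; -1 makes it permanent

# Constructed sample of sshd lines in the /var/log/auth.log format.
# Addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG='Oct  5 21:06:01 node sshd[1201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Oct  5 21:06:03 node sshd[1201]: Failed password for root from 203.0.113.7 port 51236 ssh2
Oct  5 21:06:05 node sshd[1203]: Invalid user admin from 203.0.113.7 port 51240
Oct  5 21:06:06 node sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Oct  5 21:07:10 node sshd[1210]: Failed password for pi from 198.51.100.22 port 40022 ssh2
Oct  5 21:07:30 node sshd[1215]: Accepted publickey for pi from 192.0.2.9 port 40100 ssh2'

# offenders MAXRETRY: read sshd log lines on stdin and print "COUNT IP" for
# every source address with at least MAXRETRY "Failed password" lines.
# "Invalid user" lines are not counted on their own, because sshd follows
# each of them with a "Failed password for invalid user" line for the same
# attempt; counting both would double-count it.
offenders() {
    grep 'sshd\[[0-9]*\]: Failed password for ' \
      | sed -n 's/.* from \([0-9.][0-9.]*\) port .*/\1/p' \
      | sort | uniq -c \
      | awk -v max="$1" '$1 >= max { print $1, $2 }'
}

# ban_commands MAXRETRY: turn the offender list into firewall commands.
# Printed, not executed: review the output, then run it as root.
ban_commands() {
    offenders "$1" | awk '{ print "iptables -I INPUT -s " $2 " -j DROP" }'
}

printf '%s\n' "$SAMPLE_LOG" | offenders 3
printf '%s\n' "$SAMPLE_LOG" | ban_commands 3
```

<div>On a live box, feed the real log: <code>offenders 3 &lt; /var/log/auth.log</code>. Fail2ban additionally limits the count to the findtime window and lifts the ban after bantime; this sketch leaves both out so the matching and counting stay readable.</div>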
<br><div class="gmail_quote">On Mon, Oct 5, 2015 at 9:06 PM, Stacy <span dir="ltr"><<a href="mailto:kg7qin@arrl.net" target="_blank">kg7qin@arrl.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>Certificates, two-factor authentication
and something like ssh-guard set to block on the first three
attempts with a really really long block threshold. <br><span class="HOEnZb"><font color="#888888">
<br>
Stacy<br>
KG7QIN</font></span><div><div class="h5"><br>
<br>
On 10/05/2015 02:57 PM, Steven Donegan wrote:<br>
</div></div></div><div><div class="h5">
<blockquote type="cite">
<div style="color:#000;background-color:#fff;font-family:HelveticaNeue-Light,Helvetica Neue Light,Helvetica Neue,Helvetica,Arial,Lucida Grande,sans-serif;font-size:16px">Using certificates for ssh is yet
another method :-) <br>
<div><span></span></div>
<div> </div>
<div>Steven
Donegan<br>
KK6IVC General Class FCC License<br>
Silver State Car #86<br>
<a href="http://www.sscc.us" target="_blank">www.sscc.us</a></div>
<br>
<div style="font-family:HelveticaNeue-Light,Helvetica Neue Light,Helvetica Neue,Helvetica,Arial,Lucida Grande,sans-serif;font-size:16px">
<div style="font-family:HelveticaNeue,Helvetica Neue,Helvetica,Arial,Lucida Grande,sans-serif;font-size:16px">
<div dir="ltr">
<hr size="1"> <font face="Arial" size="2"> <b><span style="font-weight:bold">From:</span></b> Bryan D.
Boyle <a href="mailto:bdboyle@bdboyle.com" target="_blank"><bdboyle@bdboyle.com></a><br>
<b><span style="font-weight:bold">To:</span></b>
Steven Donegan <a href="mailto:donegan@donegan.org" target="_blank"><donegan@donegan.org></a> <br>
<b><span style="font-weight:bold">Cc:</span></b> Steve
Zingman <a href="mailto:szingman@msgstor.com" target="_blank"><szingman@msgstor.com></a>;
<a href="mailto:app_rpt-users@ohnosec.org" target="_blank">"app_rpt-users@ohnosec.org"</a>
<a href="mailto:app_rpt-users@ohnosec.org" target="_blank"><app_rpt-users@ohnosec.org></a> <br>
<b><span style="font-weight:bold">Sent:</span></b>
Monday, October 5, 2015 2:49 PM<br>
<b><span style="font-weight:bold">Subject:</span></b>
Re: [App_rpt-users] New Official Allstar Distribution
Released (DIAL)<br>
</font> </div>
<div><br>
<div>
<div>
<div>Using a
jump box as you describe is one way...not allowing
SSH from the outside adds a layer; setting up a
secure VDI capability to the jumpbox over a VPN is
yet a third way...;). </div>
<div><br clear="none">
</div>
<div>my rule: if
it's exposed to the net, it's potentially
vulnerable. Just turn on your SIP port and pop some
popcorn to see...;)<br clear="none">
<br clear="none">
--
<div>Bryan</div>
<div>Sent from my iPhone 5.<span style="font-size:13pt">..No electrons were
harmed in the sending of this message.</span></div>
<div><br clear="none">
<div><br clear="none">
</div>
</div>
</div>
<div><br>
<br>
</div>
<div>
<div><br clear="none">
On Oct 5, 2015, at 17:39, Steven Donegan <<a href="mailto:donegan@donegan.org" target="_blank">donegan@donegan.org</a>>
wrote:<br clear="none">
<br clear="none">
</div>
<blockquote type="cite">
<div>
<div style="color:#000;background-color:#fff;font-family:HelveticaNeue-Light,Helvetica Neue Light,Helvetica Neue,Helvetica,Arial,Lucida Grande,sans-serif;font-size:16px">
<div>Direct
root login being disallowed IF there were no
other way to get full root privileges (not
the case here) was considered best practice.
However in almost every case there is a user
(on Raspbian user pi) that can simply login,
sudo -s and do whatever they want. Yes it
puts up a small hurdle but I don't see it as
a serious one.</div>
<div><br clear="none">
</div>
<div>In
short, there is almost no setup that will
allow you to completely lock out root with
the exception of a few well designed
appliances. And that means someone is out
there doing support to get things resolved.
This system is not of that flavor and root
is necessary for many things so frankly
adding a hurdle or two really doesn't
appreciably make the system more secure.</div>
<div><br clear="none">
</div>
<div>Require
a long pass phrase (say 20 mixed characters
or so) and this whole thing is moot...</div>
<div><br clear="none">
</div>
<div>And
BTW - putting sshd on port 222 (or anything
except 22) is security by obscurity - many
tools can find standard protocols on
non-standard ports :-) (I know, I wrote one)<br clear="none">
</div>
<div><br clear="none">
</div>
<div>The
best bet is to not allow ssh at all. If that
is not feasible then do the su or sudo thing
and/or set up an intermediate system such
that you access a non-privileged account on
system A, then ssh to system B and system B
will ONLY accept ssh from system A. Still
can be beaten but it is a bit harder...</div>
<div><br clear="none">
</div>
<div>And
BTW - I have done infosec for about 20 years
so I am allowed to have an opinion on this
topic :-)<br clear="none">
</div>
<div><span></span></div>
<div> </div>
<div>Steven
Donegan<br clear="none">
KK6IVC General Class FCC License<br clear="none">
Silver State Car #86<br clear="none">
<a rel="nofollow" shape="rect" href="http://www.sscc.us/" target="_blank">www.sscc.us</a></div>
<br clear="none">
<div style="font-family:HelveticaNeue-Light,Helvetica Neue Light,Helvetica Neue,Helvetica,Arial,Lucida Grande,sans-serif;font-size:16px">
<div style="font-family:HelveticaNeue,Helvetica Neue,Helvetica,Arial,Lucida Grande,sans-serif;font-size:16px">
<div dir="ltr">
<hr size="1"> <font face="Arial" size="2"> <b><span style="font-weight:bold">From:</span></b>
Steve Zingman <<a href="mailto:szingman@msgstor.com" target="_blank">szingman@msgstor.com</a>><br clear="none">
<b><span style="font-weight:bold">To:</span></b>
"<a rel="nofollow" shape="rect" href="mailto:app_rpt-users@ohnosec.org" target="_blank">app_rpt-users@ohnosec.org</a>"
<<a rel="nofollow" shape="rect" href="mailto:app_rpt-users@ohnosec.org" target="_blank">app_rpt-users@ohnosec.org</a>>
<br clear="none">
<b><span style="font-weight:bold">Sent:</span></b>
Monday, October 5, 2015 2:24 PM<br clear="none">
<b><span style="font-weight:bold">Subject:</span></b>
[App_rpt-users] New Official Allstar
Distribution Released (DIAL)<br clear="none">
</font> </div>
<div><br clear="none">
<div>
<div> </div>
<div>
<pre style="white-space:pre-wrap;color:rgb(0,0,0);font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-indent:0px;text-transform:none;word-spacing:0px">Dave,
Let's say I agree with you. And I well may.
On most internet exposed machines, I don't even allow ssh unless I trust your address or require a VPN.
I agree it is common practice to not allow it.
Now the question is why?
As John McLaughlin would say, DISCUSS!
On 10/05/2015 08:40 AM, Steve Zingman wrote:
><i> root login via SSH is now allowed
</i>
> This is a bad idea. Root should *never* be allowed to login to a system
> remotely. It's better to log in as a normal user and then become root
> via su, sudo, etc.
> - Dave
</pre>
<br clear="none">
<pre>--
"Anything is possible if you don't know what you are talking about."
1st Law of Logic</pre>
<div><br clear="none">
<br clear="none">
</div>
<div> </div>
</div>
</div>
<br clear="none">
<div>_______________________________________________<br clear="none">
App_rpt-users mailing list<br clear="none">
<a rel="nofollow" shape="rect" href="mailto:App_rpt-users@ohnosec.org" target="_blank">App_rpt-users@ohnosec.org</a><br clear="none">
<a rel="nofollow" shape="rect" href="http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users" target="_blank">http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users</a><br clear="none">
<br clear="none">
To unsubscribe from this list please
visit <a rel="nofollow" shape="rect" href="http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users" target="_blank">http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users
</a>and scroll down to the bottom of
the page. Enter your email address and
press the "Unsubscribe or edit options
button"<br clear="none">
You do not need a password to
unsubscribe, you can do it via email
confirmation. If you have trouble
unsubscribing, please send a message
to the list detailing the problem. </div>
<br clear="none">
<br clear="none">
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
<br>
<br>
</div>
</div>
</div>
</div>
<br>
</blockquote>
<br>
</div></div></div>
</blockquote></div><br></div>
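<div>An added example, not from the thread or from OpenSSH: a small audit of an sshd_config against the points argued in the quoted messages above (Dave's no remote root login, Steve Zingman's trusted-address-only access, Steven Donegan's keys or certificates and the "system B only accepts ssh from system A" jump-host setup, and his note that moving sshd to port 222 is obscurity only). Both sample configs are constructed for the example; the jump-host address 192.0.2.10 and the CA path /etc/ssh/user_ca.pub are assumptions, and the pi account is the one named in the thread.</div>

```shell
#!/bin/sh
# Added example (not from the list thread or from OpenSSH): audit an
# sshd_config read on stdin and print one line per weak setting. The directive
# semantics follow sshd_config(5): the first value of a directive wins, and
# anything after a Match line applies only to matching connections.

audit_sshd() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments and blank lines
    {
        key = tolower($1); val = $2
        if (key == "match") in_match = 1        # everything after Match is conditional
        if (in_match) next
        if (!(key in cfg)) cfg[key] = val       # sshd keeps the first value it sees
    }
    END {
        if (!("permitrootlogin" in cfg) || cfg["permitrootlogin"] == "yes")
            print "PermitRootLogin: yes or left at the default; set no (or prohibit-password if root must keep key-only access)"
        if (!("passwordauthentication" in cfg) || cfg["passwordauthentication"] == "yes")
            print "PasswordAuthentication: passwords accepted, so guessing is possible; set no and use keys or certificates"
        if (!("allowusers" in cfg) && !("allowgroups" in cfg))
            print "AllowUsers/AllowGroups: every local account may attempt a login; restrict to the accounts and source hosts that need it"
        if (("port" in cfg) && cfg["port"] != "22")
            print "Port " cfg["port"] ": a non-standard port is obscurity only; version scanners still identify sshd"
    }'
}

# count_findings: number of weak settings, handy as an exit code in a check script
count_findings() {
    audit_sshd | wc -l | tr -d ' '
}

# Constructed: the shape of the config the thread objects to (remote root and
# password logins on, sshd moved to port 222).
WEAK_CFG='Port 222
PermitRootLogin yes
PasswordAuthentication yes
UsePAM yes'

# Constructed: one hardened form. Keys or CA-signed certificates only, no
# remote root, and the pi account on this box (system B) reachable only from
# the jump host (system A, assumed to be 192.0.2.10).
HARD_CFG='Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
# user certificates signed by a local CA are accepted instead of per-key authorized_keys
# (path is an assumption for this example)
TrustedUserCAKeys /etc/ssh/user_ca.pub
AllowUsers pi@192.0.2.10'

echo "weak config:";     printf '%s\n' "$WEAK_CFG" | audit_sshd
echo "hardened config:"; printf '%s\n' "$HARD_CFG" | audit_sshd
```

<div>Run it as <code>audit_sshd &lt; /etc/ssh/sshd_config</code>. Before restarting sshd with a hardened file, check it with <code>sshd -t</code> and keep an existing session open in case the new rules lock you out. The <code>AllowUsers user@host</code> form enforces the jump-host restriction inside sshd; a firewall rule on system B that admits port 22 only from system A is the matching network-layer check, and neither one changes the point made in the thread that a user who can <code>sudo -s</code> still reaches root once logged in.</div>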