<html><body><div style="color:#000; background-color:#fff; font-family:HelveticaNeue-Light, Helvetica Neue Light, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:16px"><div id="yui_3_16_0_1_1443990021550_87597" dir="ltr">5038 is asterisk management port - I would suggest for hardening that 222 (whatever port is selected for ssh) and 4569 be firewalled tightly and 5038 kept totally local. But this is all food for further discussion :-)</div><div id="yui_3_16_0_1_1443990021550_87811" dir="ltr"><br></div><div dir="ltr">Not having a currently running Debian system handy - does it use iptables or firewalld? I have set up both in a scripted fashion before.<br></div><div id="yui_3_16_0_1_1443990021550_87518"><span></span></div><div id="yui_3_16_0_1_1443990021550_87519"> </div><div id="yui_3_16_0_1_1443990021550_87520" class="signature">Steven Donegan<br>KK6IVC General Class FCC License<br>Silver State Car #86<br>www.sscc.us</div><br> <div id="yui_3_16_0_1_1443990021550_87814" style="font-family: HelveticaNeue-Light, Helvetica Neue Light, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;"> <div id="yui_3_16_0_1_1443990021550_87813" style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;"> <div id="yui_3_16_0_1_1443990021550_87812" dir="ltr"> <hr id="yui_3_16_0_1_1443990021550_87965" size="1"> <font id="yui_3_16_0_1_1443990021550_87815" face="Arial" size="2"> <b><span style="font-weight:bold;">From:</span></b> Steve Zingman <szingman@msgstor.com><br> <b><span style="font-weight: bold;">To:</span></b> Steven Donegan <donegan@donegan.org> <br><b><span style="font-weight: bold;">Cc:</span></b> "app_rpt-users@ohnosec.org" <app_rpt-users@ohnosec.org> <br> <b><span style="font-weight: bold;">Sent:</span></b> Monday, October 5, 2015 4:38 PM<br> <b><span style="font-weight: bold;">Subject:</span></b> Node security<br> </font> </div> <div id="yui_3_16_0_1_1443990021550_87816" 
class="y_msg_container"><br><div id="yiv4753716635"><div>
As of right now it's listening to 222 and 5038 on 127.0.0.1 TCP<br clear="none">
and 4569 on UDP.<br clear="none">
<br clear="none">
That's all.<br clear="none">
<br clear="none">
<div class="qtdSeparateBR"><br><br></div><div class="yiv4753716635yqt8111012284" id="yiv4753716635yqt40981"><div class="yiv4753716635moz-cite-prefix">On 10/05/2015 07:15 PM, Steven Donegan
wrote:<br clear="none">
</div>
<blockquote type="cite">
<div style="color:#000;background-color:#fff;font-family:HelveticaNeue-Light, Helvetica Neue Light, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:16px;">
<div dir="ltr" id="yiv4753716635yui_3_16_0_1_1443990021550_83439">Let me spin up one of the DIAL setups - may take me a day - then see what is enabled by default and hardening will be 'easy' (no processes/ports active not absolutely required). Adding the CA stuff will be easy as well if desired. Whatever the overall direction is I can do security stuff :-)<br clear="none">
</div>
<div id="yiv4753716635yui_3_16_0_1_1443990021550_83330"><span></span></div>
<div id="yiv4753716635yui_3_16_0_1_1443990021550_83216"> </div>
<div class="yiv4753716635signature" id="yiv4753716635yui_3_16_0_1_1443990021550_83203">Steven
Donegan<br clear="none">
KK6IVC General Class FCC License<br clear="none">
Silver State Car #86<br clear="none">
<a rel="nofollow" shape="rect" class="yiv4753716635moz-txt-link-abbreviated" target="_blank" href="http://www.sscc.us/">www.sscc.us</a></div>
<br clear="none">
<div id="yiv4753716635yui_3_16_0_1_1443990021550_83442" style="font-family:HelveticaNeue-Light, Helvetica Neue Light, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:16px;">
<div id="yiv4753716635yui_3_16_0_1_1443990021550_83441" style="font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:16px;">
<div dir="ltr" id="yiv4753716635yui_3_16_0_1_1443990021550_83440">
<hr size="1"> <font id="yiv4753716635yui_3_16_0_1_1443990021550_83443" face="Arial" size="2"> <b><span style="font-weight:bold;">From:</span></b> Steve
Zingman <a rel="nofollow" shape="rect" class="yiv4753716635moz-txt-link-rfc2396E" ymailto="mailto:szingman@msgstor.com" target="_blank" href="mailto:szingman@msgstor.com"><szingman@msgstor.com></a><br clear="none">
<b><span style="font-weight:bold;">To:</span></b>
Steven Donegan <a rel="nofollow" shape="rect" class="yiv4753716635moz-txt-link-rfc2396E" ymailto="mailto:donegan@donegan.org" target="_blank" href="mailto:donegan@donegan.org"><donegan@donegan.org></a>; David
Andrzejewski <a rel="nofollow" shape="rect" class="yiv4753716635moz-txt-link-rfc2396E" ymailto="mailto:david@davidandrzejewski.com" target="_blank" href="mailto:david@davidandrzejewski.com"><david@davidandrzejewski.com></a> <br clear="none">
<b><span style="font-weight:bold;">Cc:</span></b>
<a rel="nofollow" shape="rect" class="yiv4753716635moz-txt-link-rfc2396E" ymailto="mailto:app_rpt-users@ohnosec.org" target="_blank" href="mailto:app_rpt-users@ohnosec.org">"app_rpt-users@ohnosec.org"</a>
<a rel="nofollow" shape="rect" class="yiv4753716635moz-txt-link-rfc2396E" ymailto="mailto:app_rpt-users@ohnosec.org" target="_blank" href="mailto:app_rpt-users@ohnosec.org"><app_rpt-users@ohnosec.org></a> <br clear="none">
<b><span style="font-weight:bold;">Sent:</span></b>
Monday, October 5, 2015 4:04 PM<br clear="none">
<b><span style="font-weight:bold;">Subject:</span></b>
Re: [App_rpt-users] New Official Allstar Distribution
Released (DIAL)<br clear="none">
</font> </div>
<div class="yiv4753716635y_msg_container" id="yiv4753716635yui_3_16_0_1_1443990021550_83444"><br clear="none">
<div id="yiv4753716635">
<div id="yiv4753716635yui_3_16_0_1_1443990021550_83445"> Sure,<br clear="none">
I think a hardening script might be in order (and optional).<br clear="none">
<br clear="none">
<div class="yiv4753716635qtdSeparateBR"><br clear="none">
<br clear="none">
</div>
<div class="yiv4753716635yqt9120962000" id="yiv4753716635yqt52579">
<div class="yiv4753716635moz-cite-prefix">On
10/05/2015 06:55 PM, Steven Donegan wrote:<br clear="none">
</div>
<blockquote type="cite">
<div style="color:#000;background-color:#fff;font-family:HelveticaNeue-Light, Helvetica Neue Light, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:16px;">BTW - I have a script to make a *NIX box a CA and generate certificates - that could easily be added to the DIAL/Pi/etc releases - let me see if I can scrounge it up :-) Assuming anyone would want that ability and Steve is OK with it :-)<br clear="none">
<div id="yiv4753716635yui_3_16_0_1_1443990021550_80415"><span></span></div>
<div id="yiv4753716635yui_3_16_0_1_1443990021550_80416"> </div>
<div class="yiv4753716635signature" id="yiv4753716635yui_3_16_0_1_1443990021550_80482">Steven
Donegan<br clear="none">
KK6IVC General Class FCC License<br clear="none">
Silver State Car #86<br clear="none">
<a rel="nofollow" shape="rect" class="yiv4753716635moz-txt-link-abbreviated" target="_blank" href="http://www.sscc.us/">www.sscc.us</a></div>
<br clear="none">
<div id="yiv4753716635yui_3_16_0_1_1443990021550_80485" style="font-family:HelveticaNeue-Light, Helvetica Neue Light, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:16px;">
<div id="yiv4753716635yui_3_16_0_1_1443990021550_80484" style="font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:16px;">
<div dir="ltr" id="yiv4753716635yui_3_16_0_1_1443990021550_80483">
<hr id="yiv4753716635yui_3_16_0_1_1443990021550_80529" size="1"> <font id="yiv4753716635yui_3_16_0_1_1443990021550_80486" face="Arial" size="2"> <b><span style="font-weight:bold;">From:</span></b>
David Andrzejewski <a rel="nofollow" shape="rect" class="yiv4753716635moz-txt-link-rfc2396E" ymailto="mailto:david@davidandrzejewski.com" target="_blank" href="mailto:david@davidandrzejewski.com"></a><a rel="nofollow" shape="rect" class="yiv4753716635moz-txt-link-rfc2396E" ymailto="mailto:david@davidandrzejewski.com" target="_blank" href="mailto:david@davidandrzejewski.com"><david@davidandrzejewski.com></a><br clear="none">
<b><span style="font-weight:bold;">To:</span></b>
Steven Donegan <a rel="nofollow" shape="rect" class="yiv4753716635moz-txt-link-rfc2396E" ymailto="mailto:donegan@donegan.org" target="_blank" href="mailto:donegan@donegan.org"></a><a rel="nofollow" shape="rect" class="yiv4753716635moz-txt-link-rfc2396E" ymailto="mailto:donegan@donegan.org" target="_blank" href="mailto:donegan@donegan.org"><donegan@donegan.org></a>
<br clear="none">
<b><span style="font-weight:bold;">Cc:</span></b>
Bryan D. Boyle <a rel="nofollow" shape="rect" class="yiv4753716635moz-txt-link-rfc2396E" ymailto="mailto:bdboyle@bdboyle.com" target="_blank" href="mailto:bdboyle@bdboyle.com"></a><a rel="nofollow" shape="rect" class="yiv4753716635moz-txt-link-rfc2396E" ymailto="mailto:bdboyle@bdboyle.com" target="_blank" href="mailto:bdboyle@bdboyle.com"><bdboyle@bdboyle.com></a>;
<a rel="nofollow" shape="rect" class="yiv4753716635moz-txt-link-rfc2396E" ymailto="mailto:app_rpt-users@ohnosec.org" target="_blank" href="mailto:app_rpt-users@ohnosec.org">"app_rpt-users@ohnosec.org"</a>
<a rel="nofollow" shape="rect" class="yiv4753716635moz-txt-link-rfc2396E" ymailto="mailto:app_rpt-users@ohnosec.org" target="_blank" href="mailto:app_rpt-users@ohnosec.org"><app_rpt-users@ohnosec.org></a>
<br clear="none">
<b><span style="font-weight:bold;">Sent:</span></b>
Monday, October 5, 2015 3:50 PM<br clear="none">
<b id="yiv4753716635yui_3_16_0_1_1443990021550_80488"><span id="yiv4753716635yui_3_16_0_1_1443990021550_80487" style="font-weight:bold;">Subject:</span></b>
Re: [App_rpt-users] New Official Allstar
Distribution Released (DIAL)<br clear="none">
</font> </div>
<div class="yiv4753716635y_msg_container" id="yiv4753716635yui_3_16_0_1_1443990021550_80489"><br clear="none">
<div id="yiv4753716635">
<div id="yiv4753716635yui_3_16_0_1_1443990021550_80490">Yep - disallowing keyboard-interactive and accepting only certificates. I turn off PermitRootLogin and only allow certificates. Barring some kind of exploit in sshd, that ought to be secure enough.<br clear="none">
<br clear="none">
<span>Steven Donegan wrote:</span><br clear="none">
<blockquote type="cite">
<div class="yiv4753716635qtdSeparateBR"><br clear="none">
<br clear="none">
</div>
<div class="yiv4753716635yqt4126216668" id="yiv4753716635yqt02654">
<div style="color:#000;background-color:#fff;font-family:HelveticaNeue-Light, Helvetica Neue Light, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:16px;">Using certificates for ssh is yet another method :-) <br clear="none">
<div id="yiv4753716635yui_3_16_0_1_1443990021550_67368"><span></span></div>
<div id="yiv4753716635yui_3_16_0_1_1443990021550_67369"> </div>
<div class="yiv4753716635signature" id="yiv4753716635yui_3_16_0_1_1443990021550_67423">Steven Donegan<br clear="none">
KK6IVC General Class FCC
License<br clear="none">
Silver State Car #86<br clear="none">
<a rel="nofollow" shape="rect" class="yiv4753716635moz-txt-link-abbreviated" target="_blank" href="http://www.sscc.us/">www.sscc.us</a></div>
<br clear="none">
<div id="yiv4753716635yui_3_16_0_1_1443990021550_67426" style="font-family:HelveticaNeue-Light, Helvetica Neue Light, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:16px;">
<div id="yiv4753716635yui_3_16_0_1_1443990021550_67425" style="font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:16px;">
<div dir="ltr" id="yiv4753716635yui_3_16_0_1_1443990021550_67424">
<hr size="1"> <font face="Arial" size="2"> <b><span style="font-weight:bold;">From:</span></b> Bryan D. Boyle <a rel="nofollow" shape="rect" class="yiv4753716635moz-txt-link-rfc2396E" ymailto="mailto:bdboyle@bdboyle.com" target="_blank" href="mailto:bdboyle@bdboyle.com"></a><a rel="nofollow" shape="rect" class="yiv4753716635moz-txt-link-rfc2396E" ymailto="mailto:bdboyle@bdboyle.com" target="_blank" href="mailto:bdboyle@bdboyle.com"><bdboyle@bdboyle.com></a><br clear="none">
<b><span style="font-weight:bold;">To:</span></b>
Steven Donegan <a rel="nofollow" shape="rect" class="yiv4753716635moz-txt-link-rfc2396E" ymailto="mailto:donegan@donegan.org" target="_blank" href="mailto:donegan@donegan.org"></a><a rel="nofollow" shape="rect" class="yiv4753716635moz-txt-link-rfc2396E" ymailto="mailto:donegan@donegan.org" target="_blank" href="mailto:donegan@donegan.org"><donegan@donegan.org></a>
<br clear="none">
<b><span style="font-weight:bold;">Cc:</span></b>
Steve Zingman <a rel="nofollow" shape="rect" class="yiv4753716635moz-txt-link-rfc2396E" ymailto="mailto:szingman@msgstor.com" target="_blank" href="mailto:szingman@msgstor.com"></a><a rel="nofollow" shape="rect" class="yiv4753716635moz-txt-link-rfc2396E" ymailto="mailto:szingman@msgstor.com" target="_blank" href="mailto:szingman@msgstor.com"><szingman@msgstor.com></a>;
<a rel="nofollow" shape="rect" class="yiv4753716635moz-txt-link-rfc2396E" ymailto="mailto:app_rpt-users@ohnosec.org" target="_blank" href="mailto:app_rpt-users@ohnosec.org"></a><a rel="nofollow" shape="rect" class="yiv4753716635moz-txt-link-rfc2396E" ymailto="mailto:app_rpt-users@ohnosec.org" target="_blank" href="mailto:app_rpt-users@ohnosec.org">"app_rpt-users@ohnosec.org"</a>
<a rel="nofollow" shape="rect" class="yiv4753716635moz-txt-link-rfc2396E" ymailto="mailto:app_rpt-users@ohnosec.org" target="_blank" href="mailto:app_rpt-users@ohnosec.org"></a><a rel="nofollow" shape="rect" class="yiv4753716635moz-txt-link-rfc2396E" ymailto="mailto:app_rpt-users@ohnosec.org" target="_blank" href="mailto:app_rpt-users@ohnosec.org"><app_rpt-users@ohnosec.org></a>
<br clear="none">
<b><span style="font-weight:bold;">Sent:</span></b>
Monday, October 5, 2015
2:49 PM<br clear="none">
<b><span style="font-weight:bold;">Subject:</span></b>
Re: [App_rpt-users] New
Official Allstar
Distribution Released
(DIAL)<br clear="none">
</font> </div>
<div class="yiv4753716635y_msg_container" id="yiv4753716635yui_3_16_0_1_1443990021550_67427"><br clear="none">
<div id="yiv4753716635">
<div id="yiv4753716635yui_3_16_0_1_1443990021550_67429">
<div id="yiv4753716635yui_3_16_0_1_1443990021550_67428">Using a jump box as you describe is one way...not allowing SSH from the outside adds a layer; setting up a secure VDI capability to the jumpbox over a vpn is yet a third way...;). </div>
<div id="yiv4753716635AppleMailSignature"><br clear="none">
</div>
<div id="yiv4753716635AppleMailSignature">my rule: if it's exposed to the net, it's potentially vulnerable. Just turn on your SIP port and pop some popcorn to see...;)<br clear="none">
<br clear="none">
--
<div>Bryan</div>
<div>Sent from my
iPhone 5.<span style="font-size:13pt;">..No
electrons were
harmed in the
sending of this
message.</span></div>
<div><br clear="none">
<div><br clear="none">
</div>
</div>
</div>
<div class="yiv4753716635qtdSeparateBR"><br clear="none">
<br clear="none">
</div>
<div class="yiv4753716635yqt0199404845" id="yiv4753716635yqt51679">
<div><br clear="none">
On Oct 5, 2015, at
17:39, Steven
Donegan <<a rel="nofollow" shape="rect" class="yiv4753716635moz-txt-link-abbreviated" ymailto="mailto:donegan@donegan.org" target="_blank" href="mailto:donegan@donegan.org"></a><a rel="nofollow" shape="rect" class="yiv4753716635moz-txt-link-abbreviated" ymailto="mailto:donegan@donegan.org" target="_blank" href="mailto:donegan@donegan.org">donegan@donegan.org</a>>
wrote:<br clear="none">
<br clear="none">
</div>
<blockquote type="cite">
<div>
<div style="color:#000;background-color:#fff;font-family:HelveticaNeue-Light, Helvetica Neue Light, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:16px;">
<div id="yiv4753716635yui_3_16_0_1_1443990021550_65382">Direct root login being disallowed IF there were no other way to get full root privileges (not the case here) was considered best practice. However in almost every case there is a user (on Raspbian user pi) that can simply login, sudo -s and do whatever they want. Yes it puts up a small hurdle but I don't see it as a serious one.</div>
<div><br clear="none">
</div>
<div id="yiv4753716635yui_3_16_0_1_1443990021550_65659">In short, there is almost no setup that will allow you to completely lock out root with the exception of a few well designed appliances. And that means someone is out there doing support to get things resolved. This system is not of that flavor and root is necessary for many things so frankly adding a hurdle or two really doesn't appreciably make the system more secure.</div>
<div id="yiv4753716635yui_3_16_0_1_1443990021550_65660"><br clear="none">
</div>
<div id="yiv4753716635yui_3_16_0_1_1443990021550_65661">Require a long pass phrase (say 20 mixed characters or so) and this whole thing is moot...</div>
<div id="yiv4753716635yui_3_16_0_1_1443990021550_65662"><br clear="none">
</div>
<div id="yiv4753716635yui_3_16_0_1_1443990021550_65663">And BTW - putting sshd on port 222 (or anything except 22) is security by obscurity - many tools can find standard protocols on non-standard ports :-) (I know, I wrote one)<br clear="none">
</div>
<div id="yiv4753716635yui_3_16_0_1_1443990021550_65683"><br clear="none">
</div>
<div id="yiv4753716635yui_3_16_0_1_1443990021550_65684">The best bet is to not allow ssh at all. If that is not feasible then do the su or sudo thing and/or set up an intermediate system such that you access a non-privileged account on system A, then ssh to system B and system B will ONLY accept ssh from system A. Still can be beaten but it is a bit harder...</div>
<div id="yiv4753716635yui_3_16_0_1_1443990021550_65685"><br clear="none">
</div>
<div id="yiv4753716635yui_3_16_0_1_1443990021550_65686">And BTW - I have done infosec for about 20 years so I am allowed to have an opinion on this topic :-)<br clear="none">
</div>
<div id="yiv4753716635yui_3_16_0_1_1443990021550_65327"><span></span></div>
<div id="yiv4753716635yui_3_16_0_1_1443990021550_65326"> </div>
<div class="yiv4753716635signature" id="yiv4753716635yui_3_16_0_1_1443990021550_65291">Steven Donegan<br clear="none">
KK6IVC General
Class FCC
License<br clear="none">
Silver State
Car #86<br clear="none">
<a rel="nofollow" shape="rect" target="_blank" href="http://www.sscc.us/"></a><a rel="nofollow" shape="rect" class="yiv4753716635moz-txt-link-abbreviated" target="_blank" href="http://www.sscc.us/">www.sscc.us</a></div>
<br clear="none">
<div id="yiv4753716635yui_3_16_0_1_1443990021550_65306" style="font-family:HelveticaNeue-Light, Helvetica Neue Light, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:16px;">
<div id="yiv4753716635yui_3_16_0_1_1443990021550_65305" style="font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:16px;">
<div dir="ltr" id="yiv4753716635yui_3_16_0_1_1443990021550_65304">
<hr size="1">
<font face="Arial" size="2"> <b><span style="font-weight:bold;">From:</span></b> Steve Zingman <<a rel="nofollow" shape="rect" class="yiv4753716635moz-txt-link-abbreviated" ymailto="mailto:szingman@msgstor.com" target="_blank" href="mailto:szingman@msgstor.com"></a><a rel="nofollow" shape="rect" class="yiv4753716635moz-txt-link-abbreviated" ymailto="mailto:szingman@msgstor.com" target="_blank" href="mailto:szingman@msgstor.com">szingman@msgstor.com</a>><br clear="none">
<b><span style="font-weight:bold;">To:</span></b>
"<a rel="nofollow" shape="rect" class="yiv4753716635moz-txt-link-abbreviated" ymailto="mailto:app_rpt-users@ohnosec.org" target="_blank" href="mailto:app_rpt-users@ohnosec.org"></a><a rel="nofollow" shape="rect" class="yiv4753716635moz-txt-link-abbreviated" ymailto="mailto:app_rpt-users@ohnosec.org" target="_blank" href="mailto:app_rpt-users@ohnosec.org">app_rpt-users@ohnosec.org</a>"
<<a rel="nofollow" shape="rect" class="yiv4753716635moz-txt-link-abbreviated" ymailto="mailto:app_rpt-users@ohnosec.org" target="_blank" href="mailto:app_rpt-users@ohnosec.org"></a><a rel="nofollow" shape="rect" class="yiv4753716635moz-txt-link-abbreviated" ymailto="mailto:app_rpt-users@ohnosec.org" target="_blank" href="mailto:app_rpt-users@ohnosec.org">app_rpt-users@ohnosec.org</a>>
<br clear="none">
<b><span style="font-weight:bold;">Sent:</span></b>
Monday,
October 5,
2015 2:24 PM<br clear="none">
<b><span style="font-weight:bold;">Subject:</span></b>
[App_rpt-users]
New Official
Allstar
Distribution
Released
(DIAL)<br clear="none">
</font> </div>
<div class="yiv4753716635y_msg_container"><br clear="none">
<div id="yiv4753716635">
<div> </div>
<div>
<pre style="white-space:pre-wrap;color:rgb(0, 0, 0);font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-indent:0px;text-transform:none;widows:1;word-spacing:0px;">Dave,
Let's say I agree with you. And I well may.
On most internet exposed machines, I don't even allow ssh unless I trust your address or require a VPN.
I agree it is common practice to not allow it.
Now the question is why?
As John McLaughlin would say, DISCUSS!
On 10/05/2015 08:40 AM, Steve Zingman wrote:
><i> root login via SSH is now allowed
</i>
> This is a bad idea. Root should *never* be allowed to login to a system
> remotely. It's better to log in as a normal user and then become root
> via su, sudo, etc.
> - Dave
</pre>
<br clear="none">
<pre class="yiv4753716635moz-signature">--
"Anything is possible if you don't know what you are talking about."
1st Law of Logic</pre>
<div class="yiv4753716635qtdSeparateBR"><br clear="none">
<br clear="none">
</div>
<div class="yiv4753716635yqt8052708876" id="yiv4753716635yqtfd88066"> </div>
</div>
</div>
<br clear="none">
<div class="yiv4753716635yqt8052708876" id="yiv4753716635yqtfd80175">_______________________________________________<br clear="none">
App_rpt-users
mailing list<br clear="none">
<a rel="nofollow" shape="rect" class="yiv4753716635moz-txt-link-abbreviated" ymailto="mailto:App_rpt-users@ohnosec.org" target="_blank" href="mailto:App_rpt-users@ohnosec.org"></a><a rel="nofollow" shape="rect" class="yiv4753716635moz-txt-link-abbreviated" ymailto="mailto:App_rpt-users@ohnosec.org" target="_blank" href="mailto:App_rpt-users@ohnosec.org">App_rpt-users@ohnosec.org</a><br clear="none">
<a rel="nofollow" shape="rect" class="yiv4753716635moz-txt-link-freetext" target="_blank" href="http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users"></a><a rel="nofollow" shape="rect" class="yiv4753716635moz-txt-link-freetext" target="_blank" href="http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users">http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users</a><br clear="none">
<br clear="none">
To unsubscribe
from this list
please visit <a rel="nofollow" shape="rect" class="yiv4753716635moz-txt-link-freetext" target="_blank" href="http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users"></a><a rel="nofollow" shape="rect" class="yiv4753716635moz-txt-link-freetext" target="_blank" href="http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users">http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users</a>
and scroll
down to the
bottom of the
page. Enter
your email
address and
press the
"Unsubscribe
or edit
options
button"<br clear="none">
You do not
need a
password to
unsubscribe,
you can do it
via email
confirmation.
If you have
trouble
unsubscribing,
please send a
message to the
list detailing
the problem. </div>
<br clear="none">
<br clear="none">
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
<br clear="none">
<br clear="none">
</div>
</div>
</div>
</div>
</div>
</blockquote>
<br clear="none">
</div>
</div>
<br clear="none">
<br clear="none">
</div>
</div>
</div>
</div>
<br clear="none">
</blockquote>
</div>
<br clear="none">
<pre class="yiv4753716635moz-signature">--
"Anything is possible if you don't know what you are talking about."
1st Law of Logic</pre>
</div>
</div>
<br clear="none">
<br clear="none">
</div>
</div>
</div>
</div>
</blockquote></div>
<br clear="none">
<pre class="yiv4753716635moz-signature">--
"Anything is possible if you don't know what you are talking about."
1st Law of Logic</pre>
</div></div><br><br></div> </div> </div> </div></body></html>