<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
This discussion sounds like discussions 20 years ago regarding PL on
a repeater: it's too hard to solder in a PL board.<br>
<br>
Even the basic security books on Unix, long before Linux, discuss root
and security. Root should never be exposed to the outside world; you
also have to do as much to protect it from the inside, as many
exploits come from someone getting inside user credentials. <br>
<br>
Basic security says: <br>
1) don't expose anything you don't absolutely have to<br>
2) keep your software up to date, especially the system. <br>
3) anyone running a server should be trained.<br>
<br>
Fail2ban... "just means attack slowly"<br>
exposing 22 "says please try me"<br>
putting ssh on another port simply "says scan me"; scripts do this
all the time.<br>
it goes on and on... <br>
<br>
I personally use tunnels from my machine to my server, and tunnels
are restricted not only by certificates, they are also restricted to
the IP addresses they can come from. Ports open to critical
applications should be run at a minimum in a chroot environment. <br>
The basic Asterisk installation needs more work than just spinning
up the disk to get it securely installed. It is not possible to
log on to any one of my servers with a password. <br>
<br>
We even have developers who say if you are behind a firewall at
your house you should be secure... pure poppycock. <br>
<br>
So any system that intentionally exposes root, or where you can't easily
update the base system, is "broken by design", kinda like Windows
stuff (not just my opinion). <br>
<br>
The internet is not a friendly place; it was 30 years ago, but has
not been friendly for the last 25+ years. Anyone who just plugs
in to the internet with an unprotected server is adding to the
problem. Bad server security is worse than the worst repeater
kerchunker because the exploit is silent; you don't know it is
happening unless YOU know what you are doing, watching logs etc.
You are keeping spammers in business... <br>
<br>
Some think they are secure because the only thing their server runs
is Asterisk, till someone gets root, installs a mail server, and
spams the world for years... or they change ssh.conf and allow ssh
out (which is open by default and should be closed on
installation), so now they are using your server or small Raspberry
Pi to attack the rest of the internet using your IP address. It
happens all the time, guys. In fact one of the biggest security
exploits going today is getting someone to plug in a Pi of unknown
origin into someone's internal network; read "Penetration Testing
with Raspberry Pi" by Muniz &amp; Lakhani. Bad guys are sending out
Pis by the hundreds to large companies, hoping someone will plug one
into the local network to see what it is. It's then game over for
many small companies without knowledgeable sysadmins. <br>
<br>
If you don't want to learn basic security, it's your machine, it's
your problem. Basic security is not hard to learn, but doesn't come
from an installation disk any more than understanding ham radio
comes from memorizing the test. Don't ask developers to keep it
easy for you just because you don't want to learn basic security; if
developers do it for you, they are bad developers, shame on them.<br>
<br>
<br>
My $.02... with a constant internet connection since 1978.<br>
Fred<br>
<br>
<br>
<br>
<div class="moz-cite-prefix">On 10/5/15 10:36 PM, Stacy wrote:<br>
</div>
<blockquote cite="mid:561333B6.8000501@arrl.net" type="cite">
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
<div class="moz-cite-prefix">Same difference. :)<br>
<br>
<br>
On 10/05/2015 07:30 PM, Loren Tedford wrote:<br>
</div>
<blockquote
cite="mid:CAK=eTygi2uR8RarcFurDi1B0rJsofAf+zgYbMT-5_5TGesSBLg@mail.gmail.com"
type="cite">
<div dir="ltr">Personally I use Fail2ban
<div><br>
</div>
</div>
<div class="gmail_extra"><br clear="all">
<div>
<div class="gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div style="font-family:arial;font-size:small">Loren
Tedford (KC9ZHV) <br>
Email: <a moz-do-not-send="true"
href="mailto:lorentedford@gmail.com"
style="color:rgb(17,85,204)" target="_blank">lorentedford@gmail.com</a></div>
<div style="font-family:arial;font-size:small">Main
Line:1-631-686-8878 Option 1 for Loren.</div>
<div style="font-family:arial;font-size:small">Fax
Line 1:1-618-551-2755</div>
<div style="font-family:arial;font-size:small">Fax
Line 2:1-631-686-8892 (New Fax line)</div>
<div><font face="arial" size="2">Cell:
618-553-0806</font><br>
</div>
<div style="font-family:arial;font-size:small"><a
moz-do-not-send="true"
class="moz-txt-link-freetext"
href="http://www.lorentedford.com">http://www.lorentedford.com</a></div>
<div style="font-family:arial;font-size:small"><a
moz-do-not-send="true"
class="moz-txt-link-freetext"
href="http://www.kc9zhv.com">http://www.kc9zhv.com</a></div>
<div style="font-family:arial;font-size:small"><a
moz-do-not-send="true"
class="moz-txt-link-freetext"
href="http://hub.kc9zhv.com">http://hub.kc9zhv.com</a></div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
<div class="gmail_quote">On Mon, Oct 5, 2015 at 9:06 PM, Stacy
<span dir="ltr"><<a moz-do-not-send="true"
href="mailto:kg7qin@arrl.net" target="_blank">kg7qin@arrl.net</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>Certificates, two-factor authentication and
something like ssh-guard set to block on the first
three attempts with a really really long block
threshold. <br>
<span class="HOEnZb"><font color="#888888"> <br>
Stacy<br>
KG7QIN</font></span>
<div>
<div class="h5"><br>
<br>
On 10/05/2015 02:57 PM, Steven Donegan wrote:<br>
</div>
</div>
</div>
<div>
<div class="h5">
<blockquote type="cite">
<div
style="color:#000;background-color:#fff;font-family:HelveticaNeue-Light,Helvetica
Neue Light,Helvetica Neue,Helvetica,Arial,Lucida
Grande,sans-serif;font-size:16px">Using
certificates for ssh is yet another method :-) <br>
<div><span></span></div>
<div> </div>
<div>Steven Donegan<br>
KK6IVC General Class FCC License<br>
Silver State Car #86<br>
<a moz-do-not-send="true"
href="http://www.sscc.us" target="_blank">www.sscc.us</a></div>
<br>
<div
style="font-family:HelveticaNeue-Light,Helvetica
Neue Light,Helvetica
Neue,Helvetica,Arial,Lucida
Grande,sans-serif;font-size:16px">
<div
style="font-family:HelveticaNeue,Helvetica
Neue,Helvetica,Arial,Lucida
Grande,sans-serif;font-size:16px">
<div dir="ltr">
<hr size="1"> <font face="Arial" size="2">
<b><span style="font-weight:bold">From:</span></b>
Bryan D. Boyle <a
moz-do-not-send="true"
href="mailto:bdboyle@bdboyle.com"
target="_blank"><bdboyle@bdboyle.com></a><br>
<b><span style="font-weight:bold">To:</span></b>
Steven Donegan <a
moz-do-not-send="true"
href="mailto:donegan@donegan.org"
target="_blank"><donegan@donegan.org></a>
<br>
<b><span style="font-weight:bold">Cc:</span></b>
Steve Zingman <a moz-do-not-send="true"
href="mailto:szingman@msgstor.com"
target="_blank"><szingman@msgstor.com></a>;
<a moz-do-not-send="true"
href="mailto:app_rpt-users@ohnosec.org"
target="_blank">"app_rpt-users@ohnosec.org"</a>
<a moz-do-not-send="true"
href="mailto:app_rpt-users@ohnosec.org"
target="_blank"><app_rpt-users@ohnosec.org></a>
<br>
<b><span style="font-weight:bold">Sent:</span></b>
Monday, October 5, 2015 2:49 PM<br>
<b><span style="font-weight:bold">Subject:</span></b>
Re: [App_rpt-users] New Official Allstar
Distribution Released (DIAL)<br>
</font> </div>
<div><br>
<div>
<div>
<div>Using a jump box as you describe
is one way... not allowing SSH from
the outside adds a layer; setting up
a secure VDI capability to the
jumpbox over a VPN is yet a third
way... ;). </div>
<div><br clear="none">
</div>
<div>my rule: if it's exposed to the
net, it's potentially vulnerable.
Just turn on your SIP port and pop
some popcorn to see...;)<br
clear="none">
<br clear="none">
--
<div>Bryan</div>
<div>Sent from my iPhone 5.<span
style="font-size:13pt">..No
electrons were harmed in the
sending of this message.</span></div>
<div><br clear="none">
<div><br clear="none">
</div>
</div>
</div>
<div><br>
<br>
</div>
<div>
<div><br clear="none">
On Oct 5, 2015, at 17:39, Steven
Donegan <<a
moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:donegan@donegan.org">donegan@donegan.org</a>> wrote:<br
clear="none">
<br clear="none">
</div>
<blockquote type="cite">
<div>
<div
style="color:#000;background-color:#fff;font-family:HelveticaNeue-Light,Helvetica
Neue Light,Helvetica
Neue,Helvetica,Arial,Lucida
Grande,sans-serif;font-size:16px">
<div>Direct root login being
disallowed IF there were no
other way to get full root
privileges (not the case
here) was considered best
practice. However in almost
every case there is a user
(on Raspbian user pi) that
can simply login, sudo -s
and do whatever they want.
Yes it puts up a small
hurdle but I don't see it as
a serious one.</div>
<div><br clear="none">
</div>
<div>In short, there is almost
no setup that will allow you
to completely lock out root
with the exception of a few
well designed appliances.
And that means someone is
out there doing support to
get things resolved. This
system is not of that flavor
and root is necessary for
many things so frankly
adding a hurdle or two
really doesn't appreciably
make the system more secure.</div>
<div><br clear="none">
</div>
<div>Require a long pass
phrase (say 20 mixed
characters or so) and this
whole thing is moot...</div>
<div><br clear="none">
</div>
<div>And BTW - putting sshd on
port 222 (or anything except
22) is security by obscurity
- many tools can find
standard protocols on
non-standard ports :-) (I
know, I wrote one)<br
clear="none">
</div>
<div><br clear="none">
</div>
<div>The best bet is to not
allow ssh at all. If that is
not feasible then do the su
or sudo thing and/or set up
an intermediate system such
that you access a
non-privileged account on
system A, then ssh to system
B and system B will ONLY
accept ssh from system A.
Still can be beaten but it
is a bit harder...</div>
<div><br clear="none">
</div>
<div>And BTW - I have done
infosec for about 20 years
so I am allowed to have an
opinion on this topic :-)<br
clear="none">
</div>
<div><span></span></div>
<div> </div>
<div>Steven Donegan<br
clear="none">
KK6IVC General Class FCC
License<br clear="none">
Silver State Car #86<br
clear="none">
<a moz-do-not-send="true"
rel="nofollow"
shape="rect"
href="http://www.sscc.us/"
target="_blank">www.sscc.us</a></div>
<br clear="none">
<div
style="font-family:HelveticaNeue-Light,Helvetica
Neue Light,Helvetica
Neue,Helvetica,Arial,Lucida
Grande,sans-serif;font-size:16px">
<div
style="font-family:HelveticaNeue,Helvetica
Neue,Helvetica,Arial,Lucida
Grande,sans-serif;font-size:16px">
<div dir="ltr">
<hr size="1"> <font
face="Arial" size="2">
<b><span
style="font-weight:bold">From:</span></b>
Steve Zingman <<a
moz-do-not-send="true"
class="moz-txt-link-abbreviated" href="mailto:szingman@msgstor.com">szingman@msgstor.com</a>><br
clear="none">
<b><span
style="font-weight:bold">To:</span></b>
"<a
moz-do-not-send="true"
class="moz-txt-link-abbreviated" href="mailto:app_rpt-users@ohnosec.org">app_rpt-users@ohnosec.org</a>"
<<a
moz-do-not-send="true"
class="moz-txt-link-abbreviated" href="mailto:app_rpt-users@ohnosec.org">app_rpt-users@ohnosec.org</a>>
<br clear="none">
<b><span
style="font-weight:bold">Sent:</span></b>
Monday, October 5,
2015 2:24 PM<br
clear="none">
<b><span
style="font-weight:bold">Subject:</span></b>
[App_rpt-users] New
Official Allstar
Distribution Released
(DIAL)<br clear="none">
</font> </div>
<div><br clear="none">
<div>
<div> </div>
<div>
<pre style="white-space:pre-wrap;color:rgb(0,0,0);font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-indent:0px;text-transform:none;word-spacing:0px">Dave,
Let's say I agree with you. And I well may.
On most internet exposed machines, I don't even allow ssh unless I trust your address or require a VPN.
I agree it is common practice to not allow it.
Now the question is why?
As John McLaughlin would say, DISCUSS!
On 10/05/2015 08:40 AM, Steve Zingman wrote:
><i> root login via SSH is now allowed
</i>
> This is a bad idea. Root should *never* be allowed to login to a system
> remotely. It's better to log in as a normal user and then become root
> via su, sudo, etc.
> - Dave
</pre>
<br clear="none">
<pre>--
"Anything is possible if you don't know what you are talking about."
1st Law of Logic</pre>
<div><br
clear="none">
<br clear="none">
</div>
<div> </div>
</div>
</div>
<br clear="none">
<div>_______________________________________________<br
clear="none">
App_rpt-users mailing
list<br clear="none">
<a
moz-do-not-send="true"
class="moz-txt-link-abbreviated" href="mailto:App_rpt-users@ohnosec.org">App_rpt-users@ohnosec.org</a><br
clear="none">
<a
moz-do-not-send="true"
class="moz-txt-link-freetext"
href="http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users">http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users</a><br
clear="none">
<br clear="none">
To unsubscribe from
this list please visit
<a
moz-do-not-send="true"
class="moz-txt-link-freetext"
href="http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users">http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users</a>
and scroll down to the
bottom of the page.
Enter your email
address and press the
"Unsubscribe or edit
options button"<br
clear="none">
You do not need a
password to
unsubscribe, you can
do it via email
confirmation. If you
have trouble
unsubscribing, please
send a message to the
list detailing the
problem. </div>
<br clear="none">
<br clear="none">
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
<br>
<br>
</div>
</div>
</div>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
<br>
-- <br>
This message has been scanned for viruses and
<br>
dangerous content by
<a moz-do-not-send="true" href="http://www.mailscanner.info/"><b>MailScanner</b></a>,
and is
<br>
believed to be clean.
<br>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Fred Moore
email: <a class="moz-txt-link-abbreviated" href="mailto:fred@fmeco.com">fred@fmeco.com</a>
<a class="moz-txt-link-abbreviated" href="mailto:fred@safes.com">fred@safes.com</a>
phone: 321-217-8699
</pre>
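<p>The thread above argues about a handful of sshd settings: Dave's objection to "root login via SSH is now allowed", Steven's point that a password-only login plus sudo is a small hurdle and that a non-standard port is only obscurity, and Fred's setup of key-only logins restricted to known source addresses. The script below is an added example written for this page, not code from any participant or from the DIAL/Allstar distribution. It audits an sshd_config for exactly those points and reports each weak setting it finds. The two sample configs it reads are constructed for the demonstration; the defaults it assumes when a keyword is absent (PermitRootLogin prohibit-password, PasswordAuthentication yes, Port 22) are OpenSSH's documented defaults. Like sshd, it honours the first occurrence of a keyword and reads only the global section before the first Match block; Match blocks are consulted only to see whether a source-address restriction exists. It cannot see a firewall, so a clean result here does not prove the source restriction Fred puts in front of his tunnels is in place.</p>

```shell
#!/bin/sh
# Added example for this thread (not from the original post or the DIAL
# distribution): audit an sshd_config for the settings argued about above.
# POSIX sh + awk only, so it runs on a Raspberry Pi as well as a server.

# Constructed sample: the "root login via SSH is now allowed" style of config.
# The Match block at the end does NOT rescue it: the global PermitRootLogin
# still applies to everyone who is not user "backup".
WEAK=$(mktemp); HARD=$(mktemp); DEFAULTS=$(mktemp)
trap 'rm -f "$WEAK" "$HARD" "$DEFAULTS"' EXIT
cat > "$WEAK" <<'EOF'
# constructed weak sample, not from any real distribution
Port 222
PasswordAuthentication yes
PermitRootLogin yes
Match User backup
    PermitRootLogin no
EOF

# Constructed hardened counterpart: keys only, no root, and logins accepted
# only for one account coming from one jump host (192.0.2.10 is a
# documentation address standing in for "system A" in Steven's description).
cat > "$HARD" <<'EOF'
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers opsadmin@192.0.2.10
EOF

# Empty file: everything falls back to OpenSSH defaults.
: > "$DEFAULTS"

# effective_value FILE KEYWORD
# Prints the value of KEYWORD from the global section (before the first
# Match block), case-insensitively, ignoring comment lines. sshd uses the
# first occurrence of a keyword, so later duplicates are ignored here too.
# Prints nothing if the keyword is not set.
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ { next }                       # comment line
        { sub(/=/, " ") }                         # accept "Key=Value" spelling too
        NF == 0 { next }                          # blank line
        tolower($1) == "match" { exit }           # global section ends here
        tolower($1) == key { print $2; exit }     # first occurrence wins
    ' "$1"
}

# has_source_restriction FILE
# Succeeds if the config limits where logins may come from, either with an
# AllowUsers user@host pattern or with a Match Address block.
has_source_restriction() {
    awk '
        /^[ \t]*#/ { next }
        tolower($1) == "match"      { for (i = 2; i <= NF; i++) if (tolower($i) == "address") found = 1 }
        tolower($1) == "allowusers" { for (i = 2; i <= NF; i++) if ($i ~ /@/) found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# audit_sshd_config FILE
# Prints one line per weak setting found; prints nothing for a clean config.
# Assumed defaults (OpenSSH): PermitRootLogin prohibit-password,
# PasswordAuthentication yes, Port 22.
audit_sshd_config() {
    f=$1
    v=$(effective_value "$f" PermitRootLogin | tr 'A-Z' 'a-z')
    [ "$v" = yes ] && echo "PermitRootLogin yes: root can log in directly over the network"
    v=$(effective_value "$f" PasswordAuthentication | tr 'A-Z' 'a-z')
    [ "${v:-yes}" = yes ] && echo "PasswordAuthentication yes (set or default): password guessing is possible"
    v=$(effective_value "$f" Port)
    [ -n "$v" ] && [ "$v" != 22 ] && echo "Port $v: a non-standard port is obscurity, not a control"
    has_source_restriction "$f" || echo "no AllowUsers user@host or Match Address: any source IP may try"
    return 0
}

# weak_setting_count FILE  -> number of findings, as a bare integer
weak_setting_count() {
    audit_sshd_config "$1" | wc -l | tr -d ' '
}

# Run the audit over the three constructed samples when executed directly.
for f in "$WEAK" "$HARD" "$DEFAULTS"; do
    echo "== $f: $(weak_setting_count "$f") finding(s)"
    audit_sshd_config "$f"
done
```

<p>Run it against a live box with <code>audit_sshd_config /etc/ssh/sshd_config</code> after sourcing the functions. The weak sample produces four findings, the hardened one none, and the empty file two (password authentication is on by default, and nothing restricts the source address), which is the point Steven makes about a stock install: leaving the defaults alone is a choice, not a hardening step.</p>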
</body>
</html>