New Official Allstar Distribution Released

meh, it’s more of a local policy thing. I’d prefer it’s not enabled
by default, but there are some reasons I could see for enabling it.


On 10/5/15 4:56 PM, David Andrzejewski wrote:

This is a bad idea. Root should *never* be allowed to login to a system remotely. It's better to log in as a normal user and then become root via su, sudo, etc.

-- Bryan Fields
727-409-1194 - Voice
727-214-2508 - Fax

http://bryanfields.net

If I can throw in my $0.02 from someone who has worked at a service provider doing managed services (routers and firewalls): you want to heed NerdUno's (Ward Mundy's) words to never expose Asterisk to the internet, and especially since this is old Asterisk. You want some sort of firewall appliance in front of it.

I personally prefer VPN tunnels coming back in, but you can get crafty and do port forwards with unknown ports to like 22 and 80, but there's always that risk of someone catching on. Tunnels are the safest way to get back inside. You only want to expose the ports specifically necessary to do the job.

73 leon wa4zlw
On 10/5/2015 6:17 PM, Bryan Fields wrote:

meh, it's more of a local policy thing. I'd prefer it's not enabled by default, but there are some reasons I could see for enabling it.

Yep - disallowing keyboard-interactive and accepting only certificates. I turn off PermitRootLogin and only allow certificates. Barring some kind of exploit in sshd, that ought to be secure enough.

Steven Donegan wrote:

Using certificates for ssh is yet another method :)

BTW - I have a script to make a *NIX box a CA and generate certificates - that could easily be added to the DIAL/Pi/etc releases - let me see if I can scrounge it up :) Assuming anyone would want that ability and Steve is OK with it :)

Steven Donegan
KK6IVC General Class FCC License
Silver State Car #86


From: David Andrzejewski david@davidandrzejewski.com
To: Steven Donegan donegan@donegan.org
Cc: Bryan D. Boyle bdboyle@bdboyle.com; app_rpt-users@ohnosec.org
Sent: Monday, October 5, 2015 3:50 PM
Subject: Re: [App_rpt-users] New Official Allstar Distribution Released (DIAL)

Yep - disallowing keyboard-interactive and accepting only certificates. I turn off PermitRootLogin and only allow certificates. Barring some kind of exploit in sshd, that ought to be secure enough.

Steven Donegan wrote:

Using certificates for ssh is yet another method :)

Steven Donegan
KK6IVC General Class FCC License
Silver State Car #86
www.sscc.us


From: Bryan D. Boyle bdboyle@bdboyle.com
To: Steven Donegan donegan@donegan.org
Cc: Steve Zingman szingman@msgstor.com; app_rpt-users@ohnosec.org
Sent: Monday, October 5, 2015 2:49 PM
Subject: Re: [App_rpt-users] New Official Allstar Distribution Released (DIAL)

Using a jump box as you describe is one way…not allowing SSH from the outside adds a layer; setting up a secure VDI capability to the jumpbox over a vpn is yet a third way…;).

my rule: if it's exposed to the net, it's potentially vulnerable. Just turn on your SIP port and pop some popcorn to see…;)


Bryan

Sent from my iPhone 5…No electrons were harmed in the sending of this message.

On Oct 5, 2015, at 17:39, Steven Donegan donegan@donegan.org wrote:

Direct root login being disallowed IF there were no other way to get full root privileges (not the case here) was considered best practice. However in almost every case there is a user (on Raspbian user pi) that can simply login, sudo -s and do whatever they want. Yes it puts up a small hurdle but I don’t see it as a serious one.

In short, there is almost no setup that will allow you to completely lock out root with the exception of a few well designed appliances. And that means someone is out there doing support to get things resolved. This system is not of that flavor and root is necessary for many things so frankly adding a hurdle or two really doesn't appreciably make the system more secure.

Require a long pass phrase (say 20 mixed characters or so) and this whole thing is moot…

And BTW - putting sshd on port 222 (or anything except 22) is security by obscurity - many tools can find standard protocols on non-standard ports :) (I know, I wrote one)

The best bet is to not allow ssh at all. If that is not feasible then do the su or sudo thing and/or set up an intermediate system such that you access a non-privileged account on system A, then ssh to system B and system B will ONLY accept ssh from system A. Still can be beaten but it is a bit harder…

And BTW - I have done infosec for about 20 years so I am allowed to have an opinion on this topic :)

Steven Donegan
KK6IVC General Class FCC License
Silver State Car #86
www.sscc.us


From: Steve Zingman szingman@msgstor.com
To: app_rpt-users@ohnosec.org
Sent: Monday, October 5, 2015 2:24 PM
Subject: [App_rpt-users] New Official Allstar Distribution Released (DIAL)

Dave,
Let's say I agree with you. And I well may.
On most internet exposed machines, I don't even allow ssh unless I trust your address or require a VPN. I agree it is common practice to not allow it.
Now the question is why?
As John McLaughlin would say, DISCUSS!
On 10/05/2015 08:40 AM, Steve Zingman wrote:
> *root login via SSH is now allowed*
> This is a bad idea. Root should *never* be allowed to login to a system
> remotely. It's better to log in as a normal user and then become root
> via su, sudo, etc.
> - Dave
-- "Anything is possible if you don't know what you are talking about."
1st Law of Logic

App_rpt-users mailing list
App_rpt-users@ohnosec.org
http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users

To unsubscribe from this list please visit http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users
and scroll down to the bottom of the page. Enter your email address
and press the “Unsubscribe or edit options button”
You do not need a password to unsubscribe, you can do it via email confirmation. If you have trouble unsubscribing, please send a message to the list detailing the problem.


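A shell example, added here and not code from the thread or from the DIAL project, of the sshd_config changes that David's message above and Steven's quoted post describe: keys only (PermitRootLogin off, no password or keyboard-interactive authentication) plus Steven's "system B will ONLY accept ssh from system A" restriction. It works on a copy of the file and reads back the effective values, because sshd takes the first occurrence of a keyword; an appended `PermitRootLogin no` below an existing `PermitRootLogin yes` changes nothing, which is the usual reason a hand edit "does not take". The jump-host address 192.0.2.10 and the sample config are constructed.

```shell
#!/bin/sh
# Added example, not from the thread and not the DIAL project's script.
# Applies the settings discussed above to a COPY of sshd_config and reads
# back what sshd would actually use. On a real host:
#   harden_sshd_config /etc/ssh/sshd_config /tmp/sshd_config.new 192.0.2.10
#   sshd -t -f /tmp/sshd_config.new      # syntax check before installing
# The jump-host address 192.0.2.10 and the sample config are constructed.

# effective_setting FILE KEYWORD
# Prints the value sshd uses for KEYWORD in the global section. In
# sshd_config the FIRST occurrence of a keyword wins, so a later duplicate
# is ignored; lines after the first "Match" are conditional and are not
# considered here.
effective_setting() {
    awk -v key="$2" '
        /^[ \t]*#/ || NF == 0       { next }   # comments and blank lines
        tolower($1) == "match"      { exit }   # start of conditional blocks
        tolower($1) == tolower(key) { print $2; exit }   # first match wins
    ' "$1"
}

# harden_sshd_config IN OUT [JUMPHOST]
# Writes a hardened copy of IN to OUT. The new directives go on TOP so they
# take precedence over whatever IN contains. With JUMPHOST set, logins are
# additionally limited to connections from that address (system B only
# accepting ssh from system A).
harden_sshd_config() {
    in=$1; out=$2; jump=$3
    {
        printf '# hardening directives (first occurrence wins: keep these first)\n'
        printf 'PermitRootLogin no\n'                 # stricter than the modern default "prohibit-password"
        printf 'PasswordAuthentication no\n'
        printf 'KbdInteractiveAuthentication no\n'    # no keyboard-interactive (PAM) prompts
        printf 'ChallengeResponseAuthentication no\n' # older spelling of the same switch
        printf 'PubkeyAuthentication yes\n'
        [ -n "$jump" ] && printf 'AllowUsers *@%s\n' "$jump"   # any account, but only from the jump host
        printf '# original configuration follows\n'
        cat "$in"
    } > "$out"
}

# Demo on a constructed sample: root login and passwords enabled, a
# commented-out directive (must be ignored) and a Match block at the end.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/before" <<'EOF'
Port 22
PermitRootLogin yes
#PasswordAuthentication no
PasswordAuthentication yes
Match User pi
    PermitRootLogin no
EOF
    harden_sshd_config "$tmp/before" "$tmp/after" 192.0.2.10
    for key in PermitRootLogin PasswordAuthentication KbdInteractiveAuthentication AllowUsers; do
        printf '%-28s before=[%s] after=[%s]\n' "$key" \
            "$(effective_setting "$tmp/before" "$key")" \
            "$(effective_setting "$tmp/after" "$key")"
    done
    rm -rf "$tmp"
}
demo
```

After installing the new file, `sshd -T` prints the effective configuration the daemon really loaded, which is the authoritative check; the awk reader above is only a quick offline approximation that ignores Match blocks.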

Sure,

I think a hardening script might be in order (and optional).

On 10/05/2015 06:55 PM, Steven Donegan wrote:

BTW - I have a script to make a *NIX box a CA and generate certificates - that could easily be added to the DIAL/Pi/etc releases - let me see if I can scrounge it up :) Assuming anyone would want that ability and Steve is OK with it :)

Let's remember the root access is only enabled by default, and when you have your node configured then disable root access. Other roip/voip systems recommend this.

I agree it's a good idea to not expose the servers to the throbbing viruses waiting to attack us outside our routers.

But let's not make it so locked down that us non-linux gurus can't get in.

And if you do, please make a howto for us lesser types so we can continue to enjoy our Allstar nodes!

Thanks for the efforts!

Jon VA3RQ

On 10/05/2015 06:55 PM, Steven Donegan wrote:

BTW - I have a script to make a *NIX box a CA and generate certificates - that could easily be added to the DIAL/Pi/etc releases - let me see if I can scrounge it up :) Assuming anyone would want that ability and Steve is OK with it :)

Let me spin up one of the DIAL setups - may take me a day - then see what is enabled by default and hardening will be 'easy' (no processes/ports active not absolutely required). Adding the CA stuff will be easy as well if desired. Whatever the overall direction is I can do security stuff :)

Steven Donegan
KK6IVC General Class FCC License
Silver State Car #86


From: Steve Zingman szingman@msgstor.com
To: Steven Donegan donegan@donegan.org; David Andrzejewski david@davidandrzejewski.com
Cc: app_rpt-users@ohnosec.org
Sent: Monday, October 5, 2015 4:04 PM
Subject: Re: [App_rpt-users] New Official Allstar Distribution Released (DIAL)

Sure,

I think a hardening script might be in order (and optional).

  On 10/05/2015 06:55 PM, Steven Donegan wrote:
    BTW - I have a script to make a *NIX

box a CA and generate certificates - that could easily be added
to the DIAL/Pi/etc releases - let me see if I can scrounge it up
:slight_smile: Assuming anyone would want that ability and Steve is OK with
it :slight_smile:

      Steven

Donegan

      KK6IVC General Class FCC License

      Silver State Car #86

      [www.sscc.us](http://www.sscc.us/)

From:
David Andrzejewski david@davidandrzejewski.com
To:
Steven Donegan donegan@donegan.org
Cc: Bryan
D. Boyle bdboyle@bdboyle.com ;
app_rpt-users@ohnosec.org
app_rpt-users@ohnosec.org
Sent:
Monday, October 5, 2015 3:50 PM
Subject: Re:
[App_rpt-users] New Official Allstar Distribution
Released (DIAL)

              Yep -

disallowing keyboard-interactive and accepting only
certificates. I turn off PermitRootLogin and only
allow certificates. Barring some kind of exploit in
sshd, that ought to be secure enough.

              Steven Donegan wrote:
                    Using certificates

for ssh is yet another method :slight_smile:

                      Steven

Donegan

                      KK6IVC General Class FCC License

                      Silver State Car #86

                      [www.sscc.us](http://www.sscc.us/)

                            **From:**
                            Bryan D. Boyle <bdboyle@bdboyle.com>
                            **To:**
                            Steven Donegan <donegan@donegan.org>

                            **Cc:**
                            Steve Zingman <szingman@msgstor.com>                                ;

app_rpt-users@ohnosec.org
app_rpt-users@ohnosec.org

                            **Sent:**
                            Monday, October 5, 2015 2:49 PM
                            **Subject:**
                            Re: [App_rpt-users] New Official Allstar

Distribution Released (DIAL)

                                Using

a jump box as you describe is one
way…not allowing SSH from the
outside adds a layer; setting up a
secue VDI capability to the jumpbox
over a vpn is yet a third way…;).

                                my

rule: if it’s exposed to the net,
it’s potentially vulnerable. Just
turn on your SIP port and pop some
popcorn to see…:wink:

                                --

Bryan

Sent from my iPhone 5. …No
electrons were harmed in the
sending of this message.

                                  On Oct 5, 2015, at 17:39, Steven > > Donegan <donegan@donegan.org                                      > > > wrote:
                                        Direct

root login being disallowed
IF there were no other way
to get full root privileges
(not the case here) was
considered best practice.
However in almost every case
there is a user (on Raspbian
user pi) that can simply
login, sudo -s and do
whatever they want. Yes it
puts up a small hurdle but I
don’t see it as a serious
one.

                                        In

short, there is almost no
setup that will allow you to
completely lock out root
with the exception of a few
well designed appliances.
And that means someone is
out there doing support to
get things resolved. This
system is not of that flavor
and root is necessary for
many things so frankly
adding a hurdle or two
really doesn’t appreciably
make the system more secure.

                                        Require

a long pass phrase (say 20
mixed characters or so) and
this whole thing is moot…

                                        And

BTW - putting sshd on port
222 (or anything except 22)
is security by obscurity -
many tools can find standard
protocols on non-standard
ports :slight_smile: (I know, I wrote
one)

                                        The

best bet is to not allow ssh
at all. If that is not
feasible then do the su or
sudo thing and/or set up an
intermediate system such
that you access a
non-privileged account on
system A, then ssh to system
B and system B will ONLY
accept ssh from system A.
Still can be beaten but it
is a bit harder…

                                        And

BTW - I have done infosec
for about 20 years so I am
allowed to have an opinion
on this topic :slight_smile:

Steven Donegan

                                        KK6IVC General Class FCC

License

                                        Silver State Car #86

                                        [www.sscc.us](http://www.sscc.us/)

                                              **From:**
                                              Steve Zingman <szingman@msgstor.com>
                                              **To:**
                                              "app_rpt-users@ohnosec.org                                                  "

<app_rpt-users@ohnosec.org
>
Sent:
Monday, October 5,
2015 2:24 PM
Subject:
[App_rpt-users] New
Official Allstar
Distribution Released
(DIAL)

Dave,
Let's say I agree with you. And I well may.
On most internet exposed machines, I don't even allow ssh unless I trust your address or require a VPN. I agree is common practice to not allow it.
Now the question is why?
As John McLaughlin would say, DISCUSS!
On 10/05/2015 08:40 AM, Steve Zingman wrote:
> *root login via SSH is now allowed*
> This is a bad idea. Root should *never* be allowed to login to a system > remotely. It's better to log in as a normal user and then become root > via su, sudo, etc.
> - Dave
-- "Anything is possible if you don't know what you are talking about."
1st Law of Logic

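The root-login argument quoted above (and David's later note in this thread about turning off PermitRootLogin and keyboard-interactive auth) comes down to a handful of sshd_config lines. The script below is an added example written for this page, not code from the list, from DIAL or from any poster: it audits a config fragment for those lines and prints the hardened set. The function names (ssh_setting, sshd_audit, sshd_hardened), the sample configs and the rule that an unset keyword counts as weak are this example's own choices; the keyword semantics it relies on (case-insensitive keywords, first occurrence wins, a Match header ends the global section) are OpenSSH's.

```shell
#!/bin/sh
# Added example for this thread's sshd discussion; not code from the list,
# from DIAL or from any poster. Audits an sshd_config fragment held in a shell
# variable and prints the hardened lines. Assumed OpenSSH semantics: keywords
# are case-insensitive, the first occurrence of a keyword wins, and lines after
# a "Match" header are conditional, so the scan stops there.

# ssh_setting CONFIG KEYWORDS : print the lower-cased value of the first line
# whose keyword matches the |-separated KEYWORDS list, or "unset".
ssh_setting() {
    printf '%s\n' "$1" | awk -v kw="$2" '
        { sub(/#.*/, "") }                         # drop comments
        NF == 0 { next }
        tolower($1) == "match" { exit }            # global section ends here
        tolower($1) ~ ("^(" kw ")$") { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }'
}

# sshd_audit CONFIG : one verdict line per setting; returns 1 if any is weak.
# "unset" counts as weak on purpose: the compiled-in default has changed
# between OpenSSH releases, so a hardened file states every value explicitly.
sshd_audit() {
    cfg=$1; bad=0
    root=$(ssh_setting "$cfg" permitrootlogin)
    pw=$(ssh_setting "$cfg" passwordauthentication)
    kbd=$(ssh_setting "$cfg" 'challengeresponseauthentication|kbdinteractiveauthentication')
    pub=$(ssh_setting "$cfg" pubkeyauthentication)
    case $root in
        no)  echo "ok    PermitRootLogin=no" ;;
        prohibit-password|without-password)
             echo "warn  PermitRootLogin=$root (root still reachable with a key)" ;;
        *)   echo "WEAK  PermitRootLogin=$root (remote root login with a password)"; bad=1 ;;
    esac
    case $pw in
        no)  echo "ok    PasswordAuthentication=no" ;;
        *)   echo "WEAK  PasswordAuthentication=$pw (password guessing stays possible)"; bad=1 ;;
    esac
    case $kbd in
        no)  echo "ok    keyboard-interactive=no" ;;
        *)   echo "WEAK  keyboard-interactive=$kbd (PAM can still prompt for a password)"; bad=1 ;;
    esac
    case $pub in
        yes|unset) echo "ok    PubkeyAuthentication=$pub (default is yes)" ;;
        *)   echo "WEAK  PubkeyAuthentication=$pub (key-only login needs this on)"; bad=1 ;;
    esac
    return $bad
}

# sshd_hardened : the lines that make sshd_audit pass. Newer OpenSSH spells the
# third one KbdInteractiveAuthentication; the audit accepts either spelling.
sshd_hardened() {
    cat <<'EOF'
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
EOF
}

# Constructed samples, not DIAL's shipped file: a permissive config on the
# port mentioned in the thread, and the hardened set plus a Match block that
# must not leak into the global verdict.
WEAK_CFG='Port 222
#PermitRootLogin no        <- commented out, so sshd ignores it
PermitRootLogin yes
PasswordAuthentication yes'
HARDENED_CFG="$(sshd_hardened)
Match Address 127.0.0.1
    PasswordAuthentication yes
    X11Forwarding yes"

echo "== weak sample ==";     sshd_audit "$WEAK_CFG"     || echo "verdict: needs hardening"
echo "== hardened sample =="; sshd_audit "$HARDENED_CFG" && echo "verdict: clean"
```

To audit a live host, pass the file contents: `sshd_audit "$(cat /etc/ssh/sshd_config)"`. Before switching a node to key-only login, put the admin user's public key in that user's ~/.ssh/authorized_keys, restart sshd and open a second session to confirm it works; a key-only config with no key installed locks out the administrator just as thoroughly as it locks out a password guesser.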

As of right now it's listening to 222 and 5038 on 127.0.0.1 TCP and 4569 on UDP.

That's all.
···

On 10/05/2015 07:15 PM, Steven Donegan wrote:

Let me spin up one of the DIAL setups - may take me a day - then see what is enabled by default and hardening will be ‘easy’ (no processes/ports active not absolutely required). Adding the CA stuff will be easy as well if desired. Whatever the overall direction is I can do security stuff :slight_smile:

Steven Donegan
KK6IVC General Class FCC License
Silver State Car #86

From: Steve Zingman
To: Steven Donegan; David Andrzejewski
Sent: Monday, October 5, 2015 4:04 PM
Subject: Re: [App_rpt-users] New Official Allstar Distribution Released (DIAL)

Sure,

I think a hardening script might be in order (and optional).

On 10/05/2015 06:55 PM, Steven Donegan wrote:

BTW - I have a script to make a *NIX box a CA and generate certificates - that could easily be added to the DIAL/Pi/etc releases - let me see if I can scrounge it up :slight_smile: Assuming anyone would want that ability and Steve is OK with it :slight_smile:

Steven Donegan
KK6IVC General Class FCC License
Silver State Car #86
[www.sscc.us](http://www.sscc.us/)

From: David Andrzejewski
To: Steven Donegan
Cc: Bryan D. Boyle; app_rpt-users@ohnosec.org
Sent: Monday, October 5, 2015 3:50 PM
Subject: Re: [App_rpt-users] New Official Allstar Distribution Released (DIAL)

Yep - disallowing keyboard-interactive and accepting only certificates. I turn off PermitRootLogin and only allow certificates. Barring some kind of exploit in sshd, that ought to be secure enough.

Steven Donegan wrote:

Using certificates for ssh is yet another method :slight_smile:

Steven Donegan
KK6IVC General Class FCC License
Silver State Car #86
[www.sscc.us](http://www.sscc.us/)

From: Bryan D. Boyle
To: Steven Donegan
Cc: Steve Zingman; app_rpt-users@ohnosec.org
Sent: Monday, October 5, 2015 2:49 PM
Subject: Re: [App_rpt-users] New Official Allstar Distribution Released (DIAL)

Using a jump box as you describe is one way…not allowing SSH from the outside adds a layer; setting up a secure VDI capability to the jumpbox over a vpn is yet a third way…;).

my rule: if it’s exposed to the net, it’s potentially vulnerable. Just turn on your SIP port and pop some popcorn to see…:wink:

--
Bryan

Sent from my iPhone 5. …No electrons were harmed in the sending of this message.

On Oct 5, 2015, at 17:39, Steven Donegan wrote:

Direct root login being disallowed IF there were no other way to get full root privileges (not the case here) was considered best practice. However in almost every case there is a user (on Raspbian user pi) that can simply login, sudo -s and do whatever they want. Yes it puts up a small hurdle but I don’t see it as a serious one.

In short, there is almost no setup that will allow you to completely lock out root with the exception of a few well designed appliances. And that means someone is out there doing support to get things resolved. This system is not of that flavor and root is necessary for many things so frankly adding a hurdle or two really doesn’t appreciably make the system more secure.

Require a long pass phrase (say 20 mixed characters or so) and this whole thing is moot…

And BTW - putting sshd on port 222 (or anything except 22) is security by obscurity - many tools can find standard protocols on non-standard ports :slight_smile: (I know, I wrote one)

The best bet is to not allow ssh at all. If that is not feasible then do the su or sudo thing and/or set up an intermediate system such that you access a non-privileged account on system A, then ssh to system B and system B will ONLY accept ssh from system A. Still can be beaten but it is a bit harder…

And BTW - I have done infosec for about 20 years so I am allowed to have an opinion on this topic :slight_smile:

Steven Donegan
KK6IVC General Class FCC License
Silver State Car #86
[www.sscc.us](http://www.sscc.us/)

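Steve's note above about what the node listens on, and Steven's plan to see what is enabled by default before hardening, amount to one check: which sockets are reachable from off the box. The script below is an added example, not from the thread or from DIAL: it reads `ss -lntu` style lines (the sample is constructed, not captured from a node), lists the listeners bound to something other than a loopback address, and compares them with an allow list. The names exposed_sockets, check_exposure and SAMPLE_SS, the sample ports and the assumed ss column layout are this example's own.

```shell
#!/bin/sh
# Added example for the "what is listening" exchange above; not code from the
# list, from DIAL or from any poster. Reads `ss -lntu` style lines (header
# already dropped) and flags sockets that other hosts can reach, then compares
# them with an allow list. Column layout assumed: Netid State Recv-Q Send-Q
# Local-Address:Port Peer-Address:Port.

# exposed_sockets : stdin = ss lines; prints "proto/port address" for every
# listening TCP or bound UDP socket not confined to a loopback address.
exposed_sockets() {
    awk '$2 == "LISTEN" || $2 == "UNCONN" {
            n = split($5, a, ":"); port = a[n]            # port follows the last colon
            addr = substr($5, 1, length($5) - length(port) - 1)
            if (addr ~ /^127\./ || addr == "[::1]") next   # loopback only: fine
            print $1 "/" port " " addr
        }'
}

# check_exposure ALLOWED : stdin = ss lines; ALLOWED is a space separated list
# such as "tcp/222 udp/4569". Prints a verdict per exposed socket and returns 1
# when anything outside the list is reachable from the network.
check_exposure() {
    allowed=" $1 "; found=0
    for entry in $(exposed_sockets | cut -d' ' -f1 | sort -u); do
        case $allowed in
            *" $entry "*) echo "expected   $entry" ;;
            *) echo "UNEXPECTED $entry (stop it, or bind it to 127.0.0.1)"; found=1 ;;
        esac
    done
    return $found
}

# Constructed sample in ss -lntu layout, not a capture from a real node: AMI on
# loopback, sshd on 222 on all addresses, IAX on 4569, and a SIP socket that
# nobody asked for.
SAMPLE_SS='tcp   LISTEN 0      128          127.0.0.1:5038       0.0.0.0:*
tcp   LISTEN 0      128            0.0.0.0:222        0.0.0.0:*
tcp   LISTEN 0      128               [::]:222           [::]:*
udp   UNCONN 0      0              0.0.0.0:4569       0.0.0.0:*
udp   UNCONN 0      0              0.0.0.0:5060       0.0.0.0:*'

# On a live Debian box: ss -lntu | tail -n +2 | check_exposure "tcp/222 udp/4569"
printf '%s\n' "$SAMPLE_SS" | check_exposure "tcp/222 udp/4569" \
    || echo "verdict: unexpected listener present"
```

The allow list is the whole point: it is the written-down statement of what the node is supposed to expose, so a new daemon that starts listening after an update shows up as UNEXPECTED instead of quietly joining the attack surface. Sockets on 127.0.0.1 (5038 in the sample) are deliberately not reported, matching the thread's position that AMI stays local.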


Leon,

I've heard this before about old Asterisk. Any notes you can point to detailing security issues in 1.4?

73, Steve N4IRS
···

On 10/05/2015 06:43 PM, Leon Zetekoff wrote:

If I can throw in my $0.02 from someone who has worked at a service provider doing managed services (routers and firewalls) you want to heed NerdUno (Ward Mundy’s) words to never expose Asterisk to the internet, and especially since this is old Asterisk. You want some sort of firewall appliance in front of it.

I personally prefer VPN tunnels coming back in but you can get crafty and do port forwards with unknown ports to like 22 and 80 but there’s always that risk of someone catching on. Tunnels are the safest way to get back inside. You only want to expose the ports specifically necessary to do the job.

73 leon wa4zlw

-- "Anything is possible if you don't know what you are talking about."
1st Law of Logic
On 10/5/2015 6:17 PM, Bryan Fields wrote:

meh, it's more of a local policy thing. I'd prefer it's not enabled by default, but there are some reasons I could see for enabling it.

On 10/5/15 4:56 PM, David Andrzejewski wrote:

> This is a bad idea. Root should *never* be allowed to login to a system remotely. It's better to log in as a normal user and then become root via su, sudo, etc.

-- Bryan Fields
727-409-1194 - Voice
727-214-2508 - Fax

http://bryanfields.net



5038 is asterisk management port - I would suggest for hardening that 222 (whatever port is selected for ssh) and 4569 be firewalled tightly and 5038 kept totally local. But this is all food for further discussion :slight_smile:

Not having a currently running Debian system handy - does it use iptables or firewalld? I have set up both in a scripted fashion before.

Steven Donegan
KK6IVC General Class FCC License
Silver State Car #86

···

From: Steve Zingman szingman@msgstor.com
To: Steven Donegan donegan@donegan.org
Cc: app_rpt-users@ohnosec.org
Sent: Monday, October 5, 2015 4:38 PM
Subject: Node security

As of right now it's listening to 222 and 5038 on 127.0.0.1 TCP and 4569 on UDP.

That's all.


5038 is used by Allmon to display an HTML-based management console. It’s not bad and can be installed locally. Since it’s only listening to local host by default I’m OK with it. If you are going to firewall IAX (4569) you are going to need to read the allstar node list to create allow rules.

Debian uses iptables. I use Shorewall as a front end to make it more user friendly.

···

On 10/05/2015 07:43 PM, Steven Donegan wrote:

5038 is asterisk management port - I would suggest for hardening that 222 (whatever port is selected for ssh) and 4569 be firewalled tightly and 5038 kept totally local. But this is all food for further discussion :slight_smile:

Not having a currently running Debian system handy - does it use iptables or firewalld? I have set up both in a scripted fashion before.

Steven Donegan
KK6IVC General Class FCC License
Silver State Car #86

From:
Steve Zingman Steven Donegan Monday, October 5, 2015 4:38 PM
Node security

              As of right now it's listening to 222 and 5038 on

127.0.0.1 TCP

              and 4569 on UDP.



              That's all.
                  On

10/05/2015 07:15 PM, Steven Donegan wrote:

                      Let

me spin up one of the DIAL setups - may take
me a day - then see what is enabled by default
and hardening will be ‘easy’ (no
processes/ports active not absolutely
required). Adding the CA stuff will be easy as
well if desired. Whatever the overall
direction is I can do security stuff :slight_smile:

                      Steven

Donegan

                      KK6IVC General Class FCC License

                      Silver State Car #86

                      [www.sscc.us](http://www.sscc.us/)

From:
Steve Zingman szingman@msgstor.com
To:
Steven Donegan ;
David Andrzejewski Monday, October 5, 2015 4:04 PM
Re: [App_rpt-users] New Official Allstar
Distribution Released (DIAL)

Sure,

                              I think a hardening script might be in

order (and optional).

                                  On

10/05/2015 06:55 PM, Steven
Donegan wrote:

                                    BTW
  • I have a script to make a *NIX
    box a CA and generate
    certificates - that could easily
    be added to the DIAL/Pi/etc
    releases - let me see if I can
    scrounge it up :slight_smile: Assuming
    anyone would want that ability
    and Steve is OK with it :slight_smile:

Steven Donegan

                                      KK6IVC General Class FCC

License

                                      Silver State Car #86

                                      [www.sscc.us](http://www.sscc.us/)

From: David Andrzejewski Steven Donegan Bryan D. Boyle ; Monday, October 5, 2015
3:50 PM
Re: [App_rpt-users] New
Official Allstar
Distribution Released
(DIAL)

                                              Yep
  • disallowing
    keyboard-interactive
    and accepting only
    certificates. I turn
    off PermitRootLogin
    and only allow
    certificates. Barring
    some kind of exploit
    in sshd, that ought to
    be secure enough.

                                                                                                    Steven Donegan
    

wrote:

                                                    Using

certificates for
ssh is yet
another method
:slight_smile:

Steven Donegan

                                                      KK6IVC General

Class FCC
License

                                                      Silver State

Car #86


From: Bryan D. Boyle Steven Donegan
Steve Zingman
; Monday,
October 5,
2015 2:49 PM
Re:
[App_rpt-users]
New Official
Allstar
Distribution
Released
(DIAL)

                                                      Using

a jump box as
you describe
is one
way…not
allowing SSH
from the
outside adds a
layer; setting
up a secue VDI
capability to
the jumpbox
over a vpn is
yet a third
way…;).

                                                      my

rule: if it’s
exposed to the
net, it’s
potentially
vulnerable.
Just turn on
your SIP port
and pop some
popcorn to
see…:wink:

                                                      --

Bryan

                                                      Sent from

my iPhone 5. …No electrons were harmed in the sending of
this message.

                                                      On Oct 5,

2015, at
17:39, Steven
Donegan <>
wrote:

                                                      Direct

root login
being
disallowed IF
there were no
other way to
get full root
privileges
(not the case
here) was
considered
best practice.
However in
almost every
case there is
a user (on
Raspbian user
pi) that can
simply login,
sudo -s and do
whatever they
want. Yes it
puts up a
small hurdle
but I don’t
see it as a
serious one.

                                                      In

short, there
is almost no
setup that
will allow you
to completely
lock out root
with the
exception of a
few well
designed
appliances.
And that means
someone is out
there doing
support to get
things
resolved. This
system is not
of that flavor
and root is
necessary for
many things so
frankly adding
a hurdle or
two really
doesn’t
appreciably
make the
system more
secure.

                                                      Require

a long pass
phrase (say 20
mixed
characters or
so) and this
whole thing is
moot…

                                                      And

BTW - putting
sshd on port
222 (or
anything
except 22) is
security by
obscurity -
many tools can
find standard
protocols on
non-standard
ports :slight_smile: (I
know, I wrote
one)

                                                      The

best bet is to
not allow ssh
at all. If
that is not
feasible then
do the su or
sudo thing
and/or set up
an
intermediate
system such
that you
access a
non-privileged
account on
system A, then
ssh to system
B and system B
will ONLY
accept ssh
from system A.
Still can be
beaten but it
is a bit
harder…

                                                      And

BTW - I have
done infosec
for about 20
years so I am
allowed to
have an
opinion on
this topic :slight_smile:

Steven Donegan

                                                      KK6IVC General

Class FCC
License

                                                      Silver State

Car #86


------------------------------------------------------------------------
*From:* Steve Zingman
*Sent:* Monday, October 5, 2015 2:24 PM
*Subject:* [App_rpt-users] New Official Allstar Distribution Released (DIAL)

Dave,
Let's say I agree with you. And I well may.
On most internet exposed machines, I don't even allow ssh unless I trust your address or require a VPN.
I agree it is common practice to not allow it.
Now the question is why?

As John McLaughlin would say, DISCUSS!

On 10/05/2015 08:40 AM, Steve Zingman wrote:
> *root login via SSH is now allowed*
> This is a bad idea. Root should *never* be allowed to login to a system
> remotely. It's better to log in as a normal user and then become root
> via su, sudo, etc.

> - Dave

--
"Anything is possible if you don't know what you are talking about."
1st Law of Logic

_______________________________________________
App_rpt-users mailing list
App_rpt-users@ohnosec.org
[http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users](http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users)

To unsubscribe from this list please visit [http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users](http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users) and scroll down to the bottom of the page. Enter your email address and press the "Unsubscribe or edit options button"
You do not need a password to unsubscribe, you can do it via email confirmation. If you have trouble unsubscribing, please send a message to the list detailing the problem.

Certificates, two-factor authentication and something like ssh-guard set
to block on the first three attempts with a really really long block
threshold.

Stacy
KG7QIN

···

On 10/05/2015 02:57 PM, Steven Donegan wrote:

Using certificates for ssh is yet another method :slight_smile:

Steven Donegan
KK6IVC General Class FCC License
Silver State Car #86
www.sscc.us

------------------------------------------------------------------------
*From:* Bryan D. Boyle <bdboyle@bdboyle.com>
*To:* Steven Donegan <donegan@donegan.org>
*Cc:* Steve Zingman <szingman@msgstor.com>;
"app_rpt-users@ohnosec.org" <app_rpt-users@ohnosec.org>
*Sent:* Monday, October 5, 2015 2:49 PM
*Subject:* Re: [App_rpt-users] New Official Allstar Distribution
Released (DIAL)

Using a jump box as you describe is one way...not allowing SSH from
the outside adds a layer; setting up a secure VDI capability to the
jumpbox over a vpn is yet a third way...;).

my rule: if it's exposed to the net, it's potentially vulnerable.
Just turn on your SIP port and pop some popcorn to see...:wink:

--
Bryan
Sent from my iPhone 5...No electrons were harmed in the sending of
this message.

On Oct 5, 2015, at 17:39, Steven Donegan <donegan@donegan.org> wrote:

Direct root login being disallowed IF there were no other way to get
full root privileges (not the case here) was considered best
practice. However in almost every case there is a user (on Raspbian
user pi) that can simply login, sudo -s and do whatever they want.
Yes it puts up a small hurdle but I don't see it as a serious one.

In short, there is almost no setup that will allow you to completely
lock out root with the exception of a few well designed appliances.
And that means someone is out there doing support to get things
resolved. This system is not of that flavor and root is necessary for
many things so frankly adding a hurdle or two really doesn't
appreciably make the system more secure.

Require a long pass phrase (say 20 mixed characters or so) and this
whole thing is moot...

And BTW - putting sshd on port 222 (or anything except 22) is
security by obscurity - many tools can find standard protocols on
non-standard ports :slight_smile: (I know, I wrote one)

The best bet is to not allow ssh at all. If that is not feasible then
do the su or sudo thing and/or set up an intermediate system such
that you access a non-privileged account on system A, then ssh to
system B and system B will ONLY accept ssh from system A. Still can
be beaten but it is a bit harder...

And BTW - I have done infosec for about 20 years so I am allowed to
have an opinion on this topic :slight_smile:

Steven Donegan
KK6IVC General Class FCC License
Silver State Car #86
www.sscc.us

------------------------------------------------------------------------
*From:* Steve Zingman <szingman@msgstor.com>
*To:* "app_rpt-users@ohnosec.org" <app_rpt-users@ohnosec.org>
*Sent:* Monday, October 5, 2015 2:24 PM
*Subject:* [App_rpt-users] New Official Allstar Distribution Released
(DIAL)

Dave,
Let's say I agree with you. And I well may.
On most internet exposed machines, I don't even allow ssh unless I trust your address or require a VPN.
I agree it is common practice to not allow it.
Now the question is why?

As John McLaughlin would say, DISCUSS!

On 10/05/2015 08:40 AM, Steve Zingman wrote:
> *root login via SSH is now allowed*
> This is a bad idea. Root should *never* be allowed to login to a system
> remotely. It's better to log in as a normal user and then become root
> via su, sudo, etc.

> - Dave

--
"Anything is possible if you don't know what you are talking about."
1st Law of Logic

_______________________________________________
App_rpt-users mailing list
App_rpt-users@ohnosec.org
http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users

To unsubscribe from this list please visit http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users and scroll down to the bottom of the page. Enter your email address and press the "Unsubscribe or edit options button"
You do not need a password to unsubscribe, you can do it via email confirmation. If you have trouble unsubscribing, please send a message to the list detailing the problem.
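The sshd settings argued over above (no direct root login, keys or certificates instead of passwords, a node that only accepts ssh from the intermediate "system A", and a non-standard port being obscurity rather than a control) can be checked mechanically. The script below is an added example; it is not code from this thread or from the DIAL distribution. Both sshd_config samples are constructed, and the user `ops` and jump-host address `192.0.2.10` are placeholders.

```shell
#!/bin/sh
# Added example (not from the App_rpt-users thread or DIAL): audit the global
# section of an sshd_config for the controls discussed in the thread.
# The two sample configs are constructed; "ops" and 192.0.2.10 are placeholders.

# Effective value of a keyword. sshd uses the FIRST occurrence it sees, and
# this helper only looks at the global section (it stops at the first Match).
sshd_opt() {  # $1 keyword, $2 default when absent, $3 config text
    printf '%s\n' "$3" | awk -v key="$1" -v def="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments, blank lines
        tolower($1) == "match" { exit }                  # end of global section
        tolower($1) == tolower(key) {
            $1 = ""; sub(/^[[:space:]]+/, "")            # drop the keyword
            print; found = 1; exit
        }
        END { if (!found) print def }
    '
}

# Print one finding per line, then a final "findings: N" line.
audit_sshd() {  # $1 config text
    n=0
    # Pre-OpenSSH-7.0 builds defaulted PermitRootLogin to yes; assume that when absent.
    if [ "$(sshd_opt PermitRootLogin yes "$1")" != "no" ]; then
        echo "PermitRootLogin is not 'no': log in as a normal user, then su/sudo"
        n=$((n + 1))
    fi
    if [ "$(sshd_opt PasswordAuthentication yes "$1")" != "no" ]; then
        echo "PasswordAuthentication is on: prefer keys/certificates (plus 2FA)"
        n=$((n + 1))
    fi
    if [ -z "$(sshd_opt AllowUsers '' "$1")" ]; then
        echo "no AllowUsers: use user@<jump host> so only system A can reach this node"
        n=$((n + 1))
    fi
    # A non-standard port is obscurity, not a control: noted, not counted.
    port=$(sshd_opt Port 22 "$1")
    if [ "$port" != 22 ]; then
        echo "note: sshd on port $port is not a security control"
    fi
    echo "findings: $n"
}

WEAK_CFG='# constructed example of an as-shipped config
Port 222
PermitRootLogin yes
PasswordAuthentication yes
'
HARD_CFG='# constructed example of a hardened config (192.0.2.10 = placeholder jump host)
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers ops@192.0.2.10
'

echo "== as-shipped =="; audit_sshd "$WEAK_CFG"
echo "== hardened ==";  audit_sshd "$HARD_CFG"
```

Run it against `/etc/ssh/sshd_config` with `audit_sshd "$(cat /etc/ssh/sshd_config)"`. Match blocks are deliberately ignored here, so a `Match Address` block that relaxes a setting for some source will not be seen; `sshd -T` prints the fully resolved configuration if you need that.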

Take a look at the Digium website. The advisories are there.

IAX2 has one (if I remember correctly it eats up all the channel's
resources causing a denial of service).

-Stacy
KG7QIN

···

On 10/05/2015 04:40 PM, Steve Zingman wrote:

Leon,
I've heard this before about old Asterisk. Any notes you can point to
detailing security issues in 1.4?

73, Steve N4IRS

On 10/05/2015 06:43 PM, Leon Zetekoff wrote:

If I can throw in my $0.02

from someone who has worked at a service provider doing managed
services (routers and firewalls) you want to heed NerdUno (Ward
Mundy's) words to never expose Asterisk to the internet, and
especially since this is old Asterisk. You want some sort of firewall
appliance in front of it.

I personally prefer VPN tunnels coming back in but you can get crafty
and do port forwards with unknown ports to like 22 and 80 but there's
always that risk of someone catching on. Tunnels are the safest way
to get back inside. You only want to expose only the ports
specifically necessary to do the job.

73 leon wa4zlw

On 10/5/2015 6:17 PM, Bryan Fields wrote:

On 10/5/15 4:56 PM, David Andrzejewski wrote:

This is a bad idea. Root should *never* be allowed to login to a system
remotely. It's better to log in as a normal user and then become root
via su, sudo, etc.

meh, it's more of a local policy thing. I'd prefer it's not enabled
by default, but there are some reasons I could see for enabling it.

--
Bryan Fields

727-409-1194 - Voice
727-214-2508 - Fax
http://bryanfields.net

--
"Anything is possible if you don't know what you are talking about."
1st Law of Logic


For IAX2:

"IAX2 Call Number Resource Exhaustion"

There are others. This particular advisory is on the LAST page as the
LAST one. :slight_smile:

-Stacy
KG7QIN

···

On 10/05/2015 07:09 PM, Stacy wrote:

Take a look at the Digium website. The advisories are there.

IAX2 has one (if I remember correctly it eats up all the channel's
resources causing a denial of service).

Security Advisories - Asterisk: http://www.asterisk.org/downloads/security-advisories

-Stacy
KG7QIN

On 10/05/2015 04:40 PM, Steve Zingman wrote:

Leon,
I've heard this before about old Asterisk. Any notes you can point to
detailing security issues in 1.4?

73, Steve N4IRS

On 10/05/2015 06:43 PM, Leon Zetekoff wrote:

If I can throw in my $0.02

from someone who has worked at a service provider doing managed
services (routers and firewalls) you want to heed NerdUno (Ward
Mundy's) words to never expose Asterisk to the internet, and
especially since this is old Asterisk. You want some sort of
firewall appliance in front of it.

I personally prefer VPN tunnels coming back in but you can get
crafty and do port forwards with unknown ports to like 22 and 80 but
there's always that risk of someone catching on. Tunnels are the
safest way to get back inside. You only want to expose only the
ports specifically necessary to do the job.

73 leon wa4zlw

On 10/5/2015 6:17 PM, Bryan Fields wrote:

On 10/5/15 4:56 PM, David Andrzejewski wrote:

This is a bad idea. Root should *never* be allowed to login to a system
remotely. It's better to log in as a normal user and then become root
via su, sudo, etc.

meh, it's more of a local policy thing. I'd prefer it's not
enabled by default, but there are some reasons I could see for
enabling it.

--
Bryan Fields

727-409-1194 - Voice
727-214-2508 - Fax
http://bryanfields.net

--
"Anything is possible if you don't know what you are talking about."
1st Law of Logic


There are going to be quite a few items to read.

In the case of AST-2009-006.pdf, if I read this right the fix is
call token validation.

Looking at the source on the SVN I see around line 300 support for
the token.

Lots more to read, one step at a time...
···

On 10/05/2015 10:09 PM, Stacy wrote:

Take a look at the Digium website. The advisories are there.

IAX2 has one (if I remember correctly it eats up all the channel's
resources causing a denial of service).

http://www.asterisk.org/downloads/security-advisories

-Stacy
KG7QIN

On 10/05/2015 04:40 PM, Steve Zingman wrote:

Leon,
I've heard this before about old Asterisk. Any notes you can point to
detailing security issues in 1.4?

73, Steve N4IRS

On 10/05/2015 06:43 PM, Leon Zetekoff wrote:

If I can throw in my $0.02

from someone who has worked at a service provider doing managed
services (routers and firewalls) you want to heed NerdUno (Ward
Mundy's) words to never expose Asterisk to the internet, and
especially since this is old Asterisk. You want some sort of firewall
appliance in front of it.

I personally prefer VPN tunnels coming back in but you can get crafty
and do port forwards with unknown ports to like 22 and 80 but there's
always that risk of someone catching on. Tunnels are the safest way
to get back inside. You only want to expose only the ports
specifically necessary to do the job.

73 leon wa4zlw
On 10/5/2015 6:17 PM, Bryan Fields wrote:

meh, it's more of a local policy thing. I'd prefer it's not enabled
by default, but there are some reasons I could see for enabling it.

On 10/5/15 4:56 PM, David Andrzejewski wrote:

This is a bad idea. Root should *never* be allowed to login to a system
remotely. It's better to log in as a normal user and then become root
via su, sudo, etc.

--
Bryan Fields
727-409-1194 - Voice
727-214-2508 - Fax
http://bryanfields.net


-- "Anything is possible if you don't know what you are talking about."
1st Law of Logic

Personally I use Fail2ban

···

On Mon, Oct 5, 2015 at 9:06 PM, Stacy <kg7qin@arrl.net> wrote:

Certificates, two-factor authentication and something like ssh-guard
set to block on the first three attempts with a really really long
block threshold.

Stacy
KG7QIN

On 10/05/2015 02:57 PM, Steven Donegan wrote:

Using certificates for ssh is yet another method :slight_smile:

Steven Donegan
KK6IVC General Class FCC License
Silver State Car #86
www.sscc.us

------------------------------------------------------------------------
*From:* Bryan D. Boyle <bdboyle@bdboyle.com>
*To:* Steven Donegan <donegan@donegan.org>
*Cc:* Steve Zingman <szingman@msgstor.com>; "app_rpt-users@ohnosec.org" <app_rpt-users@ohnosec.org>
*Sent:* Monday, October 5, 2015 2:49 PM
*Subject:* Re: [App_rpt-users] New Official Allstar Distribution Released (DIAL)

Using a jump box as you describe is one way...not allowing SSH from
the outside adds a layer; setting up a secure VDI capability to the
jumpbox over a vpn is yet a third way...;).

my rule: if it's exposed to the net, it's potentially vulnerable.
Just turn on your SIP port and pop some popcorn to see...:wink:

--
Bryan
Sent from my iPhone 5...No electrons were harmed in the sending of
this message.

On Oct 5, 2015, at 17:39, Steven Donegan <donegan@donegan.org> wrote:

Direct root login being disallowed IF there were no other way to get
full root privileges (not the case here) was considered best
practice. However in almost every case there is a user (on Raspbian
user pi) that can simply login, sudo -s and do whatever they want.
Yes it puts up a small hurdle but I don't see it as a serious one.

In short, there is almost no setup that will allow you to completely
lock out root with the exception of a few well designed appliances.
And that means someone is out there doing support to get things
resolved. This system is not of that flavor and root is necessary for
many things so frankly adding a hurdle or two really doesn't
appreciably make the system more secure.

Require a long pass phrase (say 20 mixed characters or so) and this
whole thing is moot...

And BTW - putting sshd on port 222 (or anything except 22) is
security by obscurity - many tools can find standard protocols on
non-standard ports :slight_smile: (I know, I wrote one)

The best bet is to not allow ssh at all. If that is not feasible then
do the su or sudo thing and/or set up an intermediate system such
that you access a non-privileged account on system A, then ssh to
system B and system B will ONLY accept ssh from system A. Still can
be beaten but it is a bit harder...

And BTW - I have done infosec for about 20 years so I am allowed to
have an opinion on this topic :slight_smile:

Steven Donegan
KK6IVC General Class FCC License
Silver State Car #86
www.sscc.us

------------------------------------------------------------------------
*From:* Steve Zingman <szingman@msgstor.com>
*To:* "app_rpt-users@ohnosec.org" <app_rpt-users@ohnosec.org>
*Sent:* Monday, October 5, 2015 2:24 PM
*Subject:* [App_rpt-users] New Official Allstar Distribution Released (DIAL)

Dave,
Let's say I agree with you. And I well may.
On most internet exposed machines, I don't even allow ssh unless I trust your address or require a VPN.
I agree it is common practice to not allow it.
Now the question is why?

As John McLaughlin would say, DISCUSS!

On 10/05/2015 08:40 AM, Steve Zingman wrote:
> *root login via SSH is now allowed*
> This is a bad idea. Root should *never* be allowed to login to a system
> remotely. It's better to log in as a normal user and then become root
> via su, sudo, etc.

> - Dave

--
"Anything is possible if you don't know what you are talking about."
1st Law of Logic


Loren Tedford (KC9ZHV)
Email: lorentedford@gmail.com
Main Line:1-631-686-8878 Option 1 for Loren.
Fax Line 1:1-618-551-2755
Fax Line 2:1-631-686-8892 (New Fax line)
Cell: 618-553-0806
http://www.lorentedford.com
http://www.kc9zhv.com
http://hub.kc9zhv.com
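Stacy's ssh-guard setting and Loren's Fail2ban do the same job: count authentication failures per source address and block the source once it crosses a threshold. The script below is an added example, not code from this thread and not the code of either tool; it runs that counting step over constructed auth.log lines so the threshold logic can be seen on its own. The addresses 203.0.113.7, 198.51.100.4 and 192.0.2.10 are documentation addresses.

```shell
#!/bin/sh
# Added example (not from the thread, sshguard or fail2ban): the counting
# step behind "block after N failed attempts", run over constructed log lines.

# Constructed auth.log excerpt: one source hammering root and bogus users,
# one single typo from another source, one legitimate key login.
AUTH_LOG='Oct  5 21:01:02 node sshd[2201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Oct  5 21:01:05 node sshd[2201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Oct  5 21:01:09 node sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Oct  5 21:02:11 node sshd[2210]: Failed password for pi from 198.51.100.4 port 40022 ssh2
Oct  5 21:02:30 node sshd[2212]: Accepted publickey for ops from 192.0.2.10 port 55100 ssh2
Oct  5 21:03:01 node sshd[2214]: Failed password for invalid user test from 203.0.113.7 port 51250 ssh2'

# Print "count ip" for every source with at least $2 failed passwords,
# highest count first. Only sshd "Failed password ... from <ip>" lines are
# counted; accepted logins and unrelated noise are ignored.
failed_logins_over() {  # $1 log text, $2 threshold
    printf '%s\n' "$1" | awk -v limit="$2" '
        /sshd\[[0-9]+\]: Failed password for / {
            # the source address is the word after "from"
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= limit) printf "%d %s\n", n[ip], ip }
    ' | sort -rn
}

# Addresses that crossed the threshold, one per line. A real deployment feeds
# these to the packet filter with a long expiry (the step sshguard/fail2ban
# automate); this example only lists them.
block_list() {  # $1 log text, $2 threshold
    failed_logins_over "$1" "$2" | awk '{ print $2 }'
}

echo "sources with >= 3 failures:"
failed_logins_over "$AUTH_LOG" 3
echo "block list:"
block_list "$AUTH_LOG" 3
```

Feed a live log with `block_list "$(cat /var/log/auth.log)" 3`. Note that a single attempt from 198.51.100.4 stays below the threshold, which is why a threshold of three rather than one is the usual starting point: it tolerates a mistyped passphrase without blocking the operator.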

Same difference. :slight_smile:

···

On 10/05/2015 07:30 PM, Loren Tedford wrote:

Personally I use Fail2ban

Loren Tedford (KC9ZHV)
Email: lorentedford@gmail.com
Main Line:1-631-686-8878 Option 1 for Loren.
Fax Line 1:1-618-551-2755
Fax Line 2:1-631-686-8892 (New Fax line)
Cell: 618-553-0806
http://www.lorentedford.com
http://www.kc9zhv.com
http://hub.kc9zhv.com

On Mon, Oct 5, 2015 at 9:06 PM, Stacy <kg7qin@arrl.net> wrote:

    Certificates, two-factor authentication and something like
    ssh-guard set to block on the first three attempts with a really
    really long block threshold.

    Stacy
    KG7QIN

    On 10/05/2015 02:57 PM, Steven Donegan wrote:

    Using certificates for ssh is yet another method :slight_smile:
     
    Steven Donegan
    KK6IVC General Class FCC License
    Silver State Car #86
    www.sscc.us <http://www.sscc.us>

    ------------------------------------------------------------------------
    *From:* Bryan D. Boyle <bdboyle@bdboyle.com>
    *To:* Steven Donegan <donegan@donegan.org>
    *Cc:* Steve Zingman <szingman@msgstor.com>;
    "app_rpt-users@ohnosec.org" <app_rpt-users@ohnosec.org>
    *Sent:* Monday, October 5, 2015 2:49 PM
    *Subject:* Re: [App_rpt-users] New Official Allstar Distribution
    Released (DIAL)

    Using a jump box as you describe is one way...not allowing SSH
    from the outside adds a layer; setting up a secure VDI capability
    to the jumpbox over a vpn is yet a third way...;).

    my rule: if it's exposed to the net, it's potentially
    vulnerable. Just turn on your SIP port and pop some popcorn to
    see...:wink:

    --
    Bryan
    Sent from my iPhone 5...No electrons were harmed in the sending
    of this message.

    On Oct 5, 2015, at 17:39, Steven Donegan <donegan@donegan.org> wrote:

    Direct root login being disallowed IF there were no other way to
    get full root privileges (not the case here) was considered best
    practice. However in almost every case there is a user (on
    Raspbian user pi) that can simply login, sudo -s and do whatever
    they want. Yes it puts up a small hurdle but I don't see it as a
    serious one.

    In short, there is almost no setup that will allow you to
    completely lock out root with the exception of a few well
    designed appliances. And that means someone is out there doing
    support to get things resolved. This system is not of that
    flavor and root is necessary for many things so frankly adding a
    hurdle or two really doesn't appreciably make the system more
    secure.

    Require a long pass phrase (say 20 mixed characters or so) and
    this whole thing is moot...

    And BTW - putting sshd on port 222 (or anything except 22) is
    security by obscurity - many tools can find standard protocols
    on non-standard ports :slight_smile: (I know, I wrote one)

    The best bet is to not allow ssh at all. If that is not feasible
    then do the su or sudo thing and/or set up an intermediate
    system such that you access a non-privileged account on system
    A, then ssh to system B and system B will ONLY accept ssh from
    system A. Still can be beaten but it is a bit harder...

    And BTW - I have done infosec for about 20 years so I am allowed
    to have an opinion on this topic :slight_smile:
     
    Steven Donegan
    KK6IVC General Class FCC License
    Silver State Car #86
    www.sscc.us

    ------------------------------------------------------------------------
    *From:* Steve Zingman <szingman@msgstor.com>
    *To:* "app_rpt-users@ohnosec.org" <app_rpt-users@ohnosec.org>
    *Sent:* Monday, October 5, 2015 2:24 PM
    *Subject:* [App_rpt-users] New Official Allstar Distribution
    Released (DIAL)

    Dave,
    Let's say I agree with you. And I well may.
    On most internet exposed machines, I don't even allow ssh unless I trust your address or require a VPN.
    I agree it is common practice to not allow it.
    Now the question is why?

    As John McLaughlin would say, DISCUSS!

    On 10/05/2015 08:40 AM, Steve Zingman wrote:
    > *root login via SSH is now allowed*
    > This is a bad idea. Root should *never* be allowed to login to a system
    > remotely. It's better to log in as a normal user and then become root
    > via su, sudo, etc.

    > - Dave

    --
    "Anything is possible if you don't know what you are talking about."
    1st Law of Logic

    _______________________________________________
    App_rpt-users mailing list
    App_rpt-users@ohnosec.org
    http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users

    To unsubscribe from this list please visit
    http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users and
    scroll down to the bottom of the page. Enter your email address
    and press the "Unsubscribe or edit options button"
    You do not need a password to unsubscribe, you can do it via
    email confirmation. If you have trouble unsubscribing, please
    send a message to the list detailing the problem.

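The sshd settings argued over above (root login versus su/sudo, passwords versus keys, port 222 as obscurity, and system B accepting ssh only from system A), as an added example that is not from any post in the thread: a small POSIX shell audit of an sshd_config that reports the effective value of each directive. The sample config is constructed, and the `prohibit-password` default assumes OpenSSH 7.0 or later.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for the points argued
# above: root login, password vs key auth, non-standard port, source restriction.

# first_value FILE DIRECTIVE DEFAULT: sshd honours the FIRST occurrence of a
# directive, so that is the one that matters. Match blocks are skipped (a
# simplification: they can override values per source address or user).
first_value() {
    v=$(awk -v key="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments, blank lines
        tolower($1) == "match" { exit }                  # end of global section
        tolower($1) == tolower(key) { print $2; exit }   # first occurrence wins
    ' "$1")
    printf '%s\n' "${v:-$3}"
}

# audit_sshd_config FILE -> one finding per line; returns the FAIL count
audit_sshd_config() {
    cfg=$1; fails=0
    root=$(first_value "$cfg" PermitRootLogin prohibit-password)  # OpenSSH 7.0+ default
    case $root in
        no)  echo "ok   PermitRootLogin=no" ;;
        yes) echo "FAIL PermitRootLogin=yes: remote root with a password"; fails=$((fails + 1)) ;;
        *)   echo "WARN PermitRootLogin=$root: root still reachable with a key" ;;
    esac
    pw=$(first_value "$cfg" PasswordAuthentication yes)
    if [ "$pw" = no ]; then
        echo "ok   PasswordAuthentication=no (keys or certificates only)"
    else
        echo "FAIL PasswordAuthentication=$pw: passwords can be guessed"; fails=$((fails + 1))
    fi
    # Passwords can also arrive via keyboard-interactive (PAM); newer OpenSSH calls
    # the directive KbdInteractiveAuthentication, older ChallengeResponseAuthentication.
    kbd=$(first_value "$cfg" KbdInteractiveAuthentication \
          "$(first_value "$cfg" ChallengeResponseAuthentication yes)")
    [ "$kbd" = no ] || echo "WARN KbdInteractiveAuthentication=$kbd: PAM prompts can still take passwords"
    port=$(first_value "$cfg" Port 22)
    [ "$port" = 22 ] || echo "note Port=$port: a non-standard port is obscurity, not a control"
    # "System B will ONLY accept ssh from system A": AllowUsers user@host or Match Address
    if grep -Eiq '^[[:space:]]*(AllowUsers[[:space:]].*@|Match[[:space:]]+Address)' "$cfg"; then
        echo "ok   source-address restriction present"
    else
        echo "WARN no source-address restriction (AllowUsers user@host or Match Address)"
    fi
    return $fails
}

# Constructed sample (not from any real distribution); note the second
# PermitRootLogin line is ignored because the first one wins.
write_sample_config() {
    cat > "$1" <<'EOF'
Port 222
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
PermitRootLogin no
EOF
}

tmp=$(mktemp)
write_sample_config "$tmp"
audit_sshd_config "$tmp"
echo "failures: $?"
rm -f "$tmp"
```

Run it against `/etc/ssh/sshd_config` on the node itself to see which of the thread's recommendations the shipped defaults actually meet.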

True, there is a lot to read.

I haven't looked at the iax2 code to see what Jim's added in. If I
remember correctly, he's done an update to it for various things.

-Stacy
KG7QIN

···

On 10/05/2015 07:23 PM, Steve Zingman wrote:

There are going to be quite a few items to read.
In the case of AST-2009-006.pdf, if I read this right, the fix is call
token validation.
Looking at the source on the SVN I see around line 300 support for the
token.
Lots more to read, one step at a time...

On 10/05/2015 10:09 PM, Stacy wrote:

Take a look at the Digium website. The advisories are there.

IAX2 has one (if I remember correctly it eats up all the channel's
resources causing a denial of service).

Security Advisories ⋆ Asterisk

-Stacy
KG7QIN

On 10/05/2015 04:40 PM, Steve Zingman wrote:

Leon,
I've heard this before about old Asterisk. Any notes you can point
to detailing security issues in 1.4?

73, Steve N4IRS

On 10/05/2015 06:43 PM, Leon Zetekoff wrote:

If I can throw in my $0.02

from someone who has worked at a service provider doing managed
services (routers and firewalls) you want to heed NerdUno (Ward
Mundy's) words to never expose Asterisk to the internet, and
especially since this is old Asterisk. You want some sort of
firewall appliance in front of it.

I personally prefer VPN tunnels coming back in but you can get
crafty and do port forwards with unknown ports to like 22 and 80
but there's always that risk of someone catching on. Tunnels are
the safest way to get back inside. You want to expose only the
ports specifically necessary to do the job.

73 leon wa4zlw

On 10/5/2015 6:17 PM, Bryan Fields wrote:

On 10/5/15 4:56 PM, David Andrzejewski wrote:

This is a bad idea. Root should *never* be allowed to login to a system
remotely. It's better to log in as a normal user and then become root
via su, sudo, etc.

meh, it's more of a local policy thing. I'd prefer it's not
enabled by default, but there are some reasons I could see for
enabling it.

--
Bryan Fields

727-409-1194 - Voice
727-214-2508 - Fax
http://bryanfields.net

--
"Anything is possible if you don't know what you are talking about."
1st Law of Logic

This discussion sounds like discussions 20 years ago regarding PL on
a repeater: it's too hard to solder in a PL board.

Even the basic security books on Unix long before Linux discuss root
and security. Root should never be exposed to the outside world;
you also have to do as much to protect it from the inside, as many
exploits come from someone getting inside user credentials.

Basic security says:

1) Don't expose anything you don't absolutely have to.

2) Keep your software up to date, especially the system.

3) Anyone running a server should be trained.

Fail to ban... "just means attack slowly"

Exposing 22 "says please try me".

Putting ssh on another port simply "says scan me"; scripts do this
all the time.

It goes on and on...

I personally use tunnels from my machine to my server, and tunnels
are restricted not only by certificates, they are also restricted to
the IP addresses they can come from. Ports open to critical
applications should be run at a minimum in a chroot environment.

The basic Asterisk installation needs more work than just spinning
up the disk to get it securely installed. It is not possible to
log on to any one of my servers with a password.

We even have developers who say if you are behind a firewall at
your house you should be secure... pure poppycock...

So any system that intentionally exposes root, or where you can't easily
update the base system, is "broken by design", kinda like Windows
stuff (not just my opinion).

The internet is not a friendly place. It was 30 years ago, but has
not been friendly for the last 25+ years... Anyone who just plugs
in to the internet with an unprotected server is adding to the
problem. Bad server security is worse than the worst repeater
kerchunker, 'cause the exploit is silent: you don't know it is
happening unless YOU know what you are doing, watching logs etc...
You are keeping spammers in business...

Some think they are secure because the only thing their server runs
is Asterisk, till someone gets root, installs a mail server, and
spams the world for years... or they change ssh.conf and allow ssh
out (which is open by default and should be closed on
installation), so now they are using your server or small Raspberry
Pi to attack the rest of the internet using your IP address... It
happens all the time, guys... In fact one of the biggest security
exploits going today is getting someone to plug in a Pi of unknown
origin into someone's internal network... read "Penetration Testing
with Raspberry Pi" by Muniz & Lakhani. Bad guys are sending out
Pis by the hundreds to large companies, hoping someone will plug it
into the local network to see what it is... it's then game over for
many small companies without knowledgeable sysadmins.

If you don't want to learn basic security, it's your machine, it's
your problem. Basic security is not hard to learn, but doesn't come
from an installation disk any more than understanding ham radio
comes from memorizing the test. Don't ask developers to keep it
easy for you just because you don't want to learn basic security; if
developers do it for you, they are bad developers, shame on them.

My .02 cents... with a constant internet connection since 1978...

Fred

···

On 10/5/15 10:36 PM, Stacy wrote:


-- Fred Moore
phone: 321-217-8699
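Fred's remark that Fail2ban "just means attack slowly", and Stacy's suggestion elsewhere in this thread of blocking on the first three attempts, as an added example that is not from any post: a fail2ban/sshguard-style counter over constructed sshd log lines, run with a short and a long detection window so the slow attacker's evasion shows up. Addresses are RFC 5737 documentation ranges; the single-day timestamp handling is a simplification.

```shell
#!/bin/sh
# Added example (not from the thread): a fail2ban/sshguard-style counter over sshd
# log lines, showing why a short detection window lets a slow attacker through.

# ban_candidates FILE WINDOW_SECONDS MAXRETRY
# Prints "BAN <ip> ..." once per source that reaches MAXRETRY failed logins
# within WINDOW_SECONDS. Timestamps are HH:MM:SS only, so the sample is
# assumed to be one day's log (a simplification for the example).
ban_candidates() {
    awk -v window="$2" -v maxretry="$3" '
        $5 ~ /^sshd/ && /Failed password for/ {
            split($3, t, ":"); ts = t[1] * 3600 + t[2] * 60 + t[3]
            for (i = 6; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            n[ip]++; when[ip, n[ip]] = ts
            hits = 0                                  # failures inside the window
            for (j = 1; j <= n[ip]; j++) if (ts - when[ip, j] <= window) hits++
            if (hits >= maxretry && !(ip in banned)) {
                banned[ip] = 1
                print "BAN " ip " after " hits " failures within " window "s"
            }
        }
    ' "$1"
}

# Constructed log (RFC 5737 documentation addresses, not real traffic):
# 203.0.113.7 hammers root three times in eight seconds; 198.51.100.23
# spreads its three attempts over a day, the "attack slowly" case.
write_sample_log() {
    cat > "$1" <<'EOF'
Oct  5 01:00:00 node sshd[900]: Failed password for root from 198.51.100.23 port 33001 ssh2
Oct  5 09:30:00 node sshd[950]: Failed password for root from 198.51.100.23 port 33002 ssh2
Oct  5 18:45:00 node sshd[1100]: Failed password for root from 198.51.100.23 port 33003 ssh2
Oct  5 22:10:01 node sshd[1201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Oct  5 22:10:04 node sshd[1201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Oct  5 22:10:09 node sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Oct  5 22:10:15 node sshd[1205]: Accepted publickey for pi from 192.0.2.10 port 40022 ssh2
EOF
}

log=$(mktemp)
write_sample_log "$log"
echo "window 600s (ten minutes):";  ban_candidates "$log" 600 3
echo "window 86400s (a full day):"; ban_candidates "$log" 86400 3
rm -f "$log"
```

With the ten-minute window only the fast source is flagged; the day-long window catches the slow one as well, which is the trade-off behind a "really really long" threshold.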

Same difference. :)

On 10/05/2015 07:30 PM, Loren Tedford wrote:

Personally I use Fail2ban

Loren Tedford (KC9ZHV)
Email: lorentedford@gmail.com
Main Line: 1-631-686-8878 Option 1 for Loren.
Fax Line 1: 1-618-551-2755
Fax Line 2: 1-631-686-8892 (New Fax line)
Cell: 618-553-0806

On Mon, Oct 5, 2015 at 9:06 PM, Stacy <kg7qin@arrl.net> wrote:

Certificates, two-factor authentication and something like ssh-guard
set to block on the first three attempts with a really really long
block threshold.

Stacy
KG7QIN

On 10/05/2015 02:57 PM, Steven Donegan wrote:

Using certificates for ssh is yet another method :)

Steven Donegan
KK6IVC General Class FCC License
Silver State Car #86
www.sscc.us

**From:** Bryan D. Boyle
**To:** Steven Donegan
**Cc:** Steve Zingman; app_rpt-users@ohnosec.org
**Sent:** Monday, October 5, 2015 2:49 PM
**Subject:** Re: [App_rpt-users] New Official Allstar Distribution Released (DIAL)

Using a jump box as you describe is one way... not allowing SSH from
the outside adds a layer; setting up a secure VDI capability to the
jumpbox over a vpn is yet a third way... ;).

my rule: if it's exposed to the net, it's potentially vulnerable.
Just turn on your SIP port and pop some popcorn to see... ;)

--
Bryan

Sent from my iPhone 5. ...No electrons were harmed in the sending of
this message.

On Oct 5, 2015, at 17:39, Steven Donegan wrote:

Direct root login being disallowed IF there were no other way to get
full root privileges (not the case here) was considered best practice.
However in almost every case there is a user (on Raspbian user pi) that
can simply login, sudo -s and do whatever they want. Yes it puts up a
small hurdle but I don't see it as a serious one.

In short, there is almost no setup that will allow you to completely
lock out root with the exception of a few well designed appliances.
And that means someone is out there doing support to get things
resolved. This system is not of that flavor and root is necessary for
many things so frankly adding a hurdle or two really doesn't
appreciably make the system more secure.

Require a long pass phrase (say 20 mixed characters or so) and this
whole thing is moot...

And BTW - putting sshd on port 222 (or anything except 22) is security
by obscurity - many tools can find standard protocols on non-standard
ports :) (I know, I wrote one)

The best bet is to not allow ssh at all. If that is not feasible then
do the su or sudo thing and/or set up an intermediate system such that
you access a non-privileged account on system A, then ssh to system B
and system B will ONLY accept ssh from system A. Still can be beaten
but it is a bit harder...

And BTW - I have done infosec for about 20 years so I am allowed to
have an opinion on this topic :)

Steven Donegan
KK6IVC General Class FCC License
Silver State Car #86
www.sscc.us


I am having an issue with an ACID box running radio usb connected to a modified audio FOB. However, when I plug the modified audio FOB into my Raspberry Pi using the simpleusb channel driver it works perfectly. So I have two questions:
1. what issues are there using radio usb under simplex mode?
Does the acid upgrade to simple usb channel driver solve these bugs?
What channel driver does DIAL support?

it also appears that radio channel driver works fine with a DMK Engineering URI running under the same ACID box.

The main question is WHY DOES IT WORK WITH A DMK URI BUT NOT THE MODIFIED AUDIO FOB UNDER ACID?
EITHER ONE (DMK URI OR MY MODIFIED AUDIO FOB) BOTH WORK FINE WHEN DRIVEN BY A RASPBERRY PI!
PLEASE HELP A VERY CONFUSED GUY

Thanks
73 Neil Sablatzky K8IT
Allstar Node 41838 KITLINK
Allstar Node 42087 KITLINK HUB
IRLP Node exp0068
Echolink K8IT-L
WIRES-X K8IT 11479 Room 21479

···

--------------------------------------------------