[arm-allstar] Allstar security justification for local college

Doug Crompton wa3dsp at gmail.com
Mon Aug 14 10:09:19 EST 2017


Laroy,

  What you propose sounds good. Allstar is a relatively secure system when
used properly. The main issue is people using simple passwords. The main
entry point is ssh and once someone gets in they have access to your entire
network and could access other systems where there are poor passwords. If
you don't need remote access don't port forward ssh but in your case I
think it would be necessary.

Don't open any sip or manager ports to the outside or any other ports
besides ssh, iax, and required echolink. Use a secure ssh password. That is
at least 10 characters and mixed case, numerics, and special characters.
Don't give the PW out to more than are necessary and change it regularly.
Don't implement web access. There should not be any Linux issues as we keep
on top of any security problems and would issue an update should one occur.
fail2ban or any program that shows and foils attempted entry would be a
good addition. It would also show them that you are serious about security.


*73 Doug*

*WA3DSP*

*http://www.crompton.com/hamradio*



On Mon, Aug 14, 2017 at 10:36 AM, "LaRoy McCann via arm-allstar" <
arm-allstar at hamvoip.org> wrote:

> I was asked to help a local club add an Allstar / Echolink interface to
> their existing repeater controller.
> They presently use an RF link to provide their repeater with Echolink but
> are wanting to use a Pi and Allstar since they have internet access and do
> away with the RF link.
>
> Their repeater is located at a local college and the IT department wants
> to know about the Pi and its security before they provide internet access
> for it.  I was starting to do a security write-up but was wondering if
> anyone has anything they have prepared before and would be willing to share
> it.
>
> Anyone have any suggestions that I need to do in order to make it as
> secure as possible?
> I intend to place this behind a mikrotik router and block all ports except
> for the ones needed by allstar, echolink and ssh and do the same on the
> Hamvoip image.
>
> Should I add fail2ban?
>
>
> LaRoy K5TW
>
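
As an added example (not part of either message, and not HamVoIP project code): a Python check that reads `ss -tuln` output from the node and flags anything listening beyond the ssh, iax and EchoLink services the reply says to allow. The port numbers are common defaults and are assumptions, and the sample output is constructed.

```python
# Added example, not from the thread. Port numbers are common defaults
# (assumed): ssh 22/tcp, IAX2 4569/udp, EchoLink 5198-5199/udp,
# SIP 5060, Asterisk manager 5038/tcp, web 80 and 443/tcp.
ALLOWED = {("tcp", 22): "ssh", ("udp", 4569): "iax",
           ("udp", 5198): "echolink", ("udp", 5199): "echolink"}
FORBIDDEN = {("udp", 5060): "sip", ("tcp", 5060): "sip",
             ("tcp", 5038): "manager", ("tcp", 80): "web", ("tcp", 443): "web"}

# Constructed sample of `ss -tuln` output (not captured from a real node).
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      0.0.0.0:4569      0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:5198      0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:5060      0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      5      127.0.0.1:5038    0.0.0.0:*
tcp   LISTEN 0      128    [::]:22           [::]:*
tcp   LISTEN 0      16     *:8080            *:*
"""

def is_loopback(addr):
    # Loopback-bound sockets cannot be reached through a port forward.
    return addr.startswith("127.") or addr.strip("[]") == "::1"

def audit_listeners(ss_output):
    """Return (proto, port, verdict, name) for each listening socket."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue  # header or unrelated line
        proto = fields[0]
        addr, _, port = fields[4].rpartition(":")
        if not port.isdigit():
            continue
        key = (proto, int(port))
        if is_loopback(addr):
            verdict, name = "local-only", FORBIDDEN.get(key) or ALLOWED.get(key, "?")
        elif key in ALLOWED:
            verdict, name = "ok", ALLOWED[key]
        elif key in FORBIDDEN:
            verdict, name = "close", FORBIDDEN[key]  # sip, manager or web exposed
        else:
            verdict, name = "review", "unknown"      # not on either list
        findings.append((proto, int(port), verdict, name))
    return findings

if __name__ == "__main__":
    for proto, port, verdict, name in audit_listeners(SAMPLE_SS):
        print(f"{port}/{proto:<4} {name:<9} {verdict}")
```

On a real node, pass the text of `ss -tuln` to `audit_listeners` and compare the "close" and "review" rows against the router's port-forward list.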

