[arm-allstar] Allstar security justification for local college

David McGough kb4fxc at inttek.net
Mon Aug 14 11:03:36 EST 2017


Another recommended strategy with ssh is to use an obscure TCP port, which 
is already done by using port 222; however, I would probably recommend 
using an even "more" obscure high port number (e.g.: 5295). This will stop 
99.99% of "script kiddies" in their tracks.

fail2ban is a wonderful tool, but it can be -very- resource intensive.

73, David KB4FXC 

On Mon, 14 Aug 2017, "Tom Hayward via arm-allstar" wrote:

> The best way to secure SSH is to disable password authentication and
> use only keys. This way you don't have to worry about the strength of
> your password.
> 
> To do this, first paste your public key in /root/.ssh/authorized_keys.
> Then test it. You should not be prompted for a password when you log
> in.
> 
> Then open /etc/ssh/sshd_config and add the line:
> PasswordAuthentication no
> 
> Then run:
> systemctl reload sshd.service
> 
> Tom KD7LXL
> 
> On Mon, Aug 14, 2017 at 7:36 AM, "LaRoy McCann via arm-allstar"
> <arm-allstar at hamvoip.org> wrote:
> > I was asked to help a local club add an Allstar / Echolink interface to their
> > existing repeater controller.
> > They presently use an RF link to provide their repeater with Echolink but
> > are wanting to use a Pi and Allstar since they have internet access and do
> > away with the RF link.
> >
> > Their repeater is located at a local college and the IT department wants to
> > know about the Pi and its security before they provide internet access for
> > it.  I was starting to do a security write-up but was wondering if anyone
> > has anything they have prepared before and would be willing to share it.
> >
> > Anyone have any suggestions that I need to do in order to make it as secure
> > as possible?
> > I intend to place this behind a MikroTik router and block all ports except
> > for the ones needed by allstar, echolink and ssh and do the same on the
> > Hamvoip image.
> >
> > Should I add fail2ban?
> >
> >
> > LaRoy K5TW
> >
> > _______________________________________________
> >
> > arm-allstar mailing list
> > arm-allstar at hamvoip.org
> > http://lists.hamvoip.org/cgi-bin/mailman/listinfo/arm-allstar
> >
> > Visit the BBB and RPi2/3 web page - http://hamvoip.org
> 
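
Added example, not part of the original thread or any poster's message: a shell check for the sshd_config edit described in the quoted reply above. It relies on sshd using the first value it reads for a keyword; the helper names and the sample files are constructed for illustration, and only the global section (before any Match block) is examined.

```sh
#!/bin/sh
# Added example: check an sshd_config-style file for the settings discussed
# in the thread. sshd keeps the FIRST value it reads for a keyword, so a
# "PasswordAuthentication no" appended below an earlier uncommented
# "PasswordAuthentication yes" never takes effect.

# effective_value FILE KEYWORD DEFAULT   (hypothetical helper)
# Prints the value from the global section (everything before the first
# Match block), or DEFAULT when the keyword is absent. Include is not followed.
effective_value() {
    awk -v key="$2" -v def="$3" '
        BEGIN { key = tolower(key); val = def }
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments, blank lines
        tolower($1) == "match"   { exit }          # global section ends here
        tolower($1) == key       { val = $2; exit } # first occurrence wins
        END { print val }
    ' "$1"
}

# audit_sshd_config FILE: returns 0 only if password logins are disabled.
audit_sshd_config() {
    pw=$(effective_value "$1" PasswordAuthentication yes)   # sshd default: yes
    port=$(effective_value "$1" Port 22)    # first Port line; sshd default: 22
    echo "INFO Port $port"
    if [ "$pw" = no ]; then
        echo "OK   PasswordAuthentication no"
        return 0
    fi
    echo "FAIL PasswordAuthentication $pw (passwords still accepted)"
    return 1
}

# Constructed sample files, not taken from any real host.
tmp=$(mktemp -d)
printf '%s\n' '#PermitRootLogin yes' 'Port 222' \
    'PasswordAuthentication yes' 'PasswordAuthentication no' > "$tmp/appended"
printf '%s\n' 'Port 222' 'PasswordAuthentication no' > "$tmp/fixed"

audit_sshd_config "$tmp/appended" || echo "=> appended line is shadowed"
audit_sshd_config "$tmp/fixed"
rm -rf "$tmp"
```

On the host itself, `sshd -T` prints the effective configuration as sshd parses it, which is the authoritative check before reloading the service.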


