[arm-allstar] Allstar security justification for local college

Doug Crompton wa3dsp at gmail.com
Mon Aug 14 15:47:40 EST 2017


Laroy,

Yes, you can still log in at the terminal, assuming you have not forgotten
the password.

Also be aware that the key process, while better in many situations for
login, does have the same problems of losing a key, and you would still
have to distribute and protect that key for all users that would have
access to the system.

Personally I would go with a strong password and an obscure port, especially
when more than one person from different locations has access. Here is some
good info on ssh and keys...


https://www.digitalocean.com/community/tutorials/how-to-configure-ssh-key-based-authentication-on-a-linux-server


*73 Doug*

*WA3DSP*

*http://www.crompton.com/hamradio*


On Mon, Aug 14, 2017 at 3:45 PM, "LaRoy McCann via arm-allstar" <
arm-allstar at hamvoip.org> wrote:

> Yes, but that's true for any system.
> I believe what Tom was talking about was just for ssh services, disabling
> password authentication with ssh.
> Correct me if I am wrong but I don't think changing password
> authentication in /etc/ssh/sshd_config will keep you from logging in on the
> local console, will it?
>
> LaRoy K5TW
>
> On 8/14/2017 1:53 PM, "Doug Crompton via arm-allstar" wrote:
>
>> Still need to login so not if you didn't have the PW or it didn't work.
>>
>> On Mon, Aug 14, 2017 at 1:46 PM, "LaRoy McCann via arm-allstar" <
>> arm-allstar at hamvoip.org> wrote:
>>
>>> But I guess you could always just connect a keyboard and monitor and
>>> login?
>>>
>>>
>>> On 8/14/2017 11:56 AM, "Doug Crompton via arm-allstar" wrote:
>>>
>>>> Just a warning, be careful adjusting ssh stuff. If you end up not being
>>>> able to login you are hosed! At that point your only options are to build
>>>> a new image or bring the SD card up on a running Linux system and alter
>>>> things there.
>>>>
>>>>
>>>> *73 Doug*
>>>>
>>>> *WA3DSP*
>>>>
>>>> *http://www.crompton.com/hamradio*
>>>>
>>>>
>>>> On Mon, Aug 14, 2017 at 12:04 PM, "LaRoy McCann via arm-allstar" <
>>>> arm-allstar at hamvoip.org> wrote:
>>>>
>>>>> Thanks Tom, that's a good point.  I should be doing that on all my stuff
>>>>> already but I guess I have been a little lazy.
>>>>> I will work on getting that setup.
>>>>>
>>>>> LaRoy K5TW
>>>>>
>>>>> On 8/14/2017 10:31 AM, "Tom Hayward via arm-allstar" wrote:
>>>>>
>>>>>> The best way to secure SSH is to disable password authentication and
>>>>>> use only keys. This way you don't have to worry about the strength of
>>>>>> your password.
>>>>>>
>>>>>> To do this, first paste your public key in /root/.ssh/authorized_keys.
>>>>>> Then test it. You should not be prompted for a password when you log
>>>>>> in.
>>>>>>
>>>>>> Then open /etc/ssh/sshd_config and add the line:
>>>>>> PasswordAuthentication no
>>>>>>
>>>>>> Then run:
>>>>>> systemctl reload sshd.service
>>>>>>
>>>>>> Tom KD7LXL
>>>>>>
>>>>>> On Mon, Aug 14, 2017 at 7:36 AM, "LaRoy McCann via arm-allstar"
>>>>>> <arm-allstar at hamvoip.org> wrote:
>>>>>>
>>>>>>> I was asked to help a local club add an Allstar / Echolink interface to
>>>>>>> their existing repeater controller.
>>>>>>> They presently use an RF link to provide their repeater with Echolink
>>>>>>> but are wanting to use a Pi and Allstar since they have internet access
>>>>>>> and do away with the RF link.
>>>>>>>
>>>>>>> Their repeater is located at a local college and the IT department
>>>>>>> wants to know about the Pi and its security before they provide
>>>>>>> internet access for it.  I was starting to do a security write-up but
>>>>>>> was wondering if anyone has anything they have prepared before and
>>>>>>> would be willing to share it.
>>>>>>>
>>>>>>> Anyone have any suggestions that I need to do in order to make it as
>>>>>>> secure as possible?
>>>>>>> I intend to place this behind a mikrotik router and block all ports
>>>>>>> except for the ones needed by allstar, echolink and ssh and do the same
>>>>>>> on the Hamvoip image.
>>>>>>>
>>>>>>> Should I add fail2ban?
>>>>>>>
>>>>>>>
>>>>>>> LaRoy K5TW
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>>
>>>>>>> arm-allstar mailing list
>>>>>>> arm-allstar at hamvoip.org
>>>>>>> http://lists.hamvoip.org/cgi-bin/mailman/listinfo/arm-allstar
>>>>>>>
>>>>>>> Visit the BBB and RPi2/3 web page - http://hamvoip.org
>>>>>>>
>
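
The sshd_config change described in the thread, combined with the lockout warning, as an added example that is not part of the original messages. The function name `disable_ssh_passwords` and its arguments are assumptions made for illustration. It puts the setting on the first line because sshd uses the first value it reads for a keyword, so a line added below an existing `PasswordAuthentication yes` or after a `Match` block would not take effect globally.

```shell
#!/bin/sh
# Added example, not from the thread: lockout-safe "PasswordAuthentication no".
# Usage: disable_ssh_passwords CONFIG AUTHORIZED_KEYS [CHECK_CMD]
# CHECK_CMD (assumption: default "sshd -t -f") must exit 0 for a valid config.
disable_ssh_passwords() {
    cfg=$1; keys=$2; check=${3:-"sshd -t -f"}
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 1; }

    # Guard 1: refuse unless at least one public key line is installed,
    # otherwise disabling passwords leaves no way in over ssh.
    if ! grep -v '^[[:space:]]*#' "$keys" 2>/dev/null |
         grep -Eq '(ssh-(rsa|ed25519)|ecdsa-sha2-[a-z0-9]+|sk-[a-z0-9@.-]+) [A-Za-z0-9+/]'
    then
        echo "no public key found in $keys; $cfg left untouched" >&2
        return 1
    fi

    tmp=$(mktemp) || return 1
    # sshd keeps the FIRST value it reads for a keyword, and a line appended
    # after a Match block applies only inside that block. So put the setting
    # on the first line and comment out every other occurrence.
    {
        echo 'PasswordAuthentication no'
        awk 'tolower($1) ~ /^passwordauthentication(=|$)/ { print "# " $0; next }
             { print }' "$cfg"
    } > "$tmp"

    # Guard 2: have sshd parse the candidate before it replaces the live file.
    if ! $check "$tmp" >/dev/null 2>&1; then
        echo "candidate failed validation; $cfg left untouched" >&2
        rm -f "$tmp"
        return 1
    fi

    # cat (not mv) keeps the live file's owner and mode.
    if cp -p "$cfg" "$cfg.bak" && cat "$tmp" > "$cfg"; then
        rm -f "$tmp"
        echo "updated $cfg, backup in $cfg.bak"
        echo "next: systemctl reload sshd.service, then test a key login"
        echo "from a second terminal before closing this session"
    else
        rm -f "$tmp"
        return 1
    fi
}
```

Run it as root with `/etc/ssh/sshd_config` and `/root/.ssh/authorized_keys` as the two arguments; it does not reload sshd itself.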

