[arm-allstar] Allstar security justification for local college
Tom Hayward
tom at tomh.us
Mon Aug 14 14:50:07 EST 2017
Yes, the instructions I provided only affect SSH password login, not
local keyboard/monitor access. The key clue to this is that the file I
suggested modifying is /etc/ssh/sshd_config (based on the name, it is
clearly related to SSH).
Tom KD7LXL
On Mon, Aug 14, 2017 at 12:45 PM, "LaRoy McCann via arm-allstar"
<arm-allstar at hamvoip.org> wrote:
> Yes, but that's true for any system.
> I believe what Tom was talking about was just for ssh services, disabling
> password authentication with ssh.
> Correct me if I am wrong but I don't think changing password authentication
> in /etc/ssh/sshd_config will keep you from logging in on the local console,
> will it?
>
> LaRoy K5TW
>
>
> On 8/14/2017 1:53 PM, "Doug Crompton via arm-allstar" wrote:
>>
>> Still need to login so not if you didn't have the PW or it didn't work.
>>
>> On Mon, Aug 14, 2017 at 1:46 PM, "LaRoy McCann via arm-allstar" <
>> arm-allstar at hamvoip.org> wrote:
>>
>>> But I guess you could always just connect a keyboard and monitor and
>>> login?
>>>
>>>
>>> On 8/14/2017 11:56 AM, "Doug Crompton via arm-allstar" wrote:
>>>
>>>> Just a warning, be careful adjusting ssh stuff. If you end up not being
>>>> able to login you are hosed! At that point your only options are to build
>>>> a new image or bring the SD card up on a running Linux system and alter
>>>> things there.
>>>>
>>>>
>>>> 73 Doug
>>>> WA3DSP
>>>> http://www.crompton.com/hamradio
>>>>
>>>>
>>>> On Mon, Aug 14, 2017 at 12:04 PM, "LaRoy McCann via arm-allstar" <
>>>> arm-allstar at hamvoip.org> wrote:
>>>>
>>>>> Thanks Tom, that's a good point. I should be doing that on all my stuff
>>>>> already but I guess I have been a little lazy.
>>>>> I will work on getting that set up.
>>>>>
>>>>> LaRoy K5TW
>>>>>
>>>>> On 8/14/2017 10:31 AM, "Tom Hayward via arm-allstar" wrote:
>>>>>
>>>>>> The best way to secure SSH is to disable password authentication and
>>>>>> use only keys. This way you don't have to worry about the strength of
>>>>>> your password.
>>>>>>
>>>>>> To do this, first paste your public key in /root/.ssh/authorized_keys.
>>>>>> Then test it. You should not be prompted for a password when you log in.
>>>>>>
>>>>>> Then open /etc/ssh/sshd_config and add the line:
>>>>>> PasswordAuthentication no
>>>>>>
>>>>>> Then run:
>>>>>> systemctl reload sshd.service
>>>>>>
>>>>>> Tom KD7LXL
>>>>>>
>>>>>> On Mon, Aug 14, 2017 at 7:36 AM, "LaRoy McCann via arm-allstar"
>>>>>> <arm-allstar at hamvoip.org> wrote:
>>>>>>
>>>>>>> I was asked to help a local club add an Allstar / Echolink interface to
>>>>>>> their existing repeater controller.
>>>>>>> They presently use an RF link to provide their repeater with Echolink but
>>>>>>> are wanting to use a Pi and Allstar since they have internet access and do
>>>>>>> away with the RF link.
>>>>>>>
>>>>>>> Their repeater is located at a local college and the IT department wants to
>>>>>>> know about the Pi and its security before they provide internet access for
>>>>>>> it. I was starting to do a security write-up but was wondering if anyone
>>>>>>> has anything they have prepared before and would be willing to share it.
>>>>>>>
>>>>>>> Anyone have any suggestions that I need to do in order to make it as secure
>>>>>>> as possible?
>>>>>>> I intend to place this behind a mikrotik router and block all ports except
>>>>>>> for the ones needed by allstar, echolink and ssh and do the same on the
>>>>>>> Hamvoip image.
>>>>>>>
>>>>>>> Should I add fail2ban?
>>>>>>>
>>>>>>>
>>>>>>> LaRoy K5TW
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>>
>>>>>>> arm-allstar mailing list
>>>>>>> arm-allstar at hamvoip.org
>>>>>>> http://lists.hamvoip.org/cgi-bin/mailman/listinfo/arm-allstar
>>>>>>>
>>>>>>> Visit the BBB and RPi2/3 web page - http://hamvoip.org
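
Added example, not written by anyone in this thread: a pre-flight check for the key-only procedure quoted above, covering the lockout risk raised in the replies and the fact that sshd honours the first occurrence of a keyword, so an appended "PasswordAuthentication no" can be silently ignored. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-flight checks before relying on "PasswordAuthentication no".
# On a real node the inputs are /root/.ssh/authorized_keys and /etc/ssh/sshd_config.

# Succeeds if the file has at least one non-comment line that looks like a public key.
has_usable_key() {
    [ -r "$1" ] || return 1
    grep -v '^[[:space:]]*#' "$1" |
        grep -Eq '(^|[[:space:]])(ssh-(rsa|ed25519)|ecdsa-sha2-nistp(256|384|521))[[:space:]]+AAAA'
}

# Prints the global PasswordAuthentication value: sshd uses the FIRST occurrence
# of a keyword, the keyword is case-insensitive, and the default is "yes".
# Simplification: stops at the first Match block and does not follow Include.
password_auth_setting() {
    awk 'tolower($1) == "match" { exit }
         tolower($1) == "passwordauthentication" { print tolower($2); found = 1; exit }
         END { if (!found) print "yes" }' "$1"
}

# Verdict: 0 = keys only, 1 = no key installed (do not touch sshd), 2 = passwords still on.
preflight() {  # usage: preflight AUTHORIZED_KEYS SSHD_CONFIG
    has_usable_key "$1" || { echo "STOP: no public key in $1"; return 1; }
    [ "$(password_auth_setting "$2")" = no ] || { echo "WARN: passwords still accepted"; return 2; }
    echo "OK: key present, password login disabled"
}

# Constructed sample files (the key is a placeholder, not a real key).
SAMPLE=$(mktemp -d)
echo '# no keys yet' > "$SAMPLE/empty_keys"
echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIconstructedPlaceholderKey admin@example' > "$SAMPLE/keys"
printf 'PasswordAuthentication yes\nPermitRootLogin yes\nPasswordAuthentication no\n' > "$SAMPLE/appended.conf"
printf 'PasswordAuthentication no\nPermitRootLogin yes\n' > "$SAMPLE/first.conf"

preflight "$SAMPLE/empty_keys" "$SAMPLE/first.conf" || true   # STOP
preflight "$SAMPLE/keys" "$SAMPLE/appended.conf" || true      # WARN: earlier "yes" wins
preflight "$SAMPLE/keys" "$SAMPLE/first.conf"                 # OK
```

On a live system, `sshd -t` validates the edited file before the reload and `sshd -T` prints the effective settings, including anything pulled in by Include. Keep the current SSH session open until a second key-based login has succeeded.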