Re: [tor-relays] List of Relays' Available SSH Auth Methods
On Tue, Nov 18, 2014 at 10:09:37AM -0500, Libertas wrote:
> Hi, everyone. Linked below is a list of relays that were live last night
> along with the SSH authentication methods they support:
[snip]
> Generally, it is far more secure to allow only public key auth.
This is great advice, and thanks for doing this scan! But I have one
question about another piece of advice:
> * SSH being served on a non-standard port - something other than port
> 22. This is a good idea, as many brute-force attackers will only
> bother trying port 22.
I don't understand why, for a system that has gotten any security review
at all, moving ssh to another port is "a good idea".
If your ssh config is secure against password brute forcing, then it
simply doesn't matter that botnets are crashing against the gate, and
"change your port" or "run fail2ban" seem pointless. The only
difference is the amount of logspew that is generated.
If your ssh config is insecure (PasswordAuthentication Yes and you have
a bruteforceable password) then moving to another port, or running
fail2ban, does not help the situation much against any determined
attacker; the real attackers have millions of compromised hosts to
bruteforce from (or entire ASes to spoof from), and if your config is
sufficiently insecure that root/b4mb1 is going to work, you're not
likely to install fail2ban *either*.
So for my systems, I set passwords to be [a-zA-Z0-9]{10} from urandom,
and I generally (but not always) turn off PasswordAuthentication, and I
keep sshd up-to-date, but I don't change from port 22 nor do I ever run
fail2ban.
-andy
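The two things andy's setup above relies on, an unguessable password drawn from urandom and PasswordAuthentication actually being off, are both easy to get subtly wrong (a biased generator, or a `PasswordAuthentication no` line that is commented out or shadowed by an earlier directive). The script below is an added example, not code from andy or from the tor-relays thread. It generates a `[a-zA-Z0-9]{10}` password by rejection sampling from /dev/urandom (62^10 is about 2^59.5, so roughly 59 bits) and reports the effective global PasswordAuthentication value of an sshd_config text, following sshd's own rules: the first occurrence of a keyword wins, matching is case-insensitive, and the default is `yes`. The function names and the two sample configs are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post). Helpers in the spirit of
# the setup described above.

# gen_password LEN: print LEN characters from [A-Za-z0-9] using
# /dev/urandom. `tr -dc` discards every byte outside the set, which is
# plain rejection sampling, so there is no modulo bias. Default LEN is 10.
gen_password() {
    len="${1:-10}"
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "$len"
    echo
}

# password_is_valid PW LEN: succeed if PW is exactly LEN chars of [A-Za-z0-9].
password_is_valid() {
    pw="$1"; len="${2:-10}"
    [ "${#pw}" -eq "$len" ] || return 1
    case "$pw" in
        *[!A-Za-z0-9]*) return 1 ;;
    esac
    return 0
}

# sshd_password_auth: read an sshd_config on stdin and print "yes" or "no",
# the effective global PasswordAuthentication value. As in sshd, the first
# occurrence wins, keywords and values are case-insensitive, and the
# default when the keyword is absent or commented out is "yes". Directives
# after the first Match block apply only conditionally, so they are
# ignored here (this helper reports the global value only).
sshd_password_auth() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == "passwordauthentication" && val == "" { val = tolower($2) }
        END { print (val == "" ? "yes" : val) }
    '
}

# Constructed sample configs. The "weak" one looks hardened at a glance,
# but the only PasswordAuthentication line is a comment, so the default
# (yes) applies and a bruteforceable password would work.
WEAK_CONFIG='Port 22
# PasswordAuthentication no
PermitRootLogin yes
'

# The hardened one turns passwords off globally; the Match block at the
# end re-enables them for one user only and does not change the global
# value that sshd_password_auth reports.
HARDENED_CONFIG='Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
Match User backup
    PasswordAuthentication yes
'

# Demonstration when run directly.
printf 'generated password: %s\n' "$(gen_password 10)"
printf 'weak config     -> PasswordAuthentication %s\n' \
    "$(printf '%s' "$WEAK_CONFIG" | sshd_password_auth)"
printf 'hardened config -> PasswordAuthentication %s\n' \
    "$(printf '%s' "$HARDENED_CONFIG" | sshd_password_auth)"
```

On a live host, `sshd -T` (extended test mode) dumps the effective configuration after parsing, so `sshd -T | grep -i passwordauthentication` is the authoritative check; the awk helper above is for auditing config files you cannot run sshd against.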
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays