
Re: [tor-relays] List of Relays' Available SSH Auth Methods



On Tue, Nov 18, 2014, at 11:45 AM, Zack Weinberg wrote:
> On Tue, Nov 18, 2014 at 11:15 AM, Toralf Förster <toralf.foerster@xxxxxx>
> wrote:
> > On 11/18/2014 04:28 PM, Jeroen Massar wrote:
> >> People should realize though that it is not 'safer' in any way running
> >> SSH on another port.
> >
> > But it is (slightly) more expensive - which counts, or ?
> 
> In my limited experience, moving SSH to another port made no apparent
> difference to the number of random attempts to break in.  I'd
> recommend fail2ban or equivalent instead.
> 
> zw


I definitely agree with this. I don't have hard metrics to share but in
my time working for a hosting provider, I saw very limited benefit to
changing the default port. Yes, some scanners and software won't scan
you if you aren't running on port 22 but the amount of scanning that
also covered non-standard ports made it mostly a moot point. However,
your mileage may vary based on your provider (certain IP blocks are
hit harder/more frequently than others).  Fail2ban generally provides
better protection than strictly using a different port as far as I've
seen.

As Libertas said, pub key auth is generally best... or even for some,
disabling SSH altogether may be possible. If your relay is a VPS and you
have access to a (Java) console or some form of IPMI/DRAC/iLO
management, you may not even need SSH access, but these could open up
additional security issues (particularly old firmware for out of band
management).

Regards,
Ryan
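
An added example, not part of the original message: a small Python audit of `sshd_config` text for the points made in this thread, flagging password-based methods that remain enabled and noting when only the port was changed. The function names, the sample configs and the reliance on OpenSSH's compiled-in defaults are assumptions of this example; `Match` blocks and `Include` files are not evaluated.

```python
import re

# OpenSSH compiled-in defaults for the keywords checked here (assumed unpatched).
DEFAULTS = {"passwordauthentication": "yes", "kbdinteractiveauthentication": "yes",
            "pubkeyauthentication": "yes"}
# Older configs use the deprecated name for keyboard-interactive.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

def effective_settings(config_text):
    """Global settings from sshd_config text; Match and Include are not evaluated."""
    settings, ports = {}, []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) < 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().strip('"').lower()
        if key == "match":
            break  # everything after this point is conditional
        key = ALIASES.get(key, key)
        if key == "port":
            ports.append(int(value))  # Port may be given several times
        elif key in DEFAULTS and key not in settings:
            settings[key] = value  # sshd keeps the first value it reads
    return {**DEFAULTS, **settings, "ports": ports or [22]}

def audit(config_text):
    """Return a list of findings, empty when only key-based logins are offered."""
    s = effective_settings(config_text)
    guessable = [k for k in ("passwordauthentication", "kbdinteractiveauthentication")
                 if s[k] == "yes"]
    findings = [f"{k} is enabled: password guessing is possible" for k in guessable]
    if s["pubkeyauthentication"] != "yes":
        findings.append("pubkeyauthentication is disabled: key logins unavailable")
    if guessable and 22 not in s["ports"]:
        findings.append(f"port moved to {s['ports']} but passwords are still accepted")
    return findings

# Constructed sample configs, not taken from any real relay.
MOVED_PORT_ONLY = "Port 2222\n#PasswordAuthentication yes\nChallengeResponseAuthentication no\n"
KEYS_ONLY = ("Port 22\nPasswordAuthentication no\n"
             "KbdInteractiveAuthentication no\nPubkeyAuthentication yes\n")

if __name__ == "__main__":
    for name, cfg in (("moved port only", MOVED_PORT_ONLY), ("keys only", KEYS_ONLY)):
        print(name, "->", audit(cfg) or "no findings")
```

On a live host, `sshd -T` prints the effective configuration and is the authoritative input for a check like this.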