Re: [tor-relays] List of Relays' Available SSH Auth Methods
Password brute-forcing is still a threat with fail2ban because your
username and password can be compromised without your knowledge more
easily than a private key. It's discussed in this talk, which I linked
earlier:
http://www.bsdcan.org/2013/schedule/events/403.en.html
On 11/18/2014 01:10 PM, Dan Rogers wrote:
>
>
> IMO there could occasionally be reasons not to use key logins
> (although I do normally disable pwd login). E.g. if I have a key, I
> then have evidence somewhere (USB/HD), whereas a secure password
> can be kept only in my head (until they waterboard me). Especially
> in countries (e.g. the UK) that can force you to hand over
> encryption keys. I'd rather have an insecure Tor node than get
> arrested (although tbh with fail2ban installed I don't think pwd
> bruteforcing is a threat).
>
>
>
> On 18/11/14 17:46, Jeroen Massar wrote:
>> On 2014-11-18 18:38, Kevin de Bie wrote:
>>> Fail2Ban works really well. Shifting to a non standard port
>>> only stops the scriptkids from having too much automated
>>> options and does not do anything for actual security. For this
>>> reason I personally never bothered with that. Non standard
>>> username and password auth with fail2ban makes brute forcing
>>> practically impossible, this is usually how I have things
>>> configured.
>> Just changing it to key-based authentication stops ALL
>> password-guessing attacks.
>>
>> You will then be left with the logs though.
>>
>>
>> Hence let's make a little list for clarity in order of "should at
>> least do":
>>
>> - Use SSH Authentication
>> - Disable Password Authentication
>> - Use Fail2ban
>> - Restrict on IP address (no need for fail2ban then)
>>
>> Greets, Jeroen
>>
>> _______________________________________________ tor-relays
>> mailing list tor-relays@xxxxxxxxxxxxxxxxxxxx
>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
>
> -- Dan Rogers +44 7539 552349 skype: dan.j.rogers gpg key
> <https://secure.techwang.com/gpg/public_key.txt> linkedin
> <http://www.linkedin.com/in/danrogerslondon> | twitter
> <http://twitter.com/danjrog> | spotify
> <http://open.spotify.com/user/bonkbonkonk> | music
> <http://holdingitwrong.com>
>
>
>
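
The checklist quoted above can be checked mechanically against an sshd_config. This is an added example, not part of the original thread: it reads only the global section (no Include or Match evaluation), the sample configs and the user name relayadmin are constructed, and it assumes the address restriction is expressed with AllowUsers user@host rather than a firewall.

```python
import re

# OpenSSH defaults, used when a keyword is not set in the file.
DEFAULTS = {"pubkeyauthentication": "yes", "passwordauthentication": "yes",
            "kbdinteractiveauthentication": "yes"}
# Deprecated alias still found in older configs.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

def global_settings(text):
    """Global settings as sshd reads them: the first value per keyword wins."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"(\w+)(?:\s*=\s*|\s+)(.+)", line)
        if line.startswith("#") or not m:
            continue
        key = ALIASES.get(m.group(1).lower(), m.group(1).lower())
        if key == "match":  # per-connection Match blocks are not evaluated here
            break
        if key == "allowusers":  # repeated AllowUsers lines accumulate
            seen[key] = seen.get(key, []) + m.group(2).split()
        else:
            seen.setdefault(key, m.group(2).strip().lower())
    return {**DEFAULTS, **seen}

def audit(text):
    """Findings against the checklist in the thread (fail2ban is not checked)."""
    s, findings = global_settings(text), []
    if s["pubkeyauthentication"] != "yes":
        findings.append("key authentication disabled")
    if s["passwordauthentication"] != "no":
        findings.append("password authentication enabled")
    if s["kbdinteractiveauthentication"] != "no":
        findings.append("keyboard-interactive enabled (PAM may prompt for a password)")
    patterns = s.get("allowusers", [])
    if not patterns or not all("@" in p for p in patterns):
        findings.append("logins not restricted by source address")
    return findings

# Constructed samples. In WEAK the later "no" is ignored: the first value wins.
WEAK = "PasswordAuthentication yes\nChallengeResponseAuthentication no\nPasswordAuthentication no\n"
HARDENED = ("PubkeyAuthentication yes\nPasswordAuthentication no\n"
            "KbdInteractiveAuthentication no\nAllowUsers relayadmin@192.0.2.10\n")

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(cfg) or "ok")
```
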