<p dir="ltr">You could also just want on the spot access to your box without needing some key. I personally believe a proper un/pw combination used in conjunction with fail2ban is sufficiently secure for pretty much anything that is not a high risk target. <br>
</p>
<br><div class="gmail_quote">Op 19:10 di 18 nov. 2014 schreef Dan Rogers <<a href="mailto:dan@holdingitwrong.com">dan@holdingitwrong.com</a>>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<br>
<br>
IMO there could occasionally be reasons not to use key logins
(although I do normally disable pwd login). E.g. if I have a key, I
then have evidence somewhere (USB/HD), whereas a secure password can
be kept only in my head (until they waterboard me). Especially in
countries (e.g. the UK) that can force you to hand over encryption
keys. I'd rather have an insecure Tor node than get arrested
(although tbh with fail2ban installed I don't think pwd bruteforcing
is a threat).</div><div bgcolor="#FFFFFF" text="#000000"><br>
<br>
<br>
<br>
<div>On 18/11/14 17:46, Jeroen Massar wrote:<br>
</div>
<blockquote type="cite">
<pre>On 2014-11-18 18:38, Kevin de Bie wrote:
</pre>
<blockquote type="cite">
<pre>
Fail2Ban works really well. Shifting to a non standard port only stops
the scriptkids from having too much automated options and does not do
anything for actual security. For this reason I personally never
bothered with that. Non standard username and password auth with
fail2ban makes brute forcing practically impossible, this is usually how
I have things configured.
</pre>
</blockquote>
<pre>
Just changing it to key-based authentication stops ALL password-guessing
attacks.
You will then be left with the logs though.
Hence lets make a little list for clarity in order of "should at least do":
- Use SSH Authentication
- Disable Password Authentication
- Use Fail2ban
- Restrict on IP address (no need for fail2ban then)
Greets,
Jeroen
_______________________________________________
tor-relays mailing list
<a href="mailto:tor-relays@lists.torproject.org" target="_blank">tor-relays@lists.torproject.org</a>
<a href="https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays" target="_blank">https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays</a>
</pre>
</blockquote>
<br>
</div><div bgcolor="#FFFFFF" text="#000000"><div>-- <br>
<div>Dan Rogers</div>
<div>+44 7539 552349<br>
<a>skype: dan.j.rogers</a></div>
<div><a href="https://secure.techwang.com/gpg/public_key.txt" target="_blank">gpg
key</a>
</div>
<div><a href="http://www.linkedin.com/in/danrogerslondon" target="_blank">linkedin</a> | <a href="http://twitter.com/danjrog" target="_blank">twitter</a> |
<a href="http://open.spotify.com/user/bonkbonkonk" target="_blank">spotify</a> | <a href="http://holdingitwrong.com" target="_blank">music</a></div>
</div>
</div>
______________________________<u></u>_________________<br>
tor-relays mailing list<br>
<a href="mailto:tor-relays@lists.torproject.org" target="_blank">tor-relays@lists.torproject.<u></u>org</a><br>
<a href="https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays" target="_blank">https://lists.torproject.org/<u></u>cgi-bin/mailman/listinfo/tor-<u></u>relays</a><br>
</blockquote></div>