I'm not a big fan of adding more complexity to "improve" security.
With fail2ban [1] you run the risk of, for example, someone bruteforcing your ssh from every exit node they can find, then your relay blocking those exits, meaning there are certain circuits that you're stopping clients from making. Instead of fail2ban I recommend using a non-standard port for SSH to defeat the majority of bruteforce attempts; this will stop pretty much all the bad ssh traffic you're seeing. Most of it is botnets, and they're not very smart and won't waste time; they're looking for the low-hanging fruit (I don't have to outrun the bear, just you).
rkhunter has had a few vulns [2][3] that allowed privesc (let's use predictable filenames in /tmp!), and we all know that signature-based detection is terrible anyway.
clamav has a track record [4] that should make you instantly just throw it on the fire too! If you think the data might be evil *don't* try and use your home-rolled parser to try and do in-depth analysis of it automatically!
Keep it simple: have a restricted inbound port policy, and if you can, use a hardened kernel with grsec/pax and apparmor (or your preferred MAC) profiles to help compartmentalise and reduce the pivot room for any potential exploit if it is successful.
Also, use key auth and deny password logins for your ssh, if possible. I'd recommend that you don't use DSA or ECDSA though; if you're on a modern openssh then ed25519 is fine, otherwise use the tried-and-true RSA.
[1] http://www.osvdb.org/search/search?search%5Bvuln_title%5D=fail2ban&searc...
[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=2005-1270
[3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-4982
[4] http://www.osvdb.org/search/search?search%5Bvuln_title%5D=clamav&search%...
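An added example, not from either poster, that checks an sshd_config against the advice above (non-standard port, key-only auth, no root login, no DSA/ECDSA host keys). The keyword names are real sshd_config options; the sample configs are constructed, and the script assumes POSIX sh and awk.

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config against the advice above.
# Print the effective value of a keyword. sshd uses the FIRST uncommented
# occurrence and ignores later duplicates; $3 is the value assumed when absent.
sshd_effective() {
  awk -v key="$2" -v def="$3" '
    /^[[:space:]]*#/ || NF < 2 { next }
    tolower($1) == tolower(key) { found = 1; print $2; exit }
    END { if (!found) print def }' "$1"
}
# Print each deviation from the recommendations; return the number found.
audit_sshd_config() {
  cfg=$1; issues=0
  [ "$(sshd_effective "$cfg" Port 22)" != 22 ] ||
    { echo "Port 22: move SSH to a non-standard port"; issues=$((issues + 1)); }
  [ "$(sshd_effective "$cfg" PasswordAuthentication yes)" = no ] ||
    { echo "PasswordAuthentication is not 'no'"; issues=$((issues + 1)); }
  [ "$(sshd_effective "$cfg" PubkeyAuthentication yes)" = yes ] ||
    { echo "PubkeyAuthentication is disabled"; issues=$((issues + 1)); }
  [ "$(sshd_effective "$cfg" PermitRootLogin yes)" = no ] ||
    { echo "PermitRootLogin is not 'no'"; issues=$((issues + 1)); }
  # every HostKey line is offered, so list any DSA/ECDSA keys still present
  weak=$(awk '!/^[[:space:]]*#/ && tolower($1) == "hostkey" && $2 ~ /_(dsa|ecdsa)_/ { print $2 }' "$cfg")
  [ -z "$weak" ] || { echo "DSA/ECDSA host key(s): $weak"; issues=$((issues + 1)); }
  return "$issues"
}
# Constructed samples: a near-default config (note the duplicate keyword) and a hardened one.
tmp=$(mktemp -d)
cat > "$tmp/default.conf" <<'EOF'
#Port 22
PasswordAuthentication yes
PasswordAuthentication no
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
EOF
cat > "$tmp/hardened.conf" <<'EOF'
Port 2222
PermitRootLogin no
PasswordAuthentication no
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
EOF
for f in default hardened; do
  if audit_sshd_config "$tmp/$f.conf"; then echo "$f.conf: no issues"; else echo "$f.conf: $? issue(s)"; fi
done
rm -rf "$tmp"
```

The default sample reports 4 issues (the second PasswordAuthentication line never takes effect), the hardened one none.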
Speak Freely:
Hi ZEROF,
I had fail2ban, harden (which includes tiger, tripwire, logcheck, plus MANY others), all the fancy log checkers, rkhunter and clamav, unattended-upgrades, and had all logs emailed to me on a daily basis. It was tedious to go through, but I was trying to do my due diligence.
I disabled root login, changed ssh port (security through obscurity - damn right, but I kept it in the privileged range.)
-------------------
Each password was a minimum of 32 characters, alphanumeric plus symbols. No two passwords were alike, or remotely similar. (No, I didn't use keys :@)
I checked "how secure is my password", and this is the result: It would take a desktop PC about 21 quattuordecillion years to crack your password
I had to look quattuordecillion up, as my spell checker doesn't know what it means. In the US, it means 1 followed by 45 zeros. (In the UK it is 10^84, but I believe the website is American so I'm sticking with ^45)
---------------
I disabled as many services as I could reasonably tolerate. I removed world rights to as much as I could think of. I did everything I could think of to make each VPS effectively useless except for running a Tor relay.
My firewall matched my Reduced Exit Policy, plus my "secret" ssh port.
----
I never thought about the honey-pot... That's a good one.
Speak Freely
_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays