Great work Libertas! Glad to see my relay didn't come up with any results :)
Colin
On November 18, 2014 10:09:37 AM EST, Libertas libertas@mykolab.com wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
Hi, everyone. Linked below is a list of relays that were live last night along with the SSH authentication methods they support:
https://gist.githubusercontent.com/plsql/27e80e6dab421f8cba6c/raw/8bb0c7aa9d...
If no auth methods are listed, the SSH connection to the relay failed (more on that below).
I used this script to generate it:
https://github.com/plsql/ssh-auth-methods
The purpose of this is to alert relay operators that are still allowing password authentication. 2,051 relays offered password auth, and many more likely offer similarly insecure methods or were missed for reasons discussed below.
Generally, it is far more secure to allow only public key auth. The Ubuntu help pages have a good guide on setting up key-based auth:
https://help.ubuntu.com/community/SSH/OpenSSH/Keys
Be sure to disable password authentication after you get key-based auth working!
https://help.ubuntu.com/community/SSH/OpenSSH/Configuring#disable-password-a...
To test whether password auth is still supported, use my script (the README is pretty thorough) or try SSHing from a machine that doesn't have access to your private key. In the latter case, you should get the response 'Permission denied (publickey).' immediately.
If you're having issues, make sure that you've restarted sshd since the last time you changed the config.
Be sure to back up the node's secret key or your SSH private key, but only somewhere safe! For example, store it in a password manager database on Tarsnap or a USB.
This script doesn't attempt any kind of authentication or unauthorized access, so it's about as benign as network scanning scripts come. Regardless, let me know if you have any concerns.
It made successful SSH connections with 2839 / 6551 relays. Reasons for failure include:
- SSH being served on a non-standard port - something other than port
- This is a good idea, as many brute-force attackers will only
bother trying port 22. The script I wrote could have used an alternate port number supplied from nmap, but this would run much slower and would potentially get my VPS blocked before it could even get the SSH information.
- The server only allowing SSH connections from certain IP addresses.
This is also commonly recommended, although it can be a little rigid if you don't have a VPN with a static IP (what if your server goes down while you're away from home?).
- The server going down between when I downloaded the consensus and
when I ran the script.
- My VPS's IP address getting added to a shared blacklist that the
server uses.
- etc.
If I gave any poor advice or got anything wrong, please let me know.
Libertas -----BEGIN PGP SIGNATURE----- Version: GnuPG v1
iQIcBAEBCAAGBQJUa2ExAAoJELxHvGCsI27Np8IP/2duANtd55hs5L9IskFD2REe 9x5TR+uwZ54GhYLiFc+qiX3JnfoxfurZW7vi++D4R3E9L7nGo5weEZd0b88yJ6kx fUT9QG8gq2RFYdG+RQgYoEI9mLNObK/uc6J9qV3Y7dLOE/may6t6BDWpQTh7g5BJ 8fOnhrqjs0JdfTldc6xzrHT+m1dKBpylWus/WwGaJBReKOx6v7FoMEY53qowK0iA Vb5QS4idYb5WWF+K3Uzqk56v6sUzds/LTTlVc/R6mxjdse4AiMXO3DZsEffhI95W 8xSuw45e/Cfv/j80njsm4O1gFnrqyv/KcGwmL7vNPmtH4+i6dijTbBRroVElm1o3 LQBgCdUmQLz7njeprKnw8xdKT9X3oht4p9VZDfqWogXGiqRRdEtQCVUVhJp+ZrPA KrJBtV/IbYxyndhzC5cMAcTQUff0SOvDtzFnC4cxUbxSemtuO1NMwnIZtv3aGmG5 NEfXS3RjaUlZeZPZuymBDL1CnFqki6+eBDvka8ZOhL1/BgmDqcgT7nRWhlC5MtCG wBAfuJWB8BZl2PHg66VUN9X05TeHbVmrlyuRXaZO6SZof0Wp5vPjzJ1mKD6AyTlt Y/7liLapWgCVSYldohvbLB016iO/aHyGf3oTvZqUyG3NyD267aRQCDQ+sZZq7Cdz +eQO5eJLW/gFNXEptaJz =alRk -----END PGP SIGNATURE----- _______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays