Great work Libertas! Glad to see my relay didn't come up with any results :)

Colin

On November 18, 2014 10:09:37 AM EST, Libertas <libertas@mykolab.com> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi, everyone. Linked below is a list of relays that were live last night
along with the SSH authentication methods they support:

https://gist.githubusercontent.com/plsql/27e80e6dab421f8cba6c/raw/8bb0c7aa9d22b8c959834e9db8c80b6511bdf093/gistfile1.txt

If no auth methods are listed, the SSH connection to the relay failed
(more on that below).

I used this script to generate it:

https://github.com/plsql/ssh-auth-methods

The purpose of this is to alert relay operators that are still
allowing password authentication. 2,051 relays offered password auth,
and many more likely offer similarly insecure methods or were missed
for reasons discussed below.

Generally, it is far more secure to allow only public key auth. The
Ubuntu help pages have a good guide on setting up key-based auth:

https://help.ubuntu.com/community/SSH/OpenSSH/Keys

Be sure to disable password authentication after you get key-based
auth working!

https://help.ubuntu.com/community/SSH/OpenSSH/Configuring#disable-password-authentication

To test whether password auth is still supported, use my script (the
README is pretty thorough) or try SSHing from a machine that doesn't
have access to your private key. In the latter case, you should get
the response 'Permission denied (publickey).' immediately.

If you're having issues, make sure that you've restarted sshd since
the last time you changed the config.

Be sure to back up the node's secret key or your SSH private key, but
only somewhere safe! For example, store it in a password manager
database on Tarsnap or a USB.

This script doesn't attempt any kind of authentication or unauthorized
access, so it's about as benign as network scanning scripts come.
Regardless, let me know if you have any concerns.

It made successful SSH connections with 2839 / 6551 relays. Reasons
for failure include:

* SSH being served on a non-standard port - something other than port
22. This is a good idea, as many brute-force attackers will only
bother trying port 22. The script I wrote could have used an alternate
port number supplied from nmap, but this would run much slower and
would potentially get my VPS blocked before it could even get the SSH
information.

* The server only allowing SSH connections from certain IP addresses.
This is also commonly recommended, although it can be a little rigid
if you don't have a VPN with a static IP (what if your server goes
down while you're away from home?).

* The server going down between when I downloaded the consensus and
when I ran the script.

* My VPS's IP address getting added to a shared blacklist that the
server uses.

* etc.

If I gave any poor advice or got anything wrong, please let me know.

Libertas
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJUa2ExAAoJELxHvGCsI27Np8IP/2duANtd55hs5L9IskFD2REe
9x5TR+uwZ54GhYLiFc+qiX3JnfoxfurZW7vi++D4R3E9L7nGo5weEZd0b88yJ6kx
fUT9QG8gq2RFYdG+RQgYoEI9mLNObK/uc6J9qV3Y7dLOE/may6t6BDWpQTh7g5BJ
8fOnhrqjs0JdfTldc6xzrHT+m1dKBpylWus/WwGaJBReKOx6v7FoMEY53qowK0iA
Vb5QS4idYb5WWF+K3Uzqk56v6sUzds/LTTlVc/R6mxjdse4AiMXO3DZsEffhI95W
8xSuw45e/Cfv/j80njsm4O1gFnrqyv/KcGwmL7vNPmtH4+i6dijTbBRroVElm1o3
LQBgCdUmQLz7njeprKnw8xdKT9X3oht4p9VZDfqWogXGiqRRdEtQCVUVhJp+ZrPA
KrJBtV/IbYxyndhzC5cMAcTQUff0SOvDtzFnC4cxUbxSemtuO1NMwnIZtv3aGmG5
NEfXS3RjaUlZeZPZuymBDL1CnFqki6+eBDvka8ZOhL1/BgmDqcgT7nRWhlC5MtCG
wBAfuJWB8BZl2PHg66VUN9X05TeHbVmrlyuRXaZO6SZof0Wp5vPjzJ1mKD6AyTlt
Y/7liLapWgCVSYldohvbLB016iO/aHyGf3oTvZqUyG3NyD267aRQCDQ+sZZq7Cdz
+eQO5eJLW/gFNXEptaJz
=alRk
-----END PGP SIGNATURE-----


tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays