On Tue, Nov 18, 2014 at 10:09:37AM -0500, Libertas wrote:
Hi, everyone. Linked below is a list of relays that were live last night along with the SSH authentication methods they support:
[snip]
Generally, it is far more secure to allow only public key auth.
Nobody has mentioned using single packet authentication via fwknopd. I get the warm fuzzies when one must pass this challenge before a sensitive port is opened for your sourcing IP and for only X number of seconds before it's closed. SPA has more to offer than simple port knocking and there are plenty of client options available. Is there a reason more relay operators aren't using it?
It also seems that fail2ban is more favored than csf although the features of additional login notifications and some password brute force protection are similar. Are there reasons that a person would favor one over the other? I'd like to mention that it seems the brute force protection doesn't offer a lot of protection if the attack is distributed and only 1 attempt is ever seen from a given IP. Still better than nothing and all simply an additional layer with single packet authentication enabled.
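
The limitation raised in the message above, where a per-source retry threshold never fires because each address is seen only once, shown as an added example that is not part of the original message or of fail2ban or csf. It assumes OpenSSH-style "Failed password" log lines; the sample log, the thresholds and the function names are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample (not real data): one host retrying six times, then twelve
# hosts from a documentation range that each fail exactly once.
SAMPLE_LOG = "\n".join(
    [f"Nov 18 03:00:{s:02d} relay sshd[411]: Failed password for root "
     f"from 192.0.2.77 port 50000 ssh2" for s in range(0, 60, 10)] +
    [f"Nov 18 03:05:{n * 4:02d} relay sshd[412]: Failed password for invalid user "
     f"admin from 198.51.100.{n} port 41000 ssh2" for n in range(1, 13)])

FAILED = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: Failed password for "
                    r"(?:invalid user )?(\S+) from (\S+) port \d+")

def parse_failures(text, year=2014):
    """Return (timestamp, user, source_ip) tuples; syslog omits the year, so it is assumed."""
    events = []
    for line in text.splitlines():
        m = FAILED.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3)))
    return events

def per_ip_bans(events, max_retry=5, find_time=600):
    """Per-source rule: ban an IP with max_retry failures inside find_time seconds."""
    by_ip = defaultdict(list)
    for ts, _user, ip in sorted(events):
        by_ip[ip].append(ts)
    return {ip for ip, t in by_ip.items()
            if any((t[i + max_retry - 1] - t[i]).total_seconds() <= find_time
                   for i in range(len(t) - max_retry + 1))}

def distributed_sources(events, max_retry=5, find_time=600, min_sources=8):
    """Sources that stay under the per-IP rule but crowd one find_time window together."""
    banned = per_ip_bans(events, max_retry, find_time)
    quiet = sorted(e for e in events if e[2] not in banned)
    best, start = set(), 0
    for end, (ts, _user, _ip) in enumerate(quiet):
        while (ts - quiet[start][0]).total_seconds() > find_time:
            start += 1
        window = {ip for _, _, ip in quiet[start:end + 1]}
        if len(window) > len(best):
            best = window
    return best if len(best) >= min_sources else set()

if __name__ == "__main__":
    events = parse_failures(SAMPLE_LOG)
    print("per-IP bans:", sorted(per_ip_bans(events)))
    print("distributed sources missed by per-IP rule:", len(distributed_sources(events)))
```

On the constructed log the per-source rule bans only the one retrying host, while counting distinct sources per window surfaces the twelve single-attempt hosts as a group.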