
Tor nodes, particularly Tor exit nodes, are high risk targets. Also, the key is accessed from your ~/.ssh directory automatically, so it's actually easier than password auth. Just give the SSH command and you're in!

On 11/18/2014 01:41 PM, Kevin de Bie wrote:
You could also just want on the spot access to your box without needing some key. I personally believe a proper un/pw combination used in conjunction with fail2ban is sufficiently secure for pretty much anything that is not a high risk target.
On Tue 18 Nov 2014 at 19:10, Dan Rogers <dan@holdingitwrong.com> wrote:
IMO there could occasionally be reasons not to use key logins (although I do normally disable pwd login). E.g. if I have a key, I then have evidence somewhere (USB/HD), whereas a secure password can be kept only in my head (until they waterboard me). Especially in countries (e.g. the UK) that can force you to hand over encryption keys. I'd rather have an insecure Tor node than get arrested (although tbh with fail2ban installed I don't think pwd bruteforcing is a threat).
On 18/11/14 17:46, Jeroen Massar wrote:
On 2014-11-18 18:38, Kevin de Bie wrote:
Fail2Ban works really well. Shifting to a non standard port only stops the scriptkids from having too many automated options and does not do anything for actual security. For this reason I personally never bothered with that. Non standard username and password auth with fail2ban makes brute forcing practically impossible, this is usually how I have things configured.

Just changing it to key-based authentication stops ALL password-guessing attacks.
You will then be left with the logs though.
Hence let's make a little list for clarity in order of "should at least do":

- Use SSH Authentication
- Disable Password Authentication
- Use Fail2ban
- Restrict on IP address (no need for fail2ban then)
Greets, Jeroen
_______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org <mailto:tor-relays@lists.torproject.org> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
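The checklist at the end of the thread (key authentication, no password authentication, restriction on IP address) can be checked against a server's effective settings. The following is an added example, not part of any message in the thread: it audits text in the `keyword value` format printed by `sshd -T`. The sample dumps, the user name and the address are constructed, and it assumes the IP restriction is expressed as `AllowUsers user@address` (a firewall rule or fail2ban would not show up in this output).

```python
# Constructed sample dumps in `sshd -T` format; user name and address are placeholders.
SAMPLE_WEAK = """\
pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication yes
"""
SAMPLE_HARDENED = """\
pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication no
allowusers relayadmin@192.0.2.10
"""

def parse_effective(text):
    """Map each keyword to the list of values seen (AllowUsers may repeat)."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        settings.setdefault(key.lower(), []).append(value.strip())
    return settings

def audit(text):
    """Return a list of findings; an empty list means the checklist is met."""
    s = parse_effective(text)
    findings = []
    # OpenSSH defaults to "yes" for both keywords when they are absent.
    if s.get("pubkeyauthentication", ["yes"])[0].lower() != "yes":
        findings.append("key-based authentication is disabled")
    if s.get("passwordauthentication", ["yes"])[0].lower() != "no":
        findings.append("password authentication is enabled")
    # Keyboard-interactive (usually PAM) can still ask for a password;
    # older releases call it challengeresponseauthentication.
    kbd = (s.get("kbdinteractiveauthentication")
           or s.get("challengeresponseauthentication") or ["yes"])
    if kbd[0].lower() != "no":
        findings.append("keyboard-interactive authentication is enabled")
    # Assumption: IP restriction is expressed as AllowUsers user@address.
    patterns = [p for v in s.get("allowusers", []) for p in v.split()]
    if not patterns or not all("@" in p for p in patterns):
        findings.append("no per-address restriction in AllowUsers")
    return findings

if __name__ == "__main__":
    for name, dump in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(name, audit(dump) or "checklist met")
```

On a live host the input would be the output of `sshd -T` run as root, which reflects the settings the daemon actually applies rather than what one config file says.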