
Password brute-forcing is still a threat with fail2ban because your username and password can be compromised without your knowledge more easily than a private key. It's discussed in this talk, which I linked earlier: http://www.bsdcan.org/2013/schedule/events/403.en.html

On 11/18/2014 01:10 PM, Dan Rogers wrote:
> IMO there could occasionally be reasons not to use key logins (although I do normally disable pwd login). E.g. if I have a key, I then have evidence somewhere (USB/HD), whereas a secure password can be kept only in my head (until they waterboard me). Especially in countries (e.g. the UK) that can force you to hand over encryption keys. I'd rather have an insecure Tor node than get arrested (although tbh with fail2ban installed I don't think pwd brute-forcing is a threat).
>
> On 18/11/14 17:46, Jeroen Massar wrote:
>> On 2014-11-18 18:38, Kevin de Bie wrote:
>>> Fail2Ban works really well. Shifting to a non-standard port only stops the scriptkids from having too many automated options and does not do anything for actual security. For this reason I personally never bothered with that. Non-standard username and password auth with fail2ban makes brute-forcing practically impossible; this is usually how I have things configured.
>>
>> Just changing it to key-based authentication stops ALL password-guessing attacks.
>>
>> You will then be left with the logs though.
>>
>> Hence let's make a little list for clarity, in order of "should at least do":
>>
>> - Use SSH Authentication
>> - Disable Password Authentication
>> - Use Fail2ban
>> - Restrict on IP address (no need for fail2ban then)
>>
>> Greets,
>> Jeroen
>>
>> _______________________________________________
>> tor-relays mailing list
>> tor-relays@lists.torproject.org
>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
>
> --
> Dan Rogers
> +44 7539 552349
> skype: dan.j.rogers
> gpg key <https://secure.techwang.com/gpg/public_key.txt>
> linkedin <http://www.linkedin.com/in/danrogerslondon> | twitter <http://twitter.com/danjrog> | spotify <http://open.spotify.com/user/bonkbonkonk> | music <http://holdingitwrong.com>
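Jeroen's list above, turned into a check an operator can run over a host's sshd_config; this is an added example and not code from the thread or from the Tor project. It assumes OpenSSH's first-occurrence-wins parsing and the defaults named in its header comments, covers the first two list items (key auth on, password auth off) plus the keyboard-interactive path through PAM, and leaves fail2ban and IP restriction to their own configuration.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config against the "should at least
# do" list. Assumed sshd semantics: the FIRST occurrence of a keyword outside Match blocks
# wins, keywords and yes/no values are case-insensitive, and PasswordAuthentication,
# PubkeyAuthentication and KbdInteractiveAuthentication (older name: ChallengeResponse-
# Authentication; with PAM it can still prompt for a password) all default to yes.
# sshd_get FILE KEYWORD: print the effective (lower-cased) value of KEYWORD, or nothing.
sshd_get() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/#.*/, "") }                             # drop comments, re-split fields
        NF == 0 { next }                               # skip blank lines
        tolower($1) == "match" { in_match = 1; next }  # conditional blocks are ignored
        in_match { next }
        tolower($1) == key && !found { found = 1; print tolower($2) }
    ' "$1"
}
# audit_sshd_config FILE: one line per check; returns 0 only if every check passes.
audit_sshd_config() {
    rc=0
    pk=$(sshd_get "$1" PubkeyAuthentication);   pk=${pk:-yes}
    pw=$(sshd_get "$1" PasswordAuthentication); pw=${pw:-yes}
    kb=$(sshd_get "$1" KbdInteractiveAuthentication)
    [ -n "$kb" ] || kb=$(sshd_get "$1" ChallengeResponseAuthentication); kb=${kb:-yes}
    [ "$pk" = yes ] && echo "ok   PubkeyAuthentication=$pk" \
        || { echo "FAIL PubkeyAuthentication=$pk (key logins disabled)"; rc=1; }
    [ "$pw" = no ] && echo "ok   PasswordAuthentication=$pw" \
        || { echo "FAIL PasswordAuthentication=$pw (password guessing possible)"; rc=1; }
    [ "$kb" = no ] && echo "ok   KbdInteractiveAuthentication=$kb" \
        || { echo "FAIL KbdInteractiveAuthentication=$kb (PAM can still ask for a password)"; rc=1; }
    return "$rc"
}
# Constructed sample configs (no real host); sshd_config does not accept trailing comments.
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
cat >"$WEAK_CFG" <<'EOF'
# a moved port stops automated scanners but does nothing against a targeted guesser
Port 2222
PasswordAuthentication yes
ChallengeResponseAuthentication yes
EOF
cat >"$HARD_CFG" <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
# first occurrence wins, so sshd (and this audit) ignores the next line
PasswordAuthentication yes
KbdInteractiveAuthentication no
# Match blocks are conditional and deliberately not audited
Match Address 192.0.2.0/24
    PasswordAuthentication yes
EOF
for cfg in "$WEAK_CFG" "$HARD_CFG"; do audit_sshd_config "$cfg" && echo "$cfg: compliant" || echo "$cfg: NOT compliant"; done
```

Run it against /etc/ssh/sshd_config on the relay; a FAIL line on PasswordAuthentication or KbdInteractiveAuthentication means password guessing is still possible regardless of fail2ban.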