[tor-relays] List of Relays' Available SSH Auth Methods

Andy Isaacson adi at hexapodia.org
Tue Nov 18 17:43:53 UTC 2014


On Tue, Nov 18, 2014 at 10:09:37AM -0500, Libertas wrote:
> Hi, everyone. Linked below is a list of relays that were live last night
> along with the SSH authentication methods they support:
[snip]
> Generally, it is far more secure to allow only public key auth.

This is great advice, and thanks for doing this scan!  But I have one
question about another piece of advice:

> * SSH being served on a non-standard port - something other than port
> 22. This is a good idea, as many brute-force attackers will only
> bother trying port 22.

I don't understand why, for a system that has gotten any security review
at all, moving ssh to another port is "a good idea".

If your ssh config is secure against password brute forcing, then it
simply doesn't matter that botnets are crashing against the gate, and
"change your port" or "run fail2ban" seem pointless.  The only
difference is the amount of logspew that is generated.

If your ssh config is insecure (PasswordAuthentication Yes and you have
a bruteforceable password) then moving to another port, or running
fail2ban, does not help the situation much against any determined
attacker; the real attackers have millions of compromised hosts to
bruteforce from (or entire ASes to spoof from), and if your config is
sufficiently insecure that root/b4mb1 is going to work, you're not
likely to install fail2ban *either*.

So for my systems, I set passwords to be [a-zA-Z0-9]{10} from urandom,
and I generally (but not always) turn off PasswordAuthentication, and I
keep sshd up-to-date, but I don't change from port 22 nor do I ever run
fail2ban.

-andy
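The sshd settings this argument rests on, as an added example that is not part of the original thread: a POSIX shell audit of the effective configuration as printed by OpenSSH's `sshd -T` (which resolves defaults and Match blocks), plus the urandom password generator Andy describes. The two sample configurations are constructed; the keyword names are OpenSSH's own.

```shell
#!/bin/sh
# Added example; not code from the tor-relays post. Reads `sshd -T` output
# (lowercase "keyword value" lines) and flags what actually decides whether
# brute forcing can work: password or keyboard-interactive auth left on,
# public-key auth off, or root login by password. The port is reported only
# as information, since it changes nothing about brute-force resistance.

# audit_sshd: `sshd -T` text on stdin; prints findings; returns 0 only when
# public-key authentication is the sole remaining way in.
audit_sshd() {
    cfg=$(cat)
    rc=0
    has() { printf '%s\n' "$cfg" | grep -Eq "$1"; }
    port=$(printf '%s\n' "$cfg" | awk '$1 == "port" { print $2; exit }')
    echo "INFO: sshd listens on port ${port:-22} (irrelevant to brute-force resistance)"
    if has '^passwordauthentication yes$'; then
        echo "WARN: PasswordAuthentication yes: a guessable password is enough"; rc=1
    fi
    # older OpenSSH prints challengeresponseauthentication for the same setting
    if has '^(kbdinteractiveauthentication|challengeresponseauthentication) yes$'; then
        echo "WARN: keyboard-interactive auth yes: PAM can still prompt for a password"; rc=1
    fi
    if ! has '^pubkeyauthentication yes$'; then
        echo "WARN: PubkeyAuthentication off: passwords are the only option left"; rc=1
    fi
    if has '^permitrootlogin yes$'; then
        echo "WARN: PermitRootLogin yes: root itself can be brute forced"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: only public-key authentication is possible"
    return "$rc"
}

# gen_password: [A-Za-z0-9]{N} straight from /dev/urandom (N defaults to 10).
gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "${1:-10}"
    echo
}

# Constructed samples: a relay that moved ports but left passwords on, and
# one that stayed on 22 but accepts keys only.
WEAK_SSHD_T='port 2222
permitrootlogin yes
passwordauthentication yes
kbdinteractiveauthentication yes
pubkeyauthentication yes'
HARDENED_SSHD_T='port 22
permitrootlogin prohibit-password
passwordauthentication no
kbdinteractiveauthentication no
pubkeyauthentication yes'

# Demo on the samples; on a live host run: sudo sshd -T | audit_sshd
printf '%s\n' "$WEAK_SSHD_T" | audit_sshd || echo "weak sample rejected (expected)"
printf '%s\n' "$HARDENED_SSHD_T" | audit_sshd
```

The audit needs the same privileges as sshd to read its config and host keys, so run `sshd -T` as root.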

