[tor-relays] List of Relays' Available SSH Auth Methods

Dan Rogers dan at holdingitwrong.com
Tue Nov 18 18:10:02 UTC 2014



IMO there could occasionally be reasons not to use key logins (although 
I do normally disable pwd login). E.g. if I have a key, I then have 
evidence somewhere (USB/HD), whereas a secure password can be kept only 
in my head (until they waterboard me). Especially in countries (e.g. the 
UK) that can force you to hand over encryption keys. I'd rather have an 
insecure Tor node than get arrested (although tbh with fail2ban 
installed I don't think pwd bruteforcing is a threat).



On 18/11/14 17:46, Jeroen Massar wrote:
> On 2014-11-18 18:38, Kevin de Bie wrote:
>> Fail2Ban works really well. Shifting to a non standard port only stops
>> the scriptkids from having too many automated options and does not do
>> anything for actual security. For this reason I personally never
>> bothered with that. Non standard username and password auth with
>> fail2ban makes brute forcing practically impossible, this is usually how
>> I have things configured.
> Just changing it to key-based authentication stops ALL password-guessing
> attacks.
>
> You will then be left with the logs though.
>
>
> Hence let's make a little list for clarity in order of "should at least do":
>
> - Use SSH Authentication
> - Disable Password Authentication
> - Use Fail2ban
> - Restrict on IP address (no need for fail2ban then)
>
> Greets,
>   Jeroen

-- 
Dan Rogers
+44 7539 552349
skype: dan.j.rogers
gpg key <https://secure.techwang.com/gpg/public_key.txt>
linkedin <http://www.linkedin.com/in/danrogerslondon> | twitter 
<http://twitter.com/danjrog> | spotify 
<http://open.spotify.com/user/bonkbonkonk> | music 
<http://holdingitwrong.com>
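
Added example, not part of the original message or thread: a small Python check of an `sshd_config` against the sshd-side items of the list quoted above (key authentication, password authentication disabled, restriction by source address). Fail2ban is configured outside `sshd_config` and is not covered; the user name, the address and the sample file are constructed, and treating `ChallengeResponseAuthentication` as an alias of `KbdInteractiveAuthentication` is a simplification.

```python
import re

# OpenSSH defaults, applied when a keyword is absent from the file.
DEFAULTS = {"pubkeyauthentication": "yes", "passwordauthentication": "yes",
            "kbdinteractiveauthentication": "yes"}
# Older spelling of the keyboard-interactive option.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

def parse_global(text):
    """Return {keyword: [args]} for the global section of an sshd_config."""
    seen = {}
    for raw in text.splitlines():
        parts = re.split(r"[\s=]+", raw.split("#", 1)[0].strip())
        if len(parts) < 2:
            continue  # blank line, comment, or keyword without a value
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":
            break  # Match blocks are conditional; not evaluated here
        if key == "allowusers":
            seen.setdefault(key, []).extend(parts[1:])  # entries accumulate
        else:
            seen.setdefault(key, parts[1:])  # sshd keeps the first value
    return seen

def audit(text):
    """Check the sshd-side items of the list quoted above."""
    cfg = parse_global(text)
    def val(k):
        return cfg.get(k, [DEFAULTS[k]])[0].lower()
    allow = cfg.get("allowusers", [])
    return {
        "key_auth_enabled": val("pubkeyauthentication") == "yes",
        # keyboard-interactive (e.g. via PAM) can still prompt for a password
        "password_auth_disabled": val("passwordauthentication") == "no"
                                  and val("kbdinteractiveauthentication") == "no",
        # user@host entries in AllowUsers restrict logins by source address
        "ip_restricted": bool(allow) and all("@" in a for a in allow),
    }

# Constructed sample configuration, not taken from any real relay.
SAMPLE = """\
Port 22
PasswordAuthentication no
PasswordAuthentication yes   # ignored: first value wins
ChallengeResponseAuthentication no
AllowUsers relayadmin@192.0.2.10
"""

if __name__ == "__main__":
    for item, ok in audit(SAMPLE).items():
        print(f"{item}: {'ok' if ok else 'NOT MET'}")
```

A file that sets only `PasswordAuthentication no` is reported as not meeting the password item, because keyboard-interactive authentication stays at its default of `yes`.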