[tor-relays] List of Relays' Available SSH Auth Methods

Kevin de Bie kevindebie at gmail.com
Tue Nov 18 18:41:38 UTC 2014


You could also just want on the spot access to your box without needing
some key. I personally believe a proper un/pw combination used in
conjunction with fail2ban is sufficiently secure for pretty much anything
that is not a high risk target.

On Tue 18 Nov 2014 at 19:10, Dan Rogers <dan at holdingitwrong.com> wrote:

>
>
> IMO there could occasionally be reasons not to use key logins (although I
> do normally disable pwd login). E.g. if I have a key, I then have evidence
> somewhere (USB/HD), whereas a secure password can be kept only in my head
> (until they waterboard me). Especially in countries (e.g. the UK) that can
> force you to hand over encryption keys. I'd rather have an insecure Tor
> node than get arrested (although tbh with fail2ban installed I don't think
> pwd bruteforcing is a threat).
>
>
>
>
> On 18/11/14 17:46, Jeroen Massar wrote:
>
> On 2014-11-18 18:38, Kevin de Bie wrote:
>
>
> Fail2Ban works really well. Shifting to a non standard port only stops
> the scriptkids from having too many automated options and does not do
> anything for actual security. For this reason I personally never
> bothered with that. Non standard username and password auth with
> fail2ban makes brute forcing practically impossible, this is usually how
> I have things configured.
>
>
> Just changing it to key-based authentication stops ALL password-guessing
> attacks.
>
> You will then be left with the logs though.
>
>
> Hence let's make a little list for clarity in order of "should at least do":
>
> - Use SSH Authentication
> - Disable Password Authentication
> - Use Fail2ban
> - Restrict on IP address (no need for fail2ban then)
>
> Greets,
>  Jeroen
>
> _______________________________________________
> tor-relays mailing list
> tor-relays at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
>
>
> --
> Dan Rogers
> +44 7539 552349
> skype: dan.j.rogers
> gpg key <https://secure.techwang.com/gpg/public_key.txt>
> linkedin <http://www.linkedin.com/in/danrogerslondon> | twitter
> <http://twitter.com/danjrog> | spotify
> <http://open.spotify.com/user/bonkbonkonk> | music
> <http://holdingitwrong.com>
>
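
As an added example (not part of any message in this thread): a small Python audit of sshd_config text against the checklist quoted above. It assumes OpenSSH's defaults and first-value-wins parsing, and that address restriction is done with AllowUsers USER@HOST patterns; the function names and sample configs are constructed for illustration. Fail2ban is configured outside sshd_config and is not checked.

```python
import re

# Assumed OpenSSH defaults when a keyword is absent from the file.
DEFAULTS = {"pubkeyauthentication": "yes", "passwordauthentication": "yes"}
LINE = re.compile(r"(\S+?)(?:\s*=\s*|\s+)(.*)")  # "Keyword value" or "Keyword=value"

def parse_sshd_config(text):
    """Split config text into global settings, AllowUsers patterns, Match-scoped lines."""
    settings, allow_users, conditional, in_match = {}, [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE.match(line)
        if not m or line.startswith("#"):
            continue
        key, value = m.group(1).lower(), m.group(2).strip()  # keywords are case-insensitive
        if key == "match":
            in_match = True               # everything after this applies conditionally
        elif in_match:
            conditional.append((key, value))
        elif key == "allowusers":
            allow_users += value.split()  # repeated AllowUsers lines accumulate
        else:
            settings.setdefault(key, value)  # sshd keeps the first value it reads
    return settings, allow_users, conditional

def audit(text):
    """Return findings against the thread's checklist (empty list = all met)."""
    settings, allow_users, conditional = parse_sshd_config(text)
    get = lambda k: settings.get(k, DEFAULTS[k]).lower()
    findings = []
    if get("pubkeyauthentication") != "yes":
        findings.append("key authentication is disabled")
    if get("passwordauthentication") != "no":
        findings.append("password authentication is enabled")
    if any(k == "passwordauthentication" and v.lower() == "yes" for k, v in conditional):
        findings.append("a Match block re-enables password authentication")
    # Assumption: source restriction is expressed as AllowUsers USER@HOST patterns.
    if not allow_users or any("@" not in u for u in allow_users):
        findings.append("logins are not restricted by source address")
    return findings

# Constructed sample configs (not from the thread).
WEAK = "Port 2222\n#PasswordAuthentication no\nPasswordAuthentication yes\nPasswordAuthentication no\n"
HARDENED = "PubkeyAuthentication yes\nPasswordAuthentication no\nAllowUsers relayop@192.0.2.0/24\n"
WITH_MATCH = HARDENED + "Match Address 198.51.100.7\n    PasswordAuthentication yes\n"

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED), ("WITH_MATCH", WITH_MATCH)):
        print(name, audit(cfg) or "checklist met")
```

The WEAK sample shows two easy mistakes: a moved port with password login still on, and a later `PasswordAuthentication no` that never takes effect because the earlier `yes` is read first.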