[tor-relays] doc/HARDENING Draft

[Libertas]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 11/27/2014 07:50 PM, tor at zengers.de wrote:
> And I agree about SSHGuard. I've had a better experience with it,
> and it generally seems like a more carefully developed and more
> thoroughly documented project. Strangely, though, most experienced
> sysadmins still use and suggest fail2ban. Maybe I'm just missing
> something, or maybe people don't know about SSHGuard.
> 
> I'm still wondering about the popularity of fail2ban and SSHGuard, 
> specially in regard to the ssh service. You can achieve almost the
> some behaviour with every major firewall. See for example [1] and
> [2].
> 
> And for the lazy ones, my current configs: ...

True, and thanks for the examples. I think the daemons are probably a
better move for those who aren't firewall veterans, as everyone else
would probably be copy-and-pasting firewall configs like the ones you
gave and praying that they worked. The daemons probably also have more
nuanced and flexible policies.

You also reminded me of a big factor I forgot to mention in the doc:
firewalls.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJUd9MUAAoJELxHvGCsI27NlY0P/0MeYML3CCLlF3JHRDVy85CE
FjjQlUjIH3wnTGuQJE/ooubWH8KslLhSq2PjBXMgxuObshf9DEHWHy7KNYvAJ+GE
1VMjONDV6uuZILLPur1UxFlSPrB2LfzBJCqLfx/LmtQFPoH3AztJnkyqLZIkVcMs
X8IJ4Dv2kvX3q9oIXdqyiTECLSsAZ5GyhOcNPZGLdijaijWL6ajrpq74NE89cjNu
TX4d5eR2WSJm18lQ3ViOwh4DmdRA/HeqtH/M3/DsDJvOP4D5lrERrc6ghBShZdsl
dKndLPLWFTGGdV4DAbn96FBZQW9q2feRb+DBSdOXPlc8KqOFF2BMrb2a4tWv/szs
uiTqsYTDj7TkvOLIR3Y1V1uRm6WvxdU5FKNH7+qouQg8G4hLPrcxmIGOTELDZtzn
s30ffOScgM7kn3qb8hbs50peMDb3A67GXgNFnvFSf1eAaWJQdDbzYEfxzBzGvtvb
DYCeavXAKC8LsgRIcfjnuhPuTfP0PSKX0RABgPR0hkt3TGsCObMSUETHD1IqRv+1
wWjLf+52Kn9ZwPxPxUt8yngaOZr9iGAKlQJJwoacujAFCjoGR+SflEojFjBcdyVV
mZqgyDgSeAhPZyMIY5shY5VJcT7wBbUy8oLSEjdfOxrfUe4dHLPfGvPmv7U2sJQX
rVwbNoRfYr2mhgLap7dN
=UtrW
-----END PGP SIGNATURE-----