[tor-relays] SSH

[George]

breaking the top-post....

> Hello
> I'm running a TOR relay, every time I SSH to my server I see a message
> that there were thousands of failed login attempts
> Do you see this message too?


This is one of those issues that you figure out your own preferred
method over time as you run public services over the internet.

First, where do you see the message? Not sure about your operating
system, but if it's dumping the failed logins to your screen on you're
on a Unix-like operating system, you should probably check your
/etc/syslog.conf.  Dumping failed ssh logins to a file like
/var/log/authlog makes more sense.

Second, make sure you're following the basics with SSHD security.
Require keys or Yubikey etc and don't rely on password security for SSH
access.

You could consider fail2ban and similar tools, but consider either your
host-based firewall or better yet, an upstream network firewall.
Rate-limiting SSH attempts, blacklisting based on bogon addresses, etc,
will bring you part of the way.

IMHO, the less third-party software you install on a Tor relay, the
better off you are.  More code means more surface area and more bugs.

The standard tenet of "there's no security with obscurity" rings true,
but we're talking about log noise here, not security. Therefore, you
might want to consider changing the TCP port SSHD is listening on. It
will likely decrease the noise level.

The great secret SSHD security hack that I feel uncomfortable mentioning
on a public list is... do SSH over IPv6 if you can.  Seems like the bots
haven't caught up to that yet.

g