One of the reasons I'd love to see a MirageOS port (or, rather,
reimplementation) of little-t tor is, it wouldn't *need* any
administrative access. It'd be a black box that speaks the cell
protocol.
___
tor-relays mailing list
tor-relays@lists.torproject.
On 2014-11-18 18:46, Jeroen Massar wrote:
> Hence lets make a little list for clarity in order of "should at least do":
>
> - Use SSH Authentication
> - Disable Password Authentication
> - Use Fail2ban
> - Restrict on IP address (no need for fail2ban then)
Additionally - with ssh over hidden ser
On 18.11.2014 18:40, Dan Thill wrote:
> In my equally limited experience, my piddly middle relay went from about
> 100 SSH related fail2bans/day to zero when I changed the port. I fully
> recognize changing the port is mere obfuscation (I use public key
> anyways), but I just got tired of seeing t
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On 11/18/2014 01:10 PM, Dan Rogers wrote:
> if I have a key, I then have evidence somewhere (USB/HD), whereas
> a secure password can be kept only in my head (until they
> waterboard me).
Why not just encrypt your home directory? It's very easy in m
On 11/18/2014 08:10 PM, Philipp Winter wrote:
> On Tue, Nov 18, 2014 at 09:43:53AM -0800, Andy Isaacson wrote:
>> On Tue, Nov 18, 2014 at 10:09:37AM -0500, Libertas wrote:
>>> * SSH being served on a non-standard port - something other than port
>>> 22. This is a good idea, as many brute-force atta
On Tue, 18 Nov 2014 10:09:37 +, Libertas wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
...
> https://gist.githubusercontent.com/plsql/27e80e6dab421f8cba6c/raw/8bb0c7aa9d22b8c959834e9db8c80b6511bdf093/gistfile1.txt
Ouch. You might run that in a few days and post the diff. :-)
Andreas
--
"Total
On Tue, 18 Nov 2014 18:10:02 +, Dan Rogers wrote:
>
>
> IMO there could occasionally be reasons not to use key logins (although
> I do normally disable pwd login). E.g. if I have a key, I then have
> evidence somewhere (USB/HD),
"Oh, that ssh key? That is for accessing my home server on DS
Great work Libertas! Glad to see my relay didn't come up with any results :)
Colin
On November 18, 2014 10:09:37 AM EST, Libertas wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA256
>
>Hi, everyone. Linked below is a list of relays that were live last
>night
>along with the SSH authenticati
On Tue, Nov 18, 2014 at 10:09:37AM -0500, Libertas wrote:
> Hi, everyone. Linked below is a list of relays that were live last night
> along with the SSH authentication methods they support:
[snip]
> Generally, it is far more secure to allow only public key auth.
Nobody has mentioned using single
On Tue, Nov 18, 2014 at 09:43:53AM -0800, Andy Isaacson wrote:
> On Tue, Nov 18, 2014 at 10:09:37AM -0500, Libertas wrote:
> > * SSH being served on a non-standard port - something other than port
> > 22. This is a good idea, as many brute-force attackers will only
> > bother trying port 22.
>
> I
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Password brute-forcing is still a threat with fail2ban because your
username and password can be compromised without your knowledge more
easily than a private key. It's discussed in this talk, which I linked
earlier:
http://www.bsdcan.org/2013/sched
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Tor nodes, particularly Tor exit nodes, are high risk targets.
Also, the key is accessed from your ~/.ssh directory automatically, so
it's actually easier than password auth. Just give the SSH command and
you're in!
On 11/18/2014 01:41 PM, Kevin de
You could also just want on the spot access to your box without needing
some key. I personally believe a proper un/pw combination used in
conjunction with fail2ban is sufficiently secure for pretty much anything
that is not a high risk target.
On Tue 18 Nov 2014 at 19:10, Dan Rogers wrote:
>
>
> I
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Here's an interesting and relevant talk on SSH security:
http://www.bsdcan.org/2013/schedule/events/403.en.html
On 11/18/2014 12:38 PM, Kevin de Bie wrote:
>
> Fail2Ban works really well. Shifting to a non standard port only
> stops the scriptkids
On 11/18/2014 11:18 AM, Dan Rogers wrote:
>
> Not that hard;
>
> - pay in bitcoins
After mixing them through several independent wallets, of course ;)
The hardest part is finding hosting that allows exits for anonymous
accounts :(
> - only login to node using Tor / Tails
>
>
>
>
> On 18/11
On Tue, 18 Nov 2014 09:40:13 -0800, Ryan Getz wrote:
As Libertas said, pub key auth is generally best... or even for some,
disabling SSH altogether may be possible. If your relay is a VPS and you
have access to a (java) console or some form of IPMI/drac/iLo
management, you may not even need ss
Not that hard;
- pay in bitcoins
- only login to node using Tor / Tails
On 18/11/14 18:16, Niklas Kielblock wrote:
This only applies if you're able to rid your hardware of all evidence
of ever connecting to your node, and have no record of ownership of
that node whatsoever. I find that a f
This only applies if you're able to rid your hardware of all evidence of
ever connecting to your node, and have no record of ownership of that
node whatsoever. I find that a fairly unlikely scenario, to be honest.
On 18/11/14 19:10, Dan Rogers wrote:
>
>
> IMO there could occasionally be reason
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
> I'd recommend fail2ban or equivalent instead.
Right, thanks. I planned on mentioning SSH-protecting daemons, but
forgot. I've had better luck with SSHGuard, but fail2ban is the most
common option.
On 11/18/2014 11:45 AM, Zack Weinberg wrote:
> On
IMO there could occasionally be reasons not to use key logins (although
I do normally disable pwd login). E.g. if I have a key, I then have
evidence somewhere (USB/HD), whereas a secure password can be kept only
in my head (until they waterboard me). Especially in countries (e.g. the
UK) tha
On Tue, Nov 18, 2014, at 10:45 AM, Zack Weinberg wrote:
> On Tue, Nov 18, 2014 at 11:15 AM, Toralf Förster
> wrote:
> > On 11/18/2014 04:28 PM, Jeroen Massar wrote:
> >> People should realize though that it is not 'safer' in any way running
> >> SSH on another port.
> >
> > But it is (slightly)
On Tue, Nov 18, 2014, at 11:45 AM, Zack Weinberg wrote:
> On Tue, Nov 18, 2014 at 11:15 AM, Toralf Förster
> wrote:
> > On 11/18/2014 04:28 PM, Jeroen Massar wrote:
> >> People should realize though that it is not 'safer' in any way running
> >> SSH on another port.
> >
> > But it is (slightly) m
On 2014-11-18 18:38, Kevin de Bie wrote:
>
> Fail2Ban works really well. Shifting to a non standard port only stops
> the scriptkids from having too many automated options and does not do
> anything for actual security. For this reason I personally never
> bothered with that. Non standard username
On Tue, Nov 18, 2014 at 10:09:37AM -0500, Libertas wrote:
> Hi, everyone. Linked below is a list of relays that were live last night
> along with the SSH authentication methods they support:
[snip]
> Generally, it is far more secure to allow only public key auth.
This is great advice, and thanks f
Fail2Ban works really well. Shifting to a non standard port only stops the
scriptkids from having too many automated options and does not do anything
for actual security. For this reason I personally never bothered with that.
Non standard username and password auth with fail2ban makes brute forcing
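The per-source banning that Kevin de Bie, Dan Thill and others above rely on, run over a few sshd log lines, together with the case it cannot catch: a slow or distributed guesser that never reaches the per-IP threshold. This is an added example, not fail2ban's or SSHGuard's code and not from the thread. It assumes fail2ban's usual maxretry 5, findtime 600 s and bantime 600 s, traditional syslog-format auth.log lines (constructed below, with RFC 5737 test addresses), and 2014 as the log year, since syslog timestamps carry none.

```python
"""Per-source-IP banning of the kind fail2ban and SSHGuard apply to sshd
logs, run over constructed auth.log lines.

Added example; not fail2ban's or SSHGuard's code and not part of the
thread. Assumptions: maxretry=5, findtime=600 s, bantime=600 s (fail2ban's
usual values); traditional syslog format; the year is supplied by the
caller because syslog timestamps carry none; RFC 5737 test addresses.
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<event>Failed password|Accepted publickey|Accepted password) for "
    r"(?:invalid user )?\S+ from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Constructed log: one noisy source, one legitimate key login, and five
# sources that each try only twice (ten failures in total, spread out).
SAMPLE_AUTH_LOG = """\
Nov 18 02:00:01 relay sshd[4101]: Failed password for root from 198.51.100.7 port 51234 ssh2
Nov 18 02:00:04 relay sshd[4102]: Failed password for root from 198.51.100.7 port 51235 ssh2
Nov 18 02:00:07 relay sshd[4103]: Failed password for invalid user admin from 198.51.100.7 port 51236 ssh2
Nov 18 02:00:10 relay sshd[4104]: Failed password for invalid user admin from 198.51.100.7 port 51237 ssh2
Nov 18 02:00:13 relay sshd[4105]: Failed password for invalid user oracle from 198.51.100.7 port 51238 ssh2
Nov 18 02:00:16 relay sshd[4106]: Failed password for invalid user oracle from 198.51.100.7 port 51239 ssh2
Nov 18 02:01:00 relay sshd[4110]: Accepted publickey for relayadmin from 203.0.113.5 port 44010 ssh2: ED25519 SHA256:constructedFingerprint
Nov 18 02:05:00 relay sshd[4120]: Failed password for root from 203.0.113.11 port 40001 ssh2
Nov 18 02:05:30 relay sshd[4121]: Failed password for root from 203.0.113.12 port 40002 ssh2
Nov 18 02:06:00 relay sshd[4122]: Failed password for root from 203.0.113.13 port 40003 ssh2
Nov 18 02:06:30 relay sshd[4123]: Failed password for root from 203.0.113.14 port 40004 ssh2
Nov 18 02:07:00 relay sshd[4124]: Failed password for root from 203.0.113.15 port 40005 ssh2
Nov 18 02:07:30 relay sshd[4125]: Failed password for root from 203.0.113.11 port 40006 ssh2
Nov 18 02:08:00 relay sshd[4126]: Failed password for root from 203.0.113.12 port 40007 ssh2
Nov 18 02:08:30 relay sshd[4127]: Failed password for root from 203.0.113.13 port 40008 ssh2
Nov 18 02:09:00 relay sshd[4128]: Failed password for root from 203.0.113.14 port 40009 ssh2
Nov 18 02:09:30 relay sshd[4129]: Failed password for root from 203.0.113.15 port 40010 ssh2
"""


def analyze(log_text, maxretry=5, findtime=600, bantime=600, year=2014):
    """Return (bans, attempts).

    bans:     {ip: time the ban started} for sources that reached maxretry
              failed password logins inside a findtime-second window.
    attempts: Counter of failed password logins per source, banned or not.
    """
    window = defaultdict(deque)      # ip -> timestamps of recent failures
    attempts = Counter()
    bans = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime("%d %s" % (year, m["ts"]), "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        if m["event"] != "Failed password":
            continue                 # key logins never count against a source
        attempts[ip] += 1
        if ip in bans:
            if ts < bans[ip] + timedelta(seconds=bantime):
                continue             # still banned: the firewall rule would drop this
            del bans[ip]             # bantime elapsed, source is watched again
        recent = window[ip]
        recent.append(ts)
        while recent and (ts - recent[0]).total_seconds() > findtime:
            recent.popleft()         # forget failures older than findtime
        if len(recent) >= maxretry:
            bans[ip] = ts
            recent.clear()
    return bans, attempts


def unbanned_failures(log_text, **kw):
    """Failed logins no ban ever stopped: the slow or distributed case."""
    bans, attempts = analyze(log_text, **kw)
    return sum(n for ip, n in attempts.items() if ip not in bans)


if __name__ == "__main__":
    bans, attempts = analyze(SAMPLE_AUTH_LOG)
    print("banned:", sorted(bans))
    print("failed attempts per source:", dict(attempts))
    print("attempts no ban stopped:", unbanned_failures(SAMPLE_AUTH_LOG))
```

On this input the single noisy source is banned on its fifth failure, while the five sources that each try twice never trip the threshold, so ten password guesses go through unhindered. A per-IP ban daemon limits the rate one address can guess at; it is not a substitute for turning password authentication off.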
This is all just too much risk and admin on my production server on Linode.
Abacustard relay is down until I can move my production server,
downgrade the current linode and relegate it to backup functionality and
Tor exit node.
Cheers for now,
JB
On 18/11/2014 18:45, Zack Weinberg wrote:
O
On 11/18/2014 05:45 PM, Zack Weinberg wrote:
> On Tue, Nov 18, 2014 at 11:15 AM, Toralf Förster
> wrote:
>> On 11/18/2014 04:28 PM, Jeroen Massar wrote:
>>> People should realize though that it is not 'safer' in any way running
>>> SSH on another port.
>>
>> But it is (slightly) more expensive -
On Tue, Nov 18, 2014 at 11:15 AM, Toralf Förster wrote:
> On 11/18/2014 04:28 PM, Jeroen Massar wrote:
>> People should realize though that it is not 'safer' in any way running
>> SSH on another port.
>
> But it is (slightly) more expensive - which counts, or ?
In my limited experience, moving SS
On 11/18/2014 04:28 PM, Jeroen Massar wrote:
> People should realize though that it is not 'safer' in any way running
> SSH on another port.
But it is (slightly) more expensive - which counts, or ?
--
Toralf
pgp key: 0076 E94E
On 2014-11-18 16:09, Libertas wrote:
[..]
> https://github.com/plsql/ssh-auth-methods
>
> The purpose of this is to alert relay operators that are still
> allowing password authentication. 2,051 relays offered password auth,
> and many more likely offer similarly insecure methods or were missed
>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Hi, everyone. Linked below is a list of relays that were live last night
along with the SSH authentication methods they support:
https://gist.githubusercontent.com/plsql/27e80e6dab421f8cba6c/raw/8bb0c7aa9d22b8c959834e9db8c80b6511bdf093/gistfile1.txt
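The "should at least do" list Jeroen Massar posts above (key auth on, password auth off, restrict by address) and the advice in this thread to allow only public-key auth, turned into a check a relay operator can run against their own sshd_config. This is an added example, not code from the thread or from Libertas's ssh-auth-methods scanner. The two configs in it are constructed, the keyword defaults are the ones documented in sshd_config(5), and the account name relayadmin is an assumption.

```python
"""Audit an sshd_config against the 'should at least do' list from the
thread: key auth on, password auth off, restrict who may log in.

Added example; not part of the thread and not the ssh-auth-methods tool.
Both configs below are constructed. DEFAULTS are the built-in values from
sshd_config(5); `sshd -T` prints the values your sshd actually uses.
"""

# sshd applies the FIRST value it reads for a keyword; a keyword that is
# never set takes its built-in default. Only defaults the audit needs.
DEFAULTS = {
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",   # older name: ChallengeResponseAuthentication
    "permitrootlogin": "prohibit-password",
}


def parse_sshd_config(text):
    """Return the effective global directives as {keyword_lower: value_lower}.

    Parsing stops at the first 'Match' line: everything after it is
    conditional and can re-enable password auth for matching addresses or
    users, which this simple audit does not model.
    """
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        first = line.split(None, 1)[0]
        if "=" in first:                         # 'Keyword=value' form
            key, value = line.split("=", 1)
        else:                                    # 'Keyword value' form
            parts = line.split(None, 1)
            key, value = parts[0], (parts[1] if len(parts) > 1 else "")
        key, value = key.strip().lower(), value.strip().lower()
        if key == "match":
            break
        effective.setdefault(key, value)         # first occurrence wins
    return effective


def audit(text):
    """Return a list of findings; an empty list means the config passes."""
    cfg = parse_sshd_config(text)

    def setting(key):
        return cfg.get(key, DEFAULTS.get(key, ""))

    # ChallengeResponseAuthentication is the old spelling of the same switch
    kbd = cfg.get("kbdinteractiveauthentication",
                  cfg.get("challengeresponseauthentication",
                          DEFAULTS["kbdinteractiveauthentication"]))
    findings = []
    if setting("pubkeyauthentication") != "yes":
        findings.append("PubkeyAuthentication is not 'yes': key logins are disabled")
    if setting("passwordauthentication") != "no":
        findings.append("PasswordAuthentication is not 'no' (effective value: %r)"
                        % setting("passwordauthentication"))
    if kbd != "no":
        findings.append("KbdInteractive/ChallengeResponseAuthentication is not 'no': "
                        "PAM can still prompt for a password")
    if setting("permitrootlogin") == "yes":
        findings.append("PermitRootLogin yes: root is reachable with a password")
    if not any(k in cfg for k in ("allowusers", "allowgroups")):
        findings.append("no AllowUsers/AllowGroups: every local account may try to log in "
                        "(restricting by source address is usually a firewall rule)")
    return findings


# Constructed: a relay host where the operator appended 'PasswordAuthentication no'
# at the bottom without noticing the earlier 'yes'. sshd keeps the first value,
# so passwords are still accepted, which is exactly what a scan would report.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PubkeyAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes

# added later, has no effect because of the line above
PasswordAuthentication no
"""

# Constructed: the same host after applying the list from the thread.
# (Newer OpenSSH spells the third switch KbdInteractiveAuthentication.)
HARDENED_CONFIG = """\
Port 22
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
AllowUsers relayadmin
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name + ":", audit(cfg) or ["ok"])
```

Run it against /etc/ssh/sshd_config (or, better, against the output of `sshd -T`, which already has defaults and first-wins resolution applied) and fix every finding before relying on fail2ban or a port change; a Match block below the global section must be reviewed by hand, since the audit stops there.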
On Tue, 28 Oct 2014 04:46:37 +
Yawning Angel wrote:
> You could either "Wait for Tor Browser 4.5-alpha" which I am told will
> happen "Soon", or run a tor instance and edit the torrc to use your
> bridge. The same obfs4proxy binary also acts as the client.
Just to quickly follow up on this,