On Tue, 28 Oct 2014 04:46:37 +
Yawning Angel wrote:
> You could either "Wait for Tor Browser 4.5-alpha" which I am told will
> happen "Soon", or run a tor instance and edit the torrc to use your
> bridge. The same obfs4proxy binary also acts as the client.
Just to quickly follow up on this,
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Hi, everyone. Linked below is a list of relays that were live last night
along with the SSH authentication methods they support:
https://gist.githubusercontent.com/plsql/27e80e6dab421f8cba6c/raw/8bb0c7aa9d22b8c959834e9db8c80b6511bdf093/gistfile1.txt
On 2014-11-18 16:09, Libertas wrote:
[..]
> https://github.com/plsql/ssh-auth-methods
>
> The purpose of this is to alert relay operators that are still
> allowing password authentication. 2,051 relays offered password auth,
> and many more likely offer similarly insecure methods or were missed
>
On 11/18/2014 04:28 PM, Jeroen Massar wrote:
> People should realize though that it is not 'safer' in any way running
> SSH on another port.
But it is (slightly) more expensive - which counts, or ?
--
Toralf
pgp key: 0076 E94E
___
tor-relays mailing
On Tue, Nov 18, 2014 at 11:15 AM, Toralf Förster wrote:
> On 11/18/2014 04:28 PM, Jeroen Massar wrote:
>> People should realize though that it is not 'safer' in any way running
>> SSH on another port.
>
> But it is (slightly) more expensive - which counts, or ?
In my limited experience, moving SS
On 11/18/2014 05:45 PM, Zack Weinberg wrote:
> On Tue, Nov 18, 2014 at 11:15 AM, Toralf Förster
> wrote:
>> On 11/18/2014 04:28 PM, Jeroen Massar wrote:
>>> People should realize though that it is not 'safer' in any way running
>>> SSH on another port.
>>
>> But it is (slightly) more expensive -
This is all just too much risk and admin on my production server on Linode.
Abacustard relay is down until I can move my production server,
downgrade the current linode and relegate it to backup functionality and
Tor exit node.
Cheers for now,
JB
On 18/11/2014 18:45, Zack Weinberg wrote:
O
Fail2Ban works really well. Shifting to a non standard port only stops the
scriptkids from having too many automated options and does not do anything
for actual security. For this reason I personally never bothered with that.
Non standard username and password auth with fail2ban makes brute forcing
On Tue, Nov 18, 2014 at 10:09:37AM -0500, Libertas wrote:
> Hi, everyone. Linked below is a list of relays that were live last night
> along with the SSH authentication methods they support:
[snip]
> Generally, it is far more secure to allow only public key auth.
This is great advice, and thanks f
On 2014-11-18 18:38, Kevin de Bie wrote:
>
> Fail2Ban works really well. Shifting to a non standard port only stops
> the scriptkids from having too many automated options and does not do
> anything for actual security. For this reason I personally never
> bothered with that. Non standard username
On Tue, Nov 18, 2014, at 11:45 AM, Zack Weinberg wrote:
> On Tue, Nov 18, 2014 at 11:15 AM, Toralf Förster
> wrote:
> > On 11/18/2014 04:28 PM, Jeroen Massar wrote:
> >> People should realize though that it is not 'safer' in any way running
> >> SSH on another port.
> >
> > But it is (slightly) m
On Tue, Nov 18, 2014, at 10:45 AM, Zack Weinberg wrote:
> On Tue, Nov 18, 2014 at 11:15 AM, Toralf Förster
> wrote:
> > On 11/18/2014 04:28 PM, Jeroen Massar wrote:
> >> People should realize though that it is not 'safer' in any way running
> >> SSH on another port.
> >
> > But it is (slightly)
IMO there could occasionally be reasons not to use key logins (although
I do normally disable pwd login). E.g. if I have a key, I then have
evidence somewhere (USB/HD), whereas a secure password can be kept only
in my head (until they waterboard me). Especially in countries (e.g. the
UK) tha
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
> I'd recommend fail2ban or equivalent instead.
Right, thanks. I planned on mentioning SSH-protecting daemons, but
forgot. I've had better luck with SSHGuard, but fail2ban is the most
common option.
On 11/18/2014 11:45 AM, Zack Weinberg wrote:
> On
This only applies if you're able to rid your hardware of all evidence of
ever connecting to your node, and have no record of ownership of that
node whatsoever. I find that a fairly unlikely scenario, to be honest.
On 18/11/14 19:10, Dan Rogers wrote:
>
>
> IMO there could occasionally be reason
Not that hard;
- pay in bitcoins
- only login to node using Tor / Tails
On 18/11/14 18:16, Niklas Kielblock wrote:
> This only applies if you're able to rid your hardware of all evidence
> of ever connecting to your node, and have no record of ownership of
> that node whatsoever. I find that a f
On Tue, 18 Nov 2014 09:40:13 -0800, Ryan Getz wrote:
As Libertas said, pub key auth is generally best... or even for some,
disabling SSH altogether may be possible. If your relay is a VPS and you
have access to a (java) console or some form of IPMI/drac/iLo
management, you may not even need ss
On 11/18/2014 11:18 AM, Dan Rogers wrote:
>
> Not that hard;
>
> - pay in bitcoins
After mixing them through several independent wallets, of course ;)
The hardest part is finding hosting that allows exits for anonymous
accounts :(
> - only login to node using Tor / Tails
>
>
>
>
> On 18/11
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Here's an interesting and relevant talk on SSH security:
http://www.bsdcan.org/2013/schedule/events/403.en.html
On 11/18/2014 12:38 PM, Kevin de Bie wrote:
>
> Fail2Ban works really well. Shifting to a non standard port only
> stops the scriptkids
You could also just want on the spot access to your box without needing
some key. I personally believe a proper un/pw combination used in
conjunction with fail2ban is sufficiently secure for pretty much anything
that is not a high risk target.
On Tue, 18 Nov 2014 at 19:10, Dan Rogers wrote:
>
>
> I
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Tor nodes, particularly Tor exit nodes, are high risk targets.
Also, the key is accessed from your ~/.ssh directory automatically, so
it's actually easier than password auth. Just give the SSH command and
you're in!
On 11/18/2014 01:41 PM, Kevin de
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Password brute-forcing is still a threat with fail2ban because your
username and password can be compromised without your knowledge more
easily than a private key. It's discussed in this talk, which I linked
earlier:
http://www.bsdcan.org/2013/sched
On Tue, Nov 18, 2014 at 09:43:53AM -0800, Andy Isaacson wrote:
> On Tue, Nov 18, 2014 at 10:09:37AM -0500, Libertas wrote:
> > * SSH being served on a non-standard port - something other than port
> > 22. This is a good idea, as many brute-force attackers will only
> > bother trying port 22.
>
> I
On Tue, Nov 18, 2014 at 10:09:37AM -0500, Libertas wrote:
> Hi, everyone. Linked below is a list of relays that were live last night
> along with the SSH authentication methods they support:
[snip]
> Generally, it is far more secure to allow only public key auth.
Nobody has mentioned using single
Great work Libertas! Glad to see my relay didn't come up with any results :)
Colin
On November 18, 2014 10:09:37 AM EST, Libertas wrote:
>-BEGIN PGP SIGNED MESSAGE-
>Hash: SHA256
>
>Hi, everyone. Linked below is a list of relays that were live last
>night
>along with the SSH authenticati
On Tue, 18 Nov 2014 18:10:02 +, Dan Rogers wrote:
>
>
> IMO there could occasionally be reasons not to use key logins (although
> I do normally disable pwd login). E.g. if I have a key, I then have
> evidence somewhere (USB/HD),
"Oh, that ssh key? That is for accessing my home server on DS
On Tue, 18 Nov 2014 10:09:37 +, Libertas wrote:
> -BEGIN PGP SIGNED MESSAGE-
...
> https://gist.githubusercontent.com/plsql/27e80e6dab421f8cba6c/raw/8bb0c7aa9d22b8c959834e9db8c80b6511bdf093/gistfile1.txt
Ouch. You might run that in a few days and post the diff. :-)
Andreas
--
"Total
On 11/18/2014 08:10 PM, Philipp Winter wrote:
> On Tue, Nov 18, 2014 at 09:43:53AM -0800, Andy Isaacson wrote:
>> On Tue, Nov 18, 2014 at 10:09:37AM -0500, Libertas wrote:
>>> * SSH being served on a non-standard port - something other than port
>>> 22. This is a good idea, as many brute-force atta
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
On 11/18/2014 01:10 PM, Dan Rogers wrote:
> if I have a key, I then have evidence somewhere (USB/HD), whereas
> a secure password can be kept only in my head (until they
> waterboard me).
Why not just encrypt your home directory? It's very easy in m
On 18.11.2014 18:40, Dan Thill wrote:
> In my equally limited experience, my piddly middle relay went from about
> 100 SSH related fail2bans/day to zero when I changed the port. I fully
> recognize changing the port is mere obfuscation (I use public key
> anyways), but I just got tired of seeing t
On 2014-11-18 18:46, Jeroen Massar wrote:
> Hence let's make a little list for clarity in order of "should at least do":
>
> - Use SSH Authentication
> - Disable Password Authentication
> - Use Fail2ban
> - Restrict on IP address (no need for fail2ban then)
Additionally - with ssh over hidden ser
One of the reasons I'd love to see a MirageOS port (or, rather,
reimplementation) of little-t tor is, it wouldn't *need* any
administrative access. It'd be a black box that speaks the cell
protocol.
32 matches