Tor nodes, particularly Tor exit nodes, are high risk targets.

Also, the key is accessed from your ~/.ssh directory automatically, so it's actually easier than password auth. Just give the SSH command and you're in!

On 11/18/2014 01:41 PM, Kevin de Bie wrote:
> You could also just want on the spot access to your box without
> needing some key. I personally believe a proper un/pw combination
> used in conjunction with fail2ban is sufficiently secure for pretty
> much anything that is not a high risk target.
>
> On Tue 18 Nov 2014 at 19:10, Dan Rogers
> <d...@holdingitwrong.com> wrote:
>
> IMO there could occasionally be reasons not to use key logins
> (although I do normally disable pwd login). E.g. if I have a key,
> I then have evidence somewhere (USB/HD), whereas a secure password
> can be kept only in my head (until they waterboard me). Especially
> in countries (e.g. the UK) that can force you to hand over
> encryption keys. I'd rather have an insecure Tor node than get
> arrested (although tbh with fail2ban installed I don't think pwd
> bruteforcing is a threat).
>
> On 18/11/14 17:46, Jeroen Massar wrote:
>> On 2014-11-18 18:38, Kevin de Bie wrote:
>>> Fail2Ban works really well. Shifting to a non standard port
>>> only stops the scriptkids from having too much automated
>>> options and does not do anything for actual security. For this
>>> reason I personally never bothered with that. Non standard
>>> username and password auth with fail2ban makes brute forcing
>>> practically impossible, this is usually how I have things
>>> configured.
>> Just changing it to key-based authentication stops ALL
>> password-guessing attacks.
>>
>> You will then be left with the logs though.
>>
>> Hence let's make a little list for clarity in order of "should at
>> least do":
>>
>> - Use SSH Authentication
>> - Disable Password Authentication
>> - Use Fail2ban
>> - Restrict on IP address (no need for fail2ban then)
>>
>> Greets,
>> Jeroen
>>
>> _______________________________________________
>> tor-relays mailing list
>> tor-relays@lists.torproject.org
>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
>
> --
> Dan Rogers
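
Added example, not part of the original thread or written by any of its participants: a small Python audit that checks sshd_config text against the "should at least do" list quoted above (key authentication on, password authentication off, logins restricted by source address). It also flags keyboard-interactive authentication, which can prompt for a password through PAM. The function names, the `relayadmin` user and both sample configurations are constructed for illustration, and fail2ban is outside what this file can show.

```python
# Added example: check sshd_config text against the checklist from the thread.
# Assumes OpenSSH semantics: case-insensitive keywords, first value wins,
# AllowUsers lines accumulate. Match blocks are reported, not evaluated.
DEFAULTS = {"pubkeyauthentication": "yes", "passwordauthentication": "yes",
            "kbdinteractiveauthentication": "yes"}  # values when keyword is absent
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

# Constructed sample: non-standard port only, authentication left at defaults.
WEAK = "Port 2222\nPermitRootLogin no\n"
# Constructed sample: keys only, logins limited to documentation-range addresses.
HARDENED = ("PasswordAuthentication no\nChallengeResponseAuthentication no\n"
            "AllowUsers relayadmin@192.0.2.10 relayadmin@198.51.100.0/24\n")

def parse_global(text):
    """Return (settings, allow_users, has_match) for the global section."""
    settings, allow_users = {}, []
    for raw in text.splitlines():
        fields = raw.replace("=", " ", 1).split()
        if not fields or fields[0].startswith("#"):
            continue  # blank line or comment
        key = ALIASES.get(fields[0].lower(), fields[0].lower())
        if key == "match":
            return settings, allow_users, True
        if key == "allowusers":
            allow_users += fields[1:]
        elif len(fields) > 1:
            settings.setdefault(key, fields[1].lower())  # first value wins
    return settings, allow_users, False

def audit(text):
    """Return a list of findings; an empty list means the checklist is met."""
    settings, allow_users, has_match = parse_global(text)
    eff = {**DEFAULTS, **settings}
    findings = []
    if eff["pubkeyauthentication"] != "yes":
        findings.append("key authentication is disabled")
    if eff["passwordauthentication"] != "no":
        findings.append("password authentication is enabled")
    if eff["kbdinteractiveauthentication"] != "no":
        findings.append("keyboard-interactive authentication is enabled")
    # USER@HOST patterns restrict logins by source; a "*" host restricts nothing.
    hosts = [p.partition("@")[2] for p in allow_users]
    if not hosts or any(h in ("", "*") for h in hosts):
        findings.append("logins are not restricted by source address")
    if has_match:
        findings.append("Match blocks present, review them by hand")
    return findings
```

`audit(WEAK)` reports three findings because moving the port changes none of the authentication defaults, while `audit(HARDENED)` returns an empty list.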