Password brute-forcing is still a threat with fail2ban because your
username and password can be compromised without your knowledge more
easily than a private key. It's discussed in this talk, which I linked
earlier:

http://www.bsdcan.org/2013/schedule/events/403.en.html

On 11/18/2014 01:10 PM, Dan Rogers wrote:
> IMO there could occasionally be reasons not to use key logins
> (although I do normally disable pwd login). E.g. if I have a key, I
> then have evidence somewhere (USB/HD), whereas a secure password
> can be kept only in my head (until they waterboard me). Especially
> in countries (e.g. the UK) that can force you to hand over
> encryption keys. I'd rather have an insecure Tor node than get
> arrested (although tbh with fail2ban installed I don't think pwd
> bruteforcing is a threat).
>
> On 18/11/14 17:46, Jeroen Massar wrote:
>> On 2014-11-18 18:38, Kevin de Bie wrote:
>>> Fail2Ban works really well. Shifting to a non standard port
>>> only stops the scriptkids from having too much automated
>>> options and does not do anything for actual security. For this
>>> reason I personally never bothered with that. Non standard
>>> username and password auth with fail2ban makes brute forcing
>>> practically impossible, this is usually how I have things
>>> configured.
>> Just changing it to key-based authentication stops ALL
>> password-guessing attacks.
>>
>> You will then be left with the logs though.
>>
>> Hence let's make a little list for clarity in order of "should at
>> least do":
>>
>> - Use SSH Authentication
>> - Disable Password Authentication
>> - Use Fail2ban
>> - Restrict on IP address (no need for fail2ban then)
>>
>> Greets,
>>  Jeroen
>>
>> _______________________________________________
>> tor-relays mailing list
>> tor-relays@lists.torproject.org
>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
>
> --
> Dan Rogers
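The checklist quoted in this thread (key authentication, no password authentication, restriction by IP address) can be checked against an sshd_config; the Python below is an added example and not part of any message in the thread. It assumes the restriction is expressed as AllowUsers user@host (a firewall rule is invisible to it), also flags keyboard-interactive authentication, and uses a constructed user name and a documentation-range address.

```python
import re
# Constructed samples, not from the thread. SAMPLE_WEAK holds a common trap: sshd
# keeps the FIRST value it reads for a keyword, so the appended "no" is ignored.
SAMPLE_WEAK = """\
PasswordAuthentication yes
# hardening appended later
PasswordAuthentication no
"""
SAMPLE_HARDENED = """\
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowUsers relayadmin@192.0.2.10
"""
DEFAULTS = {"pubkeyauthentication": "yes", "passwordauthentication": "yes",
            "kbdinteractiveauthentication": "yes"}  # upstream OpenSSH defaults
# Deprecated name for the same setting, still common in older configs.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
CHECKS = [  # (keyword, required value, finding when it differs)
    ("pubkeyauthentication", "yes", "key authentication is disabled"),
    ("passwordauthentication", "no", "password authentication is enabled"),
    ("kbdinteractiveauthentication", "no",
     "keyboard-interactive is enabled (PAM can still ask for a password)")]

def effective_global(config_text):
    """Return {keyword: value} for the global section; first occurrence wins."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1) + [""]
        key, value = ALIASES.get(parts[0].lower(), parts[0].lower()), parts[1].strip()
        if key == "match":
            break  # Match blocks are conditional; only globals are audited here
        if key == "allowusers":  # repeated AllowUsers lines accumulate
            seen[key] = (seen.get(key, "") + " " + value).strip()
        else:
            seen.setdefault(key, value)
    return seen

def audit(config_text):
    """Return findings against the thread's checklist; an empty list passes."""
    cfg = {**DEFAULTS, **effective_global(config_text)}
    findings = [msg for key, want, msg in CHECKS if cfg[key].lower() != want]
    users = cfg.get("allowusers", "").split()
    if not users or any("@" not in u for u in users):
        findings.append("AllowUsers does not restrict logins by source address")
    return findings
```

Include directives and Match blocks are not followed, so on a live host the output of `sshd -T` is the authoritative view of the effective settings.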