Great work Libertas! Glad to see my relay didn't come up with any results :)
Colin

On November 18, 2014 10:09:37 AM EST, Libertas <liber...@mykolab.com> wrote:
>Hi, everyone. Linked below is a list of relays that were live last night
>along with the SSH authentication methods they support:
>
>https://gist.githubusercontent.com/plsql/27e80e6dab421f8cba6c/raw/8bb0c7aa9d22b8c959834e9db8c80b6511bdf093/gistfile1.txt
>
>If no auth methods are listed, the SSH connection to the relay failed
>(more on that below).
>
>I used this script to generate it:
>
>https://github.com/plsql/ssh-auth-methods
>
>The purpose of this is to alert relay operators that are still
>allowing password authentication. 2,051 relays offered password auth,
>and many more likely offer similarly insecure methods or were missed
>for reasons discussed below.
>
>Generally, it is far more secure to allow only public key auth. The
>Ubuntu help pages have a good guide on setting up key-based auth:
>
>https://help.ubuntu.com/community/SSH/OpenSSH/Keys
>
>Be sure to disable password authentication after you get key-based
>auth working!
>
>https://help.ubuntu.com/community/SSH/OpenSSH/Configuring#disable-password-authentication
>
>To test whether password auth is still supported, use my script (the
>README is pretty thorough) or try SSHing from a machine that doesn't
>have access to your private key. In the latter case, you should get
>the response 'Permission denied (publickey).' immediately.
>
>If you're having issues, make sure that you've restarted sshd since
>the last time you changed the config.
>
>Be sure to back up the node's secret key or your SSH private key, but
>only somewhere safe! For example, store it in a password manager
>database on Tarsnap or a USB.
>
>This script doesn't attempt any kind of authentication or unauthorized
>access, so it's about as benign as network scanning scripts come.
>Regardless, let me know if you have any concerns.
>
>It made successful SSH connections with 2839 / 6551 relays. Reasons
>for failure include:
>
>* SSH being served on a non-standard port - something other than port
>22. This is a good idea, as many brute-force attackers will only
>bother trying port 22. The script I wrote could have used an alternate
>port number supplied from nmap, but this would run much slower and
>would potentially get my VPS blocked before it could even get the SSH
>information.
>
>* The server only allowing SSH connections from certain IP addresses.
>This is also commonly recommended, although it can be a little rigid
>if you don't have a VPN with a static IP (what if your server goes
>down while you're away from home?).
>
>* The server going down between when I downloaded the consensus and
>when I ran the script.
>
>* My VPS's IP address getting added to a shared blacklist that the
>server uses.
>
>* etc.
>
>If I gave any poor advice or got anything wrong, please let me know.
>
>Libertas
>_______________________________________________
>tor-relays mailing list
>tor-relays@lists.torproject.org
>https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
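Added example (not part of the original e-mails or of the linked script): a local check of sshd_config text for the quoted advice to disable password authentication. It relies on sshd keeping the first value it reads for each keyword, so a `PasswordAuthentication no` appended below an earlier `yes` changes nothing. The function names and the sample config are constructed for illustration, and `Include` files are not followed.

```python
# OpenSSH defaults, used when a keyword is absent from the file.
DEFAULTS = {"passwordauthentication": "yes",
            "kbdinteractiveauthentication": "yes"}
# Older configs use the deprecated name for keyboard-interactive auth.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
# Constructed sample, not taken from any real relay.
SAMPLE = """\
PasswordAuthentication yes
ChallengeResponseAuthentication no
# appended later by the operator, but the first value above already won
PasswordAuthentication no
Match Address 203.0.113.0/24
    PasswordAuthentication yes
"""


def effective_auth(config_text):
    """Return (global settings, [(match criteria, keyword, value), ...])."""
    seen, overrides, match = {}, [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)  # tolerate Keyword=value
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        rest = parts[1] if len(parts) > 1 else ""
        if key == "match":            # everything below applies conditionally
            match = rest
        elif key in DEFAULTS:
            value = (rest.split() or [""])[0].strip('"').lower()
            if match is None:
                seen.setdefault(key, value)   # sshd keeps the first value
            else:
                overrides.append((match, key, value))
    return {k: seen.get(k, d) for k, d in DEFAULTS.items()}, overrides


def findings(config_text):
    """List settings that leave password-style logins enabled."""
    settings, overrides = effective_auth(config_text)
    out = [f"global {k} is {settings[k]}"
           for k in DEFAULTS if settings[k] != "no"]
    out += [f"Match {m}: {k} {v}" for m, k, v in overrides
            if v != "no"]
    return out


if __name__ == "__main__":
    print("\n".join(findings(SAMPLE)))
```

On a live host, `sshd -T` prints the effective configuration, including included files, and is the authoritative check.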