[tor-relays] List of Relays' Available SSH Auth Methods
Colin Mahns
colinmahns at riseup.net
Tue Nov 18 19:42:12 UTC 2014
Great work Libertas! Glad to see my relay didn't come up with any results :)
Colin
On November 18, 2014 10:09:37 AM EST, Libertas <libertas at mykolab.com> wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA256
>
>Hi, everyone. Linked below is a list of relays that were live last
>night
>along with the SSH authentication methods they support:
>
>https://gist.githubusercontent.com/plsql/27e80e6dab421f8cba6c/raw/8bb0c7aa9d22b8c959834e9db8c80b6511bdf093/gistfile1.txt
>
>If no auth methods are listed, the SSH connection to the relay failed
>(more on that below).
>
>I used this script to generate it:
>
>https://github.com/plsql/ssh-auth-methods
>
>The purpose of this is to alert relay operators that are still
>allowing password authentication. 2,051 relays offered password auth,
>and many more likely offer similarly insecure methods or were missed
>for reasons discussed below.
>
>Generally, it is far more secure to allow only public key auth. The
>Ubuntu help pages have a good guide on setting up key-based auth:
>
>https://help.ubuntu.com/community/SSH/OpenSSH/Keys
>
>Be sure to disable password authentication after you get key-based
>auth working!
>
>https://help.ubuntu.com/community/SSH/OpenSSH/Configuring#disable-password-authentication
>
>To test whether password auth is still supported, use my script (the
>README is pretty thorough) or try SSHing from a machine that doesn't
>have access to your private key. In the latter case, you should get
>the response 'Permission denied (publickey).' immediately.
>
>If you're having issues, make sure that you've restarted sshd since
>the last time you changed the config.
>
>Be sure to back up the node's secret key or your SSH private key, but
>only somewhere safe! For example, store it in a password manager
>database on Tarsnap or a USB.
>
>This script doesn't attempt any kind of authentication or unauthorized
>access, so it's about as benign as network scanning scripts come.
>Regardless, let me know if you have any concerns.
>
>It made successful SSH connections with 2839 / 6551 relays. Reasons
>for failure include:
>
>* SSH being served on a non-standard port - something other than port
>22. This is a good idea, as many brute-force attackers will only
>bother trying port 22. The script I wrote could have used an alternate
>port number supplied from nmap, but this would run much slower and
>would potentially get my VPS blocked before it could even get the SSH
>information.
>
>* The server only allowing SSH connections from certain IP addresses.
>This is also commonly recommended, although it can be a little rigid
>if you don't have a VPN with a static IP (what if your server goes
>down while you're away from home?).
>
>* The server going down between when I downloaded the consensus and
>when I ran the script.
>
>* My VPS's IP address getting added to a shared blacklist that the
>server uses.
>
>* etc.
>
>If I gave any poor advice or got anything wrong, please let me know.
>
>Libertas
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v1
>
>iQIcBAEBCAAGBQJUa2ExAAoJELxHvGCsI27Np8IP/2duANtd55hs5L9IskFD2REe
>9x5TR+uwZ54GhYLiFc+qiX3JnfoxfurZW7vi++D4R3E9L7nGo5weEZd0b88yJ6kx
>fUT9QG8gq2RFYdG+RQgYoEI9mLNObK/uc6J9qV3Y7dLOE/may6t6BDWpQTh7g5BJ
>8fOnhrqjs0JdfTldc6xzrHT+m1dKBpylWus/WwGaJBReKOx6v7FoMEY53qowK0iA
>Vb5QS4idYb5WWF+K3Uzqk56v6sUzds/LTTlVc/R6mxjdse4AiMXO3DZsEffhI95W
>8xSuw45e/Cfv/j80njsm4O1gFnrqyv/KcGwmL7vNPmtH4+i6dijTbBRroVElm1o3
>LQBgCdUmQLz7njeprKnw8xdKT9X3oht4p9VZDfqWogXGiqRRdEtQCVUVhJp+ZrPA
>KrJBtV/IbYxyndhzC5cMAcTQUff0SOvDtzFnC4cxUbxSemtuO1NMwnIZtv3aGmG5
>NEfXS3RjaUlZeZPZuymBDL1CnFqki6+eBDvka8ZOhL1/BgmDqcgT7nRWhlC5MtCG
>wBAfuJWB8BZl2PHg66VUN9X05TeHbVmrlyuRXaZO6SZof0Wp5vPjzJ1mKD6AyTlt
>Y/7liLapWgCVSYldohvbLB016iO/aHyGf3oTvZqUyG3NyD267aRQCDQ+sZZq7Cdz
>+eQO5eJLW/gFNXEptaJz
>=alRk
>-----END PGP SIGNATURE-----
>_______________________________________________
>tor-relays mailing list
>tor-relays at lists.torproject.org
>https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.torproject.org/pipermail/tor-relays/attachments/20141118/f99348ba/attachment.html>
More information about the tor-relays
mailing list