Mostly good stuff here, I'd merely suggest you use denyhosts with ssh and keep it on standard 22 with only pubkey access enabled. Serves perfectly well and ssh brute force attempts will get blocked fairly swiftly. fail2ban can also do ssh.

-Jason

On 02/26/2015 03:24 PM, Speak Freely wrote:
Hi ZEROF,
I had fail2ban, harden (which includes tiger, tripwire, logcheck, plus MANY others), all the fancy log checkers, rkhunter and clamav, unattended-upgrades, and had all logs emailed to me on a daily basis. It was tedious to go through, but I was trying to do my due diligence.
I disabled root login, changed ssh port (security through obscurity - damn right, but I kept it in the privileged range.)
Each password was a minimum of 32 characters, alphanumeric plus symbols. No two passwords were alike, or remotely similar. (No, I didn't use keys :@)
I checked "how secure is my password", and this is the result: It would take a desktop PC about 21 quattuordecillion years to crack your password
I had to look quattuordecillion up, as my spell checker doesn't know what it means. In the US, it means 1, followed by 45 zeros. (In the UK it is 10^84, but I believe the website is American so I'm sticking with ^45)
I disabled as many services as I could reasonably tolerate. I removed world rights to as much as I could think. I did everything I could think of to make each VPS effectively useless except for running a Tor relay.
My firewall matched my Reduced Exit Policy, plus my "secret" ssh port.
I never thought about the honey-pot... That's a good one.
Speak Freely

_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays