From: Leonidas Tsampros
To: Jamie Griffin
Cc: freebsd-questions@freebsd.org
Subject: Re: securing sshd
Date: Sat, 20 Mar 2010 19:07:34 +0200
Message-ID: <87wrx69b1l.fsf@upnet.gr>
In-Reply-To: <201003201318.o2KDIcIt001241@fix.fantomatic.co.uk> (Jamie Griffin's message of "Sat, 20 Mar 2010 13:18:38 +0000 (GMT)")
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/23.1 (gnu/linux)

Jamie Griffin writes:

> Hello
>
> I've been reading up on securing sshd after being bombarded with attempted logins.
>
> The steps I've taken so far to make things more secure are:
>
> * changed the encryption method for passwords in /etc/login.conf from md5 to blowfish and changed all the passwords to ridiculously obscure ones (at least as obscure as I could think of).
>
> * changed /etc/ttys secure entries to insecure to prevent root logins on the console
>
> (the above are not really sshd specific, I know.)
>
> * Disabled root login by ssh in /etc/ssh/sshd_config
>
> * Set myself as the only user able to login by ssh
>
> * Disabled password logins completely, and only allow public key authentication
>
> * Changed the default ssh port from 22 to something much higher
>
> I'm the only user that will ever need to log into the machine. I wondered, does this setup seem ok and are there any other methods used by anyone on list that might help me to secure remote logins even further?

Hi,

I'm using the following pf snippet in order to "protect" myself and my system's logs against brute force attempts on sshd:

    # the table the overload option below fills (pf requires it to be declared)
    table <bruteforce> persist
    #
    # Block them all
    #
    block log quick from <bruteforce>
    #
    # connection rate the incoming ssh connections and fill the bruteforce
    # table
    #
    pass in log inet proto tcp from any to any port = 22 \
        flags S/SA keep state \
        (max-src-conn 10, max-src-conn-rate 5/4, \
         overload <bruteforce> flush global)

For more information on how this works, take a look at pf.conf(5).
I don't know if it's complete (or even good practice), but a) I think it works for me and b) it does not depend on a port-provided solution.

> Thanks for any help.
>
> Jamie
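The following is an added worked example, not part of Leonidas's mail and not pf's own code: a small Python model of what the rule's source-tracking options do to a stream of inbound SYNs on port 22. It shows when max-src-conn-rate 5/4 (more than 5 new connections inside a 4-second window) or max-src-conn 10 (more than 10 live states) trips, how "overload <bruteforce> flush global" puts the offender into the table and kills its states, and how "block quick from <bruteforce>" then drops everything it sends. The window arithmetic is a simplified approximation assumed here (one fixed window per source that restarts once the interval has elapsed); pf.conf(5) describes its own rate as an approximation as well. The source addresses are constructed RFC 5737 documentation addresses.

```python
"""
Model of the pf source-tracking limits from the rule above:

    max-src-conn 10, max-src-conn-rate 5/4, overload <bruteforce> flush global

Added illustration only; this is not pf's code.  The rate window is a
simplified approximation (a fixed window per source that restarts once
rate_seconds have elapsed).  Sample sources are constructed RFC 5737
documentation addresses.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class SourceTracker:
    """Per-source counters pf keeps for a rule with source tracking."""
    open_states: int = 0                  # live states from this source (max-src-conn)
    window_start: Optional[float] = None  # start of the current rate window
    window_count: int = 0                 # new connections seen in that window


@dataclass
class OverloadFilter:
    """A 'pass ... keep state (max-src-conn, max-src-conn-rate, overload ...)'
    rule preceded by 'block quick from <bruteforce>'."""
    max_src_conn: int = 10        # max-src-conn 10
    rate_limit: int = 5           # max-src-conn-rate 5/4: at most 5 new connections
    rate_seconds: float = 4.0     # ... within a 4-second window
    table: Set[str] = field(default_factory=set)   # the <bruteforce> table
    trackers: Dict[str, SourceTracker] = field(
        default_factory=lambda: defaultdict(SourceTracker))

    def syn(self, t: float, src: str) -> str:
        """Handle an inbound SYN to port 22 at time t (seconds) from src.

        Returns 'block' (source already in the table, dropped by the quick
        block rule), 'overload' (this connection tripped a limit: the source
        is added to the table and all of its states are flushed) or 'pass'.
        """
        if src in self.table:          # 'block log quick from <bruteforce>'
            return "block"
        tr = self.trackers[src]
        # Open a fresh rate window on the first connection from this source,
        # or once the previous window has expired.
        if tr.window_start is None or t - tr.window_start >= self.rate_seconds:
            tr.window_start = t
            tr.window_count = 0
        tr.window_count += 1
        tr.open_states += 1
        if tr.window_count > self.rate_limit or tr.open_states > self.max_src_conn:
            # 'overload <bruteforce> flush global': remember the offender and
            # kill every state it holds, whichever rule created them.
            self.table.add(src)
            tr.open_states = 0
            return "overload"
        return "pass"

    def close(self, src: str) -> None:
        """A connection from src finished; one fewer live state for it."""
        tr = self.trackers[src]
        tr.open_states = max(0, tr.open_states - 1)


# Constructed sample: one admin login, a scanner hitting port 22 every half
# second, then the admin again ten seconds later.
SAMPLE_SYNS: List[Tuple[float, str]] = [
    (0.0, "198.51.100.4"),
    (0.0, "203.0.113.7"), (0.5, "203.0.113.7"), (1.0, "203.0.113.7"),
    (1.5, "203.0.113.7"), (2.0, "203.0.113.7"), (2.5, "203.0.113.7"),
    (3.0, "203.0.113.7"),
    (10.0, "198.51.100.4"),
]


def run(syns: List[Tuple[float, str]]) -> Tuple[List[str], Set[str]]:
    """Feed SYNs through a fresh filter; return the verdicts and the table."""
    filt = OverloadFilter()
    verdicts = [filt.syn(t, src) for t, src in syns]
    return verdicts, filt.table


if __name__ == "__main__":
    verdicts, table = run(SAMPLE_SYNS)
    for (t, src), verdict in zip(SAMPLE_SYNS, verdicts):
        print(f"t={t:5.1f}s  {src:14}  {verdict}")
    print("bruteforce table:", sorted(table))
```

On the sample, the scanner's sixth SYN within four seconds is the one that lands it in the table, its seventh is dropped by the quick block rule, and the admin's later login still passes because its own window and state count stay well under the limits. The second limit matters for the slow case: a source that opens one connection every few seconds and never closes them never exceeds the rate, but still trips max-src-conn once it holds more than ten states, which is why the rule carries both options.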