From: Jamie Griffin
To: freebsd-questions@freebsd.org
Date: Sat, 20 Mar 2010 17:23:51 +0000 (GMT)
Subject: Re: securing sshd
Message-Id: <201003201723.o2KHNqBd001280@fix.fantomatic.co.uk>
In-Reply-To: <87wrx69b1l.fsf@upnet.gr>

I think on reflection I might have been a little over the top with blocking password logins and I think the point about carrying a key on a USB stick, etc., is a very good one. The reason I went with that decision is because I only expect to be logging in to the server from two locations: at home or from a computer at my university, where the public key can be kept in the accounts I use at each location. Also, there are no other users logging into it so it won't be too much of a problem doing it this way, I hope.

When I saw hundreds of failed login attempts I panicked a bit I think :-) I really like the pf option and have just set up a similar rule actually, which I think will work well because I've also got it working with spamd to greylist inbound mail, as recommended by someone on this list the other day.

Really appreciate all the good advice though, thanks.

Jamie