From owner-freebsd-questions@FreeBSD.ORG Fri Apr 18 16:22:36 2008
Message-ID: <4808CA8F.9020804@mikestammer.com>
Date: Fri, 18 Apr 2008 10:21:35 -0600
From: Eric Zimmerman
User-Agent: Thunderbird 2.0.0.12 (Windows/20080213)
To: Kurt Buff
Cc: Paul Schmehl, Gary Newcombe, freebsd-questions@freebsd.org
Subject: Re: [SSHd] Limiting access from authorized IP's
References: <2tng04doovnmtkr7or9kfkb596fgjfoj1c@4ax.com> <20080418191449.212f43d3.gary@pattersonsoftware.com> <1EBA9459C137D287EEE2560D@utd65257.utdallas.edu> <4808C54B.1090403@infracaninophile.co.uk>

Kurt Buff wrote:
> On Fri, Apr 18, 2008 at 8:59 AM, Matthew Seaman wrote:
>
> At any rate, locking down ssh access is one of my concerns, for sure,
> so this discussion is helpful.
>

Wouldn't turning off password-based logins and using public and private keys (with a strong password) for ssh logins do the trick? If you limit yourself based on IP addresses, it's inevitable that you will need access from an IP NOT on your exemption list at some time (like when you are on vacation, at relatives, etc.).

Using keys to authenticate ssh sessions has worked very well for me. If you are concerned about the brute-force attempts (which can't work without the private key, which you put a strong password on), you can use something like denyhosts to block those hosts from even connecting.

hth
Eric
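The key-only setup Eric recommends comes down to a handful of sshd_config keywords, and the usual failure is a config that looks hardened but still falls back to OpenSSH's defaults. The following audit script is an added example written for this thread, not code from the list or from the OpenSSH project. It reads an sshd_config the way sshd does (comments ignored, first occurrence of a keyword wins, keywords case-insensitive, conditional Match blocks left aside) and reports whether password logins are actually disabled. The keyword names are real OpenSSH sshd_config options; the two sample config files are constructed in temporary files so the script runs offline. The denyhosts part of the advice is not covered here.

```sh
#!/bin/sh
# Added example: audit an sshd_config for key-only logins.
# Not from the original thread or the OpenSSH project.

# Print the effective value of a keyword. sshd honours the FIRST value it
# sees, treats keywords case-insensitively and ignores '#' comments; anything
# after a Match block is conditional, so we stop there. $3 is the default used
# when the keyword is absent.
sshd_opt() {
    val=$(awk -v key="$2" '
        /^[[:space:]]*#/          { next }
        tolower($1) == "match"    { exit }
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1")
    printf '%s\n' "${val:-$3}"
}

# Return 0 if the config enforces public-key logins, 1 otherwise. The defaults
# passed to sshd_opt are OpenSSH's own: password and challenge-response
# authentication are both ON unless the file says otherwise.
audit_sshd_config() {
    cfg="$1"
    ok=0
    if [ "$(sshd_opt "$cfg" PasswordAuthentication yes)" != no ]; then
        echo "FAIL: PasswordAuthentication is not 'no' (default is yes)"; ok=1
    fi
    # Keyboard-interactive auth (PAM) can still prompt for a password unless
    # this is off as well.
    if [ "$(sshd_opt "$cfg" ChallengeResponseAuthentication yes)" != no ]; then
        echo "FAIL: ChallengeResponseAuthentication is not 'no' (default is yes)"; ok=1
    fi
    if [ "$(sshd_opt "$cfg" PubkeyAuthentication yes)" != yes ]; then
        echo "FAIL: PubkeyAuthentication is not 'yes'"; ok=1
    fi
    [ "$ok" -eq 0 ] && echo "OK: $cfg enforces public-key logins"
    return "$ok"
}

# Constructed sample configs (placeholders, not any real host's files).
weak_cfg=$(mktemp)
cat > "$weak_cfg" <<'EOF'
# Looks edited, but the password setting is still commented out, so the
# default (yes) applies and brute-force guessing can succeed.
Port 22
#PasswordAuthentication yes
PubkeyAuthentication yes
EOF

hardened_cfg=$(mktemp)
cat > "$hardened_cfg" <<'EOF'
# Keys only: both password paths are explicitly off.
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
EOF
trap 'rm -f "$weak_cfg" "$hardened_cfg"' EXIT

if audit_sshd_config "$weak_cfg"; then :; fi      # expected: two FAIL lines
if audit_sshd_config "$hardened_cfg"; then :; fi  # expected: OK
```

On a live host the same check is simpler: point `audit_sshd_config` at `/etc/ssh/sshd_config`, or, on OpenSSH 5.1 and later, run `sshd -T` to print the effective configuration and grep for the three keywords. Remember that a setting only takes effect after sshd re-reads its configuration.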