From: Daniel Underwood
To: freebsd-questions@freebsd.org
Date: Mon, 22 Jun 2009 21:16:35 -0400
Subject: Best practices for securing SSH server

On a BSD box at work (on an extremely fast connection and static IP), I run an SSH server. I am the only person who uses the server, but I use it from some locations that are behind a dynamic IP (so I can't set pf rules to filter by IP). I will always, however, use the same laptop to connect to the server. Due to the speed and location of the connection, it's a relatively high-risk target.

What are some good practices for securing this SSH server? Is using a stored key safer than a password in this instance? I have no experience with port-knocking, but I'd appreciate some tips or suggested beginning references...

I welcome any and all advice.

Note: I do require X11 forwarding (not sure whether that's relevant information).

TIA,
Daniel