From: Moti
To: Benjamin Lee
Cc: Daniel Underwood, freebsd-questions@freebsd.org
Date: Mon, 22 Jun 2009 21:56:51 -0400
Subject: Re: Best practices for securing SSH server
Message-ID: <104311c40906221856u4beeb234jcc3a9ad5d9ddffc5@mail.gmail.com>
In-Reply-To: <4A403324.6090300@b1c1l1.com>

On Mon, Jun 22, 2009 at 9:43 PM, Benjamin Lee wrote:
> On 06/22/2009 06:16 PM, Daniel Underwood wrote:
> > On a BSD box at work (at an extremely fast connection and static IP),
> > I run an SSH server. I am the only person who uses the server, but I
> > use it from some locations that are behind a dynamic IP (so I can't
> > set pf rules to filter by IP). I will always, however, use the same
> > laptop to connect to the server. Due to the speed and location of the
> > connection, it's a relatively high-risk target.
> >
> > What are some good practices for securing this SSH server? Is using a
> > stored key safer than a password in this instance? I have no
> > experience with port-knocking, but I'd appreciate some tips or
> > suggested beginning references... I welcome any and all advice.
> >
> > Note: I do require X11 forwarding (not sure whether that's relevant
> > information)
>
> I have password authentication disabled on my public SSH server. You
> can accomplish this by setting:
>
>     ChallengeResponseAuthentication no
>
> in /etc/ssh/sshd_config. See sshd_config(5) for more information.
>
> This allows you to enforce the use of stronger authentication methods
> (e.g. public key). Keep in mind, however, that this setup will only be
> secure if you keep your alternate credentials (e.g. private key) secure
> as well.
>
> If for some reason you would prefer to use password authentication, I
> would recommend that you look into automatic brute force detection.
> There are a number of utilities in ports available for this purpose,
> including security/sshguard and security/denyhosts.
>
> --
> Benjamin Lee
> http://www.b1c1l1.com/

Prevent brute force scans:

  Option a (my favorite): change the SSH port number.
  Option b (works just as well, but with more junk in your logs): install a
  brute force blocker (it's in the ports ..).

Create an explicit login group:

  Add "AllowGroups groupname" to your sshd config, add the group to your
  groups file and make sure you / anyone with access is a member of that
  group.

Force SSH version 2 only - just for kicks :)
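As an added example, not part of the thread, here is a POSIX shell audit script that reads an sshd_config the way sshd does (first occurrence of a keyword wins, keywords are case-insensitive, the global section ends at the first Match block) and reports which of the settings raised above are still weak. It checks both PasswordAuthentication and ChallengeResponseAuthentication, since either one can accept a password. The two sample configs and the group name sshusers are constructed for the demonstration.

```shell
#!/bin/sh
# Audit an sshd_config for the hardening settings discussed in this thread.
# Parsing follows sshd: FIRST occurrence of a keyword wins, keywords are
# case-insensitive, '#' starts a comment, blanks or '=' separate keyword and
# value, and everything after the first Match block is conditional (ignored here).

# sshd_get FILE KEYWORD -> prints the effective global value, or nothing if unset
sshd_get() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }           # comment or blank line
        {
            line = $0; sub(/^[ \t]+/, "", line)     # drop leading blanks
            kw = line; sub(/[ \t=].*$/, "", kw)     # keyword: text up to a blank or "="
            val = substr(line, length(kw) + 1)
            sub(/^[ \t=]+/, "", val); sub(/[ \t]+$/, "", val)
        }
        tolower(kw) == "match" { exit }            # global section ends here
        tolower(kw) == key     { print val; exit } # first occurrence wins
    ' "$1"
}
# sshd_audit FILE -> one line per weak or missing setting (no output = nothing found)
sshd_audit() {
    cfg="$1"
    v=$(sshd_get "$cfg" PasswordAuthentication)
    [ "${v:-yes}" = "no" ] || echo "PasswordAuthentication=${v:-yes}: password logins still accepted"
    v=$(sshd_get "$cfg" ChallengeResponseAuthentication)
    [ "${v:-yes}" = "no" ] || echo "ChallengeResponseAuthentication=${v:-yes}: keyboard-interactive passwords still accepted"
    v=$(sshd_get "$cfg" AllowGroups)
    [ -n "$v" ] || echo "AllowGroups unset: every account with a shell may log in"
    v=$(sshd_get "$cfg" Protocol)
    [ "$v" = "2" ] || echo "Protocol=${v:-unset}: pin it to 2 so SSH-1 cannot be negotiated"
    v=$(sshd_get "$cfg" Port)
    [ "${v:-22}" != "22" ] || echo "Port=22: default port, expect scanner noise in the logs"
}

# Constructed sample: a stock-looking config; the Match block must NOT count as global
WEAK_CFG=$(mktemp "${TMPDIR:-/tmp}/sshd_audit.XXXXXX"); cat > "$WEAK_CFG" <<'EOF'
#PasswordAuthentication yes
Match User backup
    PasswordAuthentication no
EOF
# Constructed sample: the configuration the thread arrives at (group name assumed)
HARD_CFG=$(mktemp "${TMPDIR:-/tmp}/sshd_audit.XXXXXX"); cat > "$HARD_CFG" <<'EOF'
Port=2222
Protocol 2
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowGroups sshusers
EOF
echo "== weak =="; sshd_audit "$WEAK_CFG"; echo "== hardened =="; sshd_audit "$HARD_CFG"
```

Run it against /etc/ssh/sshd_config on the server in question; an empty report means every setting discussed in the thread is in place, and a non-empty one names what to change.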