From: TJ Varghese
To: Benjamin Lee
Cc: freebsd-questions@freebsd.org
Date: Tue, 23 Jun 2009 09:53:43 +0800
Subject: Re: Best practices for securing SSH server
In-Reply-To: <4A403324.6090300@b1c1l1.com>
References: <4A403324.6090300@b1c1l1.com>

On Tue, Jun 23, 2009 at 9:43 AM, Benjamin Lee wrote:
> On 06/22/2009 06:16 PM, Daniel Underwood wrote:
>> On a BSD box at work (at an extremely fast connection and static IP),
>> I run an SSH server. I am the only person who uses the server, but I
>> use it from some locations that are behind a dynamic IP (so I can't
>> set pf rules to filter by IP). I will always, however, use the same
>> laptop to connect to the server. Due to the speed and location of the
>> connection, it's a relatively high-risk target.
>>
>> What are some good practices for securing this SSH server? Is using a
>> stored key safer than a password in this instance? I have no
>> experience with port-knocking, but I'd appreciate some tips or
>> suggested beginning references... I welcome any and all advice.
>>
>> Note: I do require X11 forwarding (not sure whether that's relevant information)
>
> I have password authentication disabled on my public SSH server. You
> can accomplish this by setting:
>
> ChallengeResponseAuthentication no
>
> in /etc/ssh/sshd_config. See sshd_config(5) for more information.
>
> This allows you to enforce the use of stronger authentication methods
> (e.g. public key). Keep in mind, however, that this setup will only be
> secure if you keep your alternate credentials (e.g. private key) secure
> as well.
>
> If for some reason you would prefer to use password authentication, I
> would recommend that you look into automatic brute force detection.
> There are a number of utilities in ports available for this purpose,
> including security/sshguard and security/denyhosts.

I'd recommend changing the listening port to something other than 22.
This reduces brute-forcing attempts by script-kiddie tools.

Public key authentication should be mandatory, in addition to having a
passphrase to your private key.

Make sure your laptop is secure.

Stay on top of the security lists for openssh vulnerabilities.
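The sshd_config settings discussed in this thread (ChallengeResponseAuthentication no, PasswordAuthentication no, public keys only, a non-default port) are easy to get subtly wrong, because sshd_config(5) keeps the first occurrence of a keyword and ignores commented-out lines. The script below is an added example, not code from anyone in the thread: a small POSIX sh audit that reads sshd configuration text and reports which of the thread's recommendations hold. The two sample configurations inside it are constructed for the demonstration, and the `AllowUsers` account name is a placeholder. It assumes plain `Keyword value` lines as described in sshd_config(5) and does not interpret `Match` blocks; the most reliable input is the output of `sshd -T`, which prints the effective value of every keyword after defaults are applied.

```shell
#!/bin/sh
# Added example (not from the thread): audit sshd configuration text for the
# settings recommended above. Feed it /etc/ssh/sshd_config or, better, the
# output of `sshd -T`, which prints effective values with lowercased keywords.
# Match blocks are not interpreted.

# get_opt KEYWORD CONFIG_TEXT
# Prints the effective value of KEYWORD, lowercased. As in sshd_config(5),
# the first uncommented occurrence wins and keyword matching is
# case-insensitive. Prints nothing when the keyword is absent.
get_opt() {
  printf '%s\n' "$2" | awk -v key="$1" '
    /^[ \t]*#/ || NF == 0 { next }                        # comments, blank lines
    !found && tolower($1) == tolower(key) { val = $2; found = 1 }
    END { if (found) print tolower(val) }'
}

# audit_sshd_config CONFIG_TEXT
# Prints one line per finding; returns 0 when every required setting holds.
audit_sshd_config() {
  cfg=$1
  rc=0

  # Both password paths must be off: the built-in PasswordAuthentication
  # method and the PAM keyboard-interactive prompt that
  # ChallengeResponseAuthentication controls. An absent keyword counts as a
  # failure on purpose: platform defaults differ, so set both explicitly.
  for key in PasswordAuthentication ChallengeResponseAuthentication; do
    if [ "$(get_opt "$key" "$cfg")" != "no" ]; then
      echo "FAIL: $key must be set to 'no'"
      rc=1
    fi
  done

  # With passwords gone, public keys must still be accepted (default is yes).
  if [ "$(get_opt PubkeyAuthentication "$cfg")" = "no" ]; then
    echo "FAIL: PubkeyAuthentication is disabled; no method would remain"
    rc=1
  fi

  # Moving off port 22 only reduces scanner noise; it is not authentication.
  port=$(get_opt Port "$cfg")
  if [ -z "$port" ] || [ "$port" = "22" ]; then
    echo "WARN: listening on the default port 22"
  fi

  # A single-user box: limit which accounts sshd will consider at all.
  if [ -z "$(get_opt AllowUsers "$cfg")" ]; then
    echo "WARN: no AllowUsers restriction"
  fi

  return "$rc"
}

# Constructed sample: the thread's advice applied. The account name is a
# placeholder, and X11Forwarding stays on because the poster needs it.
HARDENED_CFG='
# constructed sample sshd_config
Port 2222
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AllowUsers placeholder_user
X11Forwarding yes
'

# Constructed sample: a near-default file. The commented-out lines do nothing,
# so password prompts via PAM are still accepted.
LAX_CFG='
#Port 22
#PasswordAuthentication no
ChallengeResponseAuthentication yes
X11Forwarding yes
'

echo "== hardened sample =="
audit_sshd_config "$HARDENED_CFG" && echo "PASS"
echo "== lax sample =="
if audit_sshd_config "$LAX_CFG"; then
  echo "PASS (unexpected)"
else
  echo "findings above; audit returned non-zero as expected"
fi
```

To check a live host rather than the samples, source the script and run `audit_sshd_config "$(sshd -T)"` as root; `sshd -T` needs to read the host keys. The reason for demanding an explicit `no` on both password keywords, rather than trusting an absent line, is the point Benjamin's reply turns on: on a PAM-enabled sshd the password prompt arrives through keyboard-interactive, so turning off `PasswordAuthentication` alone leaves a password path open.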