From: "Earl E. Gay III" <earl@eeg3.net>
To: Daniel Underwood
Cc: freebsd-questions@freebsd.org
Date: Mon, 22 Jun 2009 22:39:55 -0400
Subject: Re: Best practices for securing SSH server
List: freebsd-questions@freebsd.org (User questions)

On Mon, Jun 22, 2009 at 9:16 PM, Daniel Underwood wrote:
> On a BSD box at work (at an extremely fast connection and static IP),
> I run an SSH server. I am the only person who uses the server, but I
> use it from some locations that are behind a dynamic IP (so I can't
> set pf rules to filter by IP). I will always, however, use the same
> laptop to connect to the server. Due to the speed and location of the
> connection, it's a relatively high-risk target.
>
> What are some good practices for securing this SSH server? Is using a
> stored key safer than a password in this instance? I have no
> experience with port-knocking, but I'd appreciate some tips or
> suggested beginning references... I welcome any and all advice.
>
> Note: I do require X11 forwarding (not sure whether that's relevant
> information)
>
> TIA,
> Daniel

Even though your IP is dynamic, I'd imagine you could still set pf rules to only allow SSH from certain IP ranges, which is better than nothing.
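An added example, not part of the reply above or the poster's own configuration: a pf.conf fragment that limits SSH to the ISP ranges the dynamic addresses come from and rate-limits even those, paired with an sshd_config fragment that switches to key-only authentication while keeping the X11 forwarding the poster needs. The interface name `em0`, the ranges `192.0.2.0/24` and `198.51.100.0/24`, and the username `daniel` are placeholders to be replaced with the real values. Restricting to an ISP's range still admits every other customer of that ISP, so the range filter only narrows the attacker pool; the key-only setting is what removes password guessing as an attack.

```conf
# /etc/pf.conf (fragment; added example, interface and ranges are assumptions)
ext_if = "em0"

# ISP ranges the dynamic client addresses fall into. Replace the placeholders
# with the blocks found via whois for each location's address.
table <ssh_ok> { 192.0.2.0/24, 198.51.100.0/24 }

# Addresses that opened too many SSH connections too quickly land here.
table <ssh_abusers> persist

set skip on lo0

# Default deny inbound; log it so brute-force attempts show up in pflog.
block in log on $ext_if

# Anyone already flagged as abusive is dropped before the pass rule is reached.
block in quick on $ext_if from <ssh_abusers>

# Permit SSH only from the allowed ranges. More than 5 new connections in
# 30 seconds from one source address adds it to <ssh_abusers> and flushes
# every state it already holds.
pass in on $ext_if proto tcp from <ssh_ok> to ($ext_if) port 22 \
    flags S/SA keep state \
    (max-src-conn-rate 5/30, overload <ssh_abusers> flush global)

# /etc/ssh/sshd_config (fragment; added example, username is an assumption)
Port 22
Protocol 2
PermitRootLogin no
AllowUsers daniel
PubkeyAuthentication yes
# Key-only login: a guessed password is useless without the private key.
PasswordAuthentication no
ChallengeResponseAuthentication no
# X11 forwarding is required by the poster; binding the proxy display to
# localhost keeps it off the external interface.
X11Forwarding yes
X11UseLocalhost yes
MaxAuthTries 3
LoginGraceTime 30
```

Check both files before reloading: `pfctl -nf /etc/pf.conf` parses the ruleset without loading it, and `sshd -t` validates sshd_config. Generate the key on the laptop with `ssh-keygen -t rsa` and give it a passphrase, since a stolen laptop would otherwise carry a ready-to-use credential; put the public key in `~/.ssh/authorized_keys` on the server with mode 600 and leave one existing session open while testing so a mistake does not lock you out.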