From owner-freebsd-questions@FreeBSD.ORG Tue Jun 23 05:52:03 2009
Message-ID: <4A406D81.3010803@locolomo.org>
Date: Tue, 23 Jun 2009 07:52:01 +0200
From: Erik Norgaard
To: Daniel Underwood
Cc: freebsd-questions@freebsd.org
Subject: Re: Best practices for securing SSH server

Daniel Underwood wrote:
> On a BSD box at work (at an extremely fast connection and static IP),
> I run an SSH server. I am the only person who uses the server, but I
> use it from some locations that are behind a dynamic IP (so I can't
> set pf rules to filter by IP). I will always, however, use the same
> laptop to connect to the server. Due to the speed and location of the
> connection, it's a relatively high-risk target.
>
> What are some good practices for securing this SSH server? Is using a
> stored key safer than a password in this instance?
> I have no experience with port-knocking, but I'd appreciate some tips or
> suggested beginning references... I welcome any and all advice.
>
> Note: I do require X11 forwarding (not sure whether that's relevant information)

Hi:

If you're the only one using this server then you definitely should allow key authentication only; there are lots of automatic brute force attacks with password authentication, even if they only try bad passwords.

Second, you should allow login only for the relevant user(s)/group(s), using AllowUsers/AllowGroups, and of course disable root login.

Third, even if you connect from dynamic IPs, you can filter a lot of undesired connections. From the regional registries you can download address delegation files and filter out ranges assigned to countries that you never plan on visiting, or even enable/disable countries. I created a script for generating such lists, www.locolomo.org/pub/src/toolbox/inet.pl

I do not believe that tricks like running ssh on a non-standard port or using port-knocking provide much extra security.

BR, Erik

-- 
Erik Nørgaard
Ph: +34.666334818/+34.915211157
http://www.locolomo.org
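As an added example (not from the thread, and not Erik's own configuration), here is an sshd_config fragment that applies the first two points of the reply on a FreeBSD box: key-only authentication, no root login, and login restricted to one account. The account name `daniel` is a placeholder for the one user who needs access; X11 forwarding is left on because the original poster requires it.

```sshd_config
# Added example, not from the mailing-list thread. "daniel" is a placeholder.
#
# Settings this fragment replaces:
#   PermitRootLogin yes
#   PasswordAuthentication yes
#   ChallengeResponseAuthentication yes

Protocol 2
PermitRootLogin no

# Keys only. Both password paths must be closed: FreeBSD's sshd uses PAM,
# and with ChallengeResponseAuthentication left on, keyboard-interactive
# still accepts the account password even when PasswordAuthentication is off.
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no

# Only the one account that needs remote access (AllowGroups works the same way)
AllowUsers daniel

# Required by the original poster
X11Forwarding yes
```

Before reloading, check the file with `sshd -t`, then confirm the effective values with `sshd -T | grep -Ei 'authentication|permitrootlogin|allowusers'`. Keep the current session open and verify that a fresh key-based login works, and that a password attempt is refused, before closing it.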
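The third point, building pf table entries from the regional registries' address delegation files, as an added example. This is my own Python, not Erik's inet.pl, and it works on a constructed sample in the RIR "delegated" statistics format (the records and the country code `XX` are made up; `198.51.100.0/22` is documentation space). It handles the general case rather than one line of the format: IPv4 records carry a start address and a host count that is not always a power of two, so each range is split into proper CIDR blocks, and IPv6 records carry a prefix length directly.

```python
import ipaddress

# Constructed sample in the RIR "delegated" statistics format
# (registry|cc|type|start|value|date|status). Example records only,
# not real allocations.
SAMPLE_DELEGATED = """\
2|ripencc|20090622|3|19830705|20090622|+0200
ripencc|*|ipv4|*|100|summary
ripencc|ES|ipv4|85.48.0.0|524288|20050303|allocated
ripencc|ES|ipv4|80.58.0.0|65536|20000904|allocated
ripencc|DK|ipv4|130.225.0.0|65536|19890601|assigned
ripencc|XX|ipv4|198.51.100.0|768|20090101|allocated
ripencc|DK|ipv6|2001:878::|32|20020325|allocated
ripencc|ES|asn|3352|1|19950101|allocated
"""


def parse_delegated(text):
    """Yield (country_code, network) for every IPv4/IPv6 record.

    The version line, summary lines, comments and ASN records are skipped.
    IPv4 records give a start address plus a host count, which is split
    into CIDR blocks; IPv6 records give a start address plus prefix length.
    """
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("|")
        if len(fields) < 7 or fields[2] not in ("ipv4", "ipv6"):
            continue
        cc, start, value = fields[1], fields[3], int(fields[4])
        if fields[2] == "ipv4":
            first = ipaddress.IPv4Address(start)
            last = first + (value - 1)
            # A count such as 768 yields more than one block (/23 + /24)
            for net in ipaddress.summarize_address_range(first, last):
                yield cc, net
        else:
            yield cc, ipaddress.IPv6Network(f"{start}/{value}")


def pf_table_for(text, countries):
    """Return sorted CIDR strings for the given ISO country codes,
    one per line as a pf table file expects them."""
    nets = [net for cc, net in parse_delegated(text) if cc in countries]
    nets.sort(key=lambda n: (n.version, n))
    return [str(n) for n in nets]


def is_allowed(addr, cidrs):
    """True if addr falls inside any of the CIDR strings (a quick way to
    check a client address against the generated table before deploying)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(c) for c in cidrs)


if __name__ == "__main__":
    # Countries the admin expects to connect from (assumed for the example).
    for cidr in pf_table_for(SAMPLE_DELEGATED, {"ES", "DK"}):
        print(cidr)
```

Run it against a real delegated file (for example the `delegated-ripencc-latest` file RIPE publishes), redirect the output to a file such as `/etc/pf/ssh_ok`, declare `table <ssh_ok> persist file "/etc/pf/ssh_ok"` in pf.conf with a rule that only passes SSH from `<ssh_ok>`, and refresh it without a full reload via `pfctl -t ssh_ok -T replace -f /etc/pf/ssh_ok`. Delegations change over time, so regenerate the table periodically, and test with `is_allowed` on the addresses you actually connect from before enabling the rule.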