From owner-freebsd-questions@FreeBSD.ORG Tue Jun 23 06:18:53 2009
Date: Tue, 23 Jun 2009 10:18:39 +0400
From: Jeff Laine
To: Daniel Underwood
Cc: freebsd-questions@freebsd.org
Subject: Re: Best practices for securing SSH server
Message-ID: <20090623061839.GA88030@free.bsd.loc>
Mail-Followup-To: Jeff Laine, Daniel Underwood, freebsd-questions@freebsd.org
User-Agent: Mutt/1.4.2.3i
X-Operating-System: FreeBSD 7.2-RELEASE i386
List-Id: User questions

On Mon, 06/22/09 [21:16:35], Daniel Underwood wrote:
> On a BSD box at work (at an extremely fast connection and static IP),
> I run an SSH server. I am the only person who uses the server, but I
> use it from some locations that are behind a dynamic IP (so I can't
> set pf rules to filter by IP). I will always, however, use the same
> laptop to connect to the server. Due to the speed and location of the
> connection, it's a relatively high-risk target.
>
> What are some good practices for securing this SSH server? Is using a
> stored key safer than a password in this instance? I have no
> experience with port-knocking, but I'd appreciate some tips or
> suggested beginning references... I welcome any and all advice.
>
> Note: I do require X11 forwarding (not sure whether that's relevant information)
>
> TIA,
> Daniel

To block brute-force probes on ssh I use pf with its great function
'max-src-conn-rate'. man pf.conf provides some useful hints.

--
Best regards,
Jeff
| "Nobody wants to say how this works. |
| Maybe nobody knows ..."              |
| Xorg.conf(5)                         |
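The pf rule Jeff describes, written out as an added example (not from the original mail or from the FreeBSD project). The interface name `$ext_if`, the table name `<bruteforce>`, and the thresholds (10 simultaneous connections, 5 new connections per 60 seconds) are assumptions chosen for illustration; `max-src-conn`, `max-src-conn-rate`, `overload` and `flush global` are the pf.conf state options documented in pf.conf(5).

```conf
# /etc/pf.conf fragment (added example; interface, table name and
# thresholds are assumed values, adjust to the host)
ext_if = "em0"

# Table that collects source addresses which exceeded the limits below.
# 'persist' keeps the table alive even when it is empty.
table <bruteforce> persist

set skip on lo0

# Drop everything from addresses already in the table, before any pass rule.
block in quick on $ext_if from <bruteforce>

# Allow SSH, but track per-source state:
#   max-src-conn      - at most 10 concurrent TCP connections per source
#   max-src-conn-rate - at most 5 new connections per 60 seconds per source
#   overload          - on violation, add the source to <bruteforce> and
#                       'flush global' kills all of its existing states
pass in on $ext_if proto tcp from any to ($ext_if) port ssh \
    flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 5/60, overload <bruteforce> flush global)
```

Load it with `pfctl -f /etc/pf.conf` (with `pf_enable="YES"` in rc.conf so it survives a reboot) and watch what gets caught with `pfctl -t bruteforce -T show`. Overloaded addresses stay in the table until removed, so a cron job such as `pfctl -t bruteforce -T expire 86400` is the usual way to let entries age out after a day. Two caveats for the setup in the question: the laptop behind a dynamic or NAT'd address shares that address with whoever else is behind it, so keep the rate limit loose enough that a few quick reconnects from the laptop itself do not land it in the table, and since the rule only counts TCP connection attempts, it slows down password guessing but does not replace key-only authentication in sshd.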