From: Mark Felder
To: freebsd-questions@freebsd.org
Subject: Re: sshguard pf
Date: Wed, 05 Nov 2014 15:38:09 -0600

On Wed, Nov 5, 2014, at 13:55, jd1008 wrote:
> I read the web page you cite.
> However, this is for the client side.
> What about the server side? How does this
> affect attacks against the server?
>

No, this is for the *server*. When someone tries to ssh to the server
without a valid ssh key they will get two prompts: a passcode, and their
password. As a result, brute forcing the always-changing passcode *and*
the password is going to be nearly impossible; they have no idea if they
get the password correct as long as they don't get the passcode correct
at the same time.

Note, this doesn't stop the bots from trying, but it prevents them from
ever being successful. You could enable root SSH and set your password
to "password"[1] and they still wouldn't compromise your server because
they don't know how to authenticate through this mechanism and guessing
the ever-changing passcode would be highly unlikely.

[1] Don't actually do this, though.
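The combined check described in the message above, as an added example that is not part of the original post or of any tool it refers to. It assumes the changing passcode is an RFC 6238 TOTP, which the message does not state; the function names, the account record and the sample secret are constructed for illustration.

```python
import hashlib
import hmac
import struct

def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time window containing `now`."""
    counter = struct.pack(">Q", int(now) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow password hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def authenticate(account: dict, passcode: str, password: str, now: float) -> bool:
    """Evaluate both factors on every attempt and return one combined verdict."""
    # Accept the current and the previous window to tolerate clock skew.
    windows = [totp(account["secret"], now - skew) for skew in (0, 30)]
    # A list (not a generator) so every window is compared on every attempt.
    code_ok = any([hmac.compare_digest(passcode.encode(), w.encode())
                   for w in windows])
    pw_ok = hmac.compare_digest(hash_password(password, account["salt"]),
                                account["pw_hash"])
    # No short-circuit and no per-factor error message: a guesser who hits
    # the right password with a wrong passcode sees the same failure as one
    # who got both wrong, so the password cannot be confirmed on its own.
    return code_ok & pw_ok

# Constructed sample account: the secret is the RFC 6238 test key and the
# password is the deliberately weak one from the message.
SALT = b"constructed-salt"
ACCOUNT = {
    "secret": b"12345678901234567890",
    "salt": SALT,
    "pw_hash": hash_password("password", SALT),
}

if __name__ == "__main__":
    t = 59  # constructed timestamp (seconds since the epoch)
    code = totp(ACCOUNT["secret"], t)
    for attempt in [(code, "password"), ("000000", "password"), (code, "hunter2")]:
        print(attempt, "->", authenticate(ACCOUNT, attempt[0], attempt[1], t))
```
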