Message-ID: <545A9BA9.6040502@gmail.com>
Date: Wed, 05 Nov 2014 14:50:33 -0700
From: jd1008
To: freebsd-questions@freebsd.org
Subject: Re: sshguard pf

On 11/05/2014 02:38 PM, Mark Felder wrote:
>
> On Wed, Nov 5, 2014, at 13:55, jd1008 wrote:
>> I read the web page you cite.
>> However, this is for the client side.
>> What about the server side? How does this
>> affect attacks against the server?
>>
> No, this is for the *server*. When someone tries to ssh to the server
> without a valid ssh key they will get two prompts: a passcode, and their
> password.
>
> As a result, brute forcing the always-changing passcode *and* the
> password is going to be nearly impossible; they have no idea if they get
> the password correct as long as they don't get the passcode correct at
> the same time.
>
> Note, this doesn't stop the bots from trying, but it prevents them from
> ever being successful. You could enable root SSH and set your password
> to "password"[1] and they still wouldn't compromise your server because
> they don't know how to authenticate through this mechanism and guessing
> the ever-changing passcode would be highly unlikely.
>
> [1] Don't actually do this, though.
>
Thank you Mark, I will keep doing more research on this :)
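
Added example, not part of the original messages or of any tool named in the thread: a server-side check that evaluates both prompts and returns a single verdict, so a correct password guess is indistinguishable from a wrong one while the passcode is wrong. It assumes the changing passcode is an RFC 6238 TOTP code, which the thread does not specify; `login`, `USER` and `demo` are hypothetical names and the account data is constructed.

```python
import hashlib
import hmac
import struct


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time window containing `at`."""
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def login(user: dict, passcode: str, password: str, now: float) -> bool:
    """Check both factors on every attempt and report one combined result.

    Neither check short-circuits the other, and the caller never learns
    which factor failed, so there is no oracle for the password alone.
    """
    code_ok = hmac.compare_digest(totp(user["secret"], now).encode(),
                                  passcode.encode())
    pw_ok = hmac.compare_digest(hash_password(password, user["salt"]),
                                user["pw_hash"])
    return code_ok and pw_ok


# Constructed account: the deliberately weak password from the thread and
# the RFC 6238 test secret. Not real credentials.
SALT = b"constructed-salt"
USER = {"secret": b"12345678901234567890", "salt": SALT,
        "pw_hash": hash_password("password", SALT)}


def demo(now: float = 59.0) -> dict:
    good = totp(USER["secret"], now)
    wrong = "000000" if good != "000000" else "111111"
    return {
        "right_pw_wrong_code": login(USER, wrong, "password", now),
        "wrong_pw_wrong_code": login(USER, wrong, "hunter2", now),
        "right_pw_right_code": login(USER, good, "password", now),
        "right_pw_stale_code": login(USER, good, "password", now + 60),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```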