From owner-freebsd-questions@FreeBSD.ORG  Tue Jun 23 06:46:51 2009
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id C8FE41065674
	for <freebsd-questions@freebsd.org>;
	Tue, 23 Jun 2009 06:46:51 +0000 (UTC)
	(envelope-from wojtek@wojtek.tensor.gdynia.pl)
Received: from wojtek.tensor.gdynia.pl (wojtek.tensor.gdynia.pl
	[IPv6:2001:4070:101:2::2])
	by mx1.freebsd.org (Postfix) with ESMTP id CBDDE8FC12
	for <freebsd-questions@freebsd.org>;
	Tue, 23 Jun 2009 06:46:49 +0000 (UTC)
	(envelope-from wojtek@wojtek.tensor.gdynia.pl)
Received: from wojtek.tensor.gdynia.pl (localhost [IPv6:::1])
	by wojtek.tensor.gdynia.pl (8.14.3/8.14.3) with ESMTP id n5N6ixlm054900;
	Tue, 23 Jun 2009 08:45:00 +0200 (CEST)
	(envelope-from wojtek@wojtek.tensor.gdynia.pl)
Received: from localhost (wojtek@localhost)
	by wojtek.tensor.gdynia.pl (8.14.3/8.14.3/Submit) with ESMTP id
	n5N6ivn8054897; Tue, 23 Jun 2009 08:44:58 +0200 (CEST)
	(envelope-from wojtek@wojtek.tensor.gdynia.pl)
Date: Tue, 23 Jun 2009 08:44:56 +0200 (CEST)
From: Wojciech Puchar <wojtek@wojtek.tensor.gdynia.pl>
To: Benjamin Lee <ben@b1c1l1.com>
In-Reply-To: <4A403324.6090300@b1c1l1.com>
Message-ID: <alpine.BSF.2.00.0906230839170.54856@wojtek.tensor.gdynia.pl>
References: <b6c05a470906221816l4001b92cu82270632440ee8a@mail.gmail.com>
	<4A403324.6090300@b1c1l1.com>
User-Agent: Alpine 2.00 (BSF 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Cc: Daniel Underwood <djuatdelta@gmail.com>, freebsd-questions@freebsd.org
Subject: Re: Best practices for securing SSH server
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Jun 2009 06:46:52 -0000

> If for some reason you would prefer to use password authentication, I
> would recommend that you look into automatic brute force detection.
> There are a number of utilities in ports available for this purpose,
> including security/sshguard and security/denyhosts.

good, but not really important with properly chosen password.
You can't do more than maybe 10 attempts/second this way, while cracking 
10 character password consisting of just small letters and digits needs

36^10=3656158440062976 possible passwords, and over 11 milion years to 
check all possibilities, so say 100000 years if someone is really lucky 
and will get it after checking 1% possible password.

Of course - you must not look at logs in 100000 years and not see this 10 
attempts per second.



I give this example against common paranoia that exist on that group - mix 
of real "security paranoid" persons and pseudo-experts that like to repeat 
"intelligent" phrases to show up themselves.

Actually - there is no need for extra protection for ssh, but for humans.

99% of crack attempts are done by "kevin mitnick" methods, not password 
cracking.