From: Nino J
Date: Thu, 1 Oct 2015 08:52:47 +0200
Subject: Re: SSHguard & IPFW
To: Ian Smith
Cc: User Questions

On Wed, Sep 30, 2015 at 7:58 PM, Ian Smith wrote:

> I'm more paranoid and only allow addresses in a table to access sshd's
> port, with a couple of roaming users who need to check mail to update
> their IP before login .. but this is great news for sshguard users.

It's not necessarily paranoid. It depends on your risk assessment. I'm primarily defending against brute-force attacks and sshguard effectively solves that. If I were concerned about a possible vulnerability in sshd that would allow an attacker to bypass the login process or crash sshd on a machine where ssh access is critical, restricting access to known IPs only would be a perfectly reasonable solution.

On a side note, if I understood correctly, you're modifying IPFW rules based on a user successfully checking mail, basically a sort of port-knocking? Or have I totally misinterpreted? :)

--
Nino