From owner-freebsd-questions@FreeBSD.ORG Tue Jun 23 08:59:06 2009
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 1F614106567D for ; Tue, 23 Jun 2009 08:59:06 +0000 (UTC) (envelope-from wojtek@wojtek.tensor.gdynia.pl)
Received: from wojtek.tensor.gdynia.pl (wojtek.tensor.gdynia.pl [IPv6:2001:4070:101:2::2]) by mx1.freebsd.org (Postfix) with ESMTP id 0AB0B8FC15 for ; Tue, 23 Jun 2009 08:59:04 +0000 (UTC) (envelope-from wojtek@wojtek.tensor.gdynia.pl)
Received: from wojtek.tensor.gdynia.pl (localhost [IPv6:::1]) by wojtek.tensor.gdynia.pl (8.14.3/8.14.3) with ESMTP id n5N8vTeZ055498; Tue, 23 Jun 2009 10:57:30 +0200 (CEST) (envelope-from wojtek@wojtek.tensor.gdynia.pl)
Received: from localhost (wojtek@localhost) by wojtek.tensor.gdynia.pl (8.14.3/8.14.3/Submit) with ESMTP id n5N8vRRM055495; Tue, 23 Jun 2009 10:57:28 +0200 (CEST) (envelope-from wojtek@wojtek.tensor.gdynia.pl)
Date: Tue, 23 Jun 2009 10:57:26 +0200 (CEST)
From: Wojciech Puchar
To: utisoft@gmail.com
In-Reply-To:
Message-ID:
References: <4A403324.6090300@b1c1l1.com>
User-Agent: Alpine 2.00 (BSF 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Cc: Benjamin Lee, Daniel Underwood, freebsd-questions@freebsd.org
Subject: Re: Best practices for securing SSH server
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 23 Jun 2009 08:59:06 -0000

>> 99% of crack attempts are done by "kevin mitnick" methods, not password
>> cracking.
> You're right about the probability of password breaking, but
> personally I installed denyhosts just because I got sick of this:

Indeed, it's very useful, but it's not a requirement at all to be secure :)

The only requirements for security are:

1) Use proper passwords, or keyfiles, but with the keyfiles stored on a properly protected machine (geli, with a proper password for geli too).

2) It's not really wrong to use the same (but well done - random) password in many places YOU administer, but never use the same password on any foreign places.

3) Store that password ONLY in your brain.

As herds of morons don't really understand what passwords are for, all points are usually not respected, point 3 being the most common :)

You want to crack into a company server - just look at the monitors and the notes glued to them. If you can't - ask a charwoman working there ;)
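The point above is that a key file is only as safe as whatever protects it at rest (geli in the author's setup). A cheap check on the key side, as an added example that is not from this thread, is to audit whether private keys on disk are at least passphrase-encrypted; the script below inspects both formats OpenSSH writes (legacy PEM with a `Proc-Type` header, and `openssh-key-v1`, whose header carries the cipher and KDF names) and runs on constructed sample keys rather than real ones.

```python
"""Audit SSH private key files and report whether each is stored encrypted.

Added example, not from the mailing-list thread. The sample keys below are
constructed (truncated) blobs built purely to exercise the parser.
"""
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"

def _read_string(buf: bytes, off: int):
    """Read one SSH wire-format string (u32 big-endian length + bytes)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def key_is_encrypted(text: str) -> bool:
    """Return True if the private key text is passphrase-protected."""
    lines = [l.strip() for l in text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN"):
        raise ValueError("not a PEM-framed private key")
    if "OPENSSH PRIVATE KEY" in lines[0]:
        body = base64.b64decode("".join(lines[1:-1]))
        if not body.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        # Header layout: magic, string ciphername, string kdfname, ...
        cipher, off = _read_string(body, len(OPENSSH_MAGIC))
        kdf, _ = _read_string(body, off)
        return cipher != b"none" and kdf != b"none"
    # Legacy PEM: an encrypted key carries "Proc-Type: 4,ENCRYPTED" + DEK-Info.
    return any(l.startswith("Proc-Type:") and "ENCRYPTED" in l for l in lines)

def _openssh_blob(cipher: bytes, kdf: bytes) -> str:
    """Build a constructed, header-only openssh-key-v1 file for the demo."""
    body = OPENSSH_MAGIC
    for s in (cipher, kdf):
        body += struct.pack(">I", len(s)) + s
    b64 = base64.b64encode(body).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"

SAMPLE_KEYS = {  # constructed inputs, not real keys
    "plain_openssh": _openssh_blob(b"none", b"none"),
    "encrypted_openssh": _openssh_blob(b"aes256-ctr", b"bcrypt"),
    "plain_pem": "-----BEGIN RSA PRIVATE KEY-----\nMIIB\n-----END RSA PRIVATE KEY-----\n",
    "encrypted_pem": "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                     "DEK-Info: AES-128-CBC,00\n\nMIIB\n-----END RSA PRIVATE KEY-----\n",
}

def audit(keys: dict) -> dict:
    """Map each key name to True (encrypted) or False (stored in the clear)."""
    return {name: key_is_encrypted(text) for name, text in keys.items()}

if __name__ == "__main__":
    for name, enc in audit(SAMPLE_KEYS).items():
        print(f"{name}: {'encrypted' if enc else 'UNPROTECTED'}")
```

To audit a real machine, feed `key_is_encrypted` the contents of each file under `~/.ssh`; an unencrypted key on an unencrypted disk is exactly the exposure the author's geli point is about.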