From: Daniel Underwood
To: Erik Norgaard
Cc: freebsd-questions@freebsd.org
Date: Tue, 23 Jun 2009 09:53:30 -0400
Subject: Re: Best practices for securing SSH server

> I do not believe that tricks like running ssh on a
> non standard port or using port-knocking provide
> much extra security.

I can understand that varying the port is not a very strong defensive measure, but I don't understand your point about port-knocking. If you configure a complex and seemingly random sequence of knocks before allowing an IP access to your ssh port, have you not significantly strengthened your ssh server?