On Mon, Jun 22, 2009 at 9:43 PM, Benjamin Lee <b...@b1c1l1.com> wrote:
> On 06/22/2009 06:16 PM, Daniel Underwood wrote:
> > On a BSD box at work (at an extremely fast connection and static IP),
> > I run an SSH server. I am the only person who uses the server, but I
> > use it from some locations that are behind a dynamic IP (so I can't
> > set pf rules to filter by IP). I will always, however, use the same
> > laptop to connect to the server. Due to the speed and location of the
> > connection, it's a relatively high-risk target.
> >
> > What are some good practices for securing this SSH server? Is using a
> > stored key safer than a password in this instance? I have no
> > experience with port-knocking, but I'd appreciate some tips or
> > suggested beginning references... I welcome any and all advice.
> >
> > Note: I do require X11 forwarding (not sure whether that's relevant
> > information)
>
> I have password authentication disabled on my public SSH server. You
> can accomplish this by setting:
>
> ChallengeResponseAuthentication no
>
> in /etc/ssh/sshd_config. See sshd_config(5) for more information.
>
> This allows you to enforce the use of stronger authentication methods
> (e.g. public key). Keep in mind, however, that this setup will only be
> secure if you keep your alternate credentials (e.g. private key) secure
> as well.
>
> If for some reason you would prefer to use password authentication, I
> would recommend that you look into automatic brute force detection.
> There are a number of utilities in ports available for this purpose,
> including security/sshguard and security/denyhosts.
>
>
> --
> Benjamin Lee
> http://www.b1c1l1.com/
>

prevent brute force scans :
option a ( my favorite ) - change ssh port number
option b ( works just as well, but with more junk in your logs ) - install brute force blocker ( it's in the ports .. )

create explicit login group :
add AllowGroups groupname to your sshd config
add the group to your groups file and make sure you / anyone with access is member of that group.
force ssh version 2 only - just for kicks :)
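An added example, not from the thread: a small POSIX sh audit that reads an sshd_config and reports which of the settings recommended in the replies (no password logins, an explicit AllowGroups, Protocol 2, a non-default Port) are missing. It checks both PasswordAuthentication and ChallengeResponseAuthentication, since password logins stay possible while either one is left at its default of yes; the two sample config files and the group name sshusers are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for the settings
# the replies recommend. Handles "Keyword value" lines only (no "Keyword=value").
# sshd uses the FIRST active occurrence of a keyword, so that is what we read.

sshd_value() {   # $1 = config file, $2 = keyword; prints the first active value
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Prints one FAIL:/NOTE: line per finding; always exits 0 so it composes in pipelines.
audit_sshd_config() {
    f="$1"
    pa=$(sshd_value "$f" PasswordAuthentication)
    cr=$(sshd_value "$f" ChallengeResponseAuthentication)
    # Both default to yes; either one left on still permits password logins.
    [ "${pa:-yes}" = no ] || echo "FAIL: PasswordAuthentication is '${pa:-unset}' (want no)"
    [ "${cr:-yes}" = no ] || echo "FAIL: ChallengeResponseAuthentication is '${cr:-unset}' (want no)"
    [ -n "$(sshd_value "$f" AllowGroups)" ] || echo "FAIL: AllowGroups unset (want an explicit login group)"
    [ "$(sshd_value "$f" Protocol)" = 2 ] || echo "FAIL: Protocol not pinned to 2"
    port=$(sshd_value "$f" Port)
    [ "${port:-22}" != 22 ] || echo "NOTE: sshd on default port 22 (scanner noise; moving it is optional)"
    return 0
}

sshd_findings_count() {   # number of FAIL: lines for a config file
    audit_sshd_config "$1" | grep -c '^FAIL:' || true
}

# Constructed sample configs (not from any real host), one weak and one hardened.
TMPD=$(mktemp -d)
WEAK_CFG="$TMPD/sshd_config.weak"; HARD_CFG="$TMPD/sshd_config.hard"
cat > "$WEAK_CFG" <<'EOF'
#PasswordAuthentication no
ChallengeResponseAuthentication yes
X11Forwarding yes
EOF
cat > "$HARD_CFG" <<'EOF'
Port 2222
Protocol 2
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowGroups sshusers
X11Forwarding yes
EOF

for cfg in "$WEAK_CFG" "$HARD_CFG"; do
    echo "== $cfg"; audit_sshd_config "$cfg"
done
```

Run it against /etc/ssh/sshd_config after applying the changes from the thread; a commented-out directive counts as unset, because sshd ignores it.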