Date: Wed, 05 Nov 2014 15:38:09 -0600
From: Mark Felder <feld@FreeBSD.org>
To: freebsd-questions@freebsd.org
Subject: Re: sshguard pf
Message-ID: <1415223489.3437313.187555705.23CA966F@webmail.messagingengine.com>
In-Reply-To: <545A80AB.3050509@gmail.com>
References: <20141102154444.GA42429@ymer.thorshammare.org> <1415133076.3101293.187068781.08AE26B5@webmail.messagingengine.com> <545A80AB.3050509@gmail.com>

On Wed, Nov 5, 2014, at 13:55, jd1008 wrote:
> I read the web page you cite.
> However, this is for the client side.
> What about the server side? How does this
> affect attacks against the server?
>

No, this is for the *server*. When someone tries to ssh to the server without a valid ssh key they will get two prompts: a passcode, and their password. As a result, brute forcing the always-changing passcode *and* the password is going to be nearly impossible; they have no idea if they get the password correct as long as they don't get the passcode correct at the same time.

Note, this doesn't stop the bots from trying, but it prevents them from ever being successful. You could enable root SSH and set your password to "password"[1] and they still wouldn't compromise your server because they don't know how to authenticate through this mechanism and guessing the ever-changing passcode would be highly unlikely.

[1] Don't actually do this, though.
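
The server-side check described in the message above, as an added example that is not part of the original e-mail: it assumes the always-changing passcode is an RFC 6238 time-based code (the message does not name the mechanism), and the account record, salt and function names are constructed for illustration. Both factors are always evaluated and only one combined verdict comes back, so a correct password paired with a wrong passcode looks the same as any other failure.

```python
import hashlib
import hmac
import struct

STEP = 30     # seconds each passcode stays valid (RFC 6238 default)
DIGITS = 6    # passcode length


def totp(secret: bytes, now: float) -> str:
    """RFC 6238 TOTP with HMAC-SHA1: the passcode valid at time `now`."""
    counter = struct.pack(">Q", int(now) // STEP)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted password hash used for the second factor."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def authenticate(account: dict, passcode: str, password: str, now: float) -> bool:
    """Evaluate both factors on every attempt and return one verdict.

    No early return: the caller never learns which factor failed.
    """
    code_ok = hmac.compare_digest(
        totp(account["secret"], now).encode(), passcode.encode())
    pw_ok = hmac.compare_digest(
        hash_password(password, account["salt"]), account["pw_hash"])
    return code_ok and pw_ok


# Constructed sample account (assumption for this example only).
# The secret is the published RFC 6238 test key; the password is the
# deliberately weak one from the message.
ACCOUNT = {"secret": b"12345678901234567890", "salt": b"constructed-salt"}
ACCOUNT["pw_hash"] = hash_password("password", ACCOUNT["salt"])

if __name__ == "__main__":
    t = 59  # RFC 6238 test time
    print("right code, right password:", authenticate(ACCOUNT, totp(ACCOUNT["secret"], t), "password", t))
    print("wrong code, right password:", authenticate(ACCOUNT, "000000", "password", t))
    print("right code, wrong password:", authenticate(ACCOUNT, totp(ACCOUNT["secret"], t), "hunter2", t))
```
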