Date:      Mon, 22 Jun 2009 18:43:00 -0700
From:      Benjamin Lee <ben@b1c1l1.com>
To:        Daniel Underwood <djuatdelta@gmail.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Best practices for securing SSH server
Message-ID:  <4A403324.6090300@b1c1l1.com>
In-Reply-To: <b6c05a470906221816l4001b92cu82270632440ee8a@mail.gmail.com>
References:  <b6c05a470906221816l4001b92cu82270632440ee8a@mail.gmail.com>


On 06/22/2009 06:16 PM, Daniel Underwood wrote:
> On a BSD box at work (at an extremely fast connection and static IP),
> I run an SSH server.  I am the only person who uses the server, but I
> use it from some locations that are behind a dynamic IP (so I can't
> set pf rules to filter by IP).  I will always, however, use the same
> laptop to connect to the server.  Due to the speed and location of the
> connection, it's a relatively high-risk target.
> 
> What are some good practices for securing this SSH server.  Is using a
> stored key safer than a password in this instance? I have no
> experience with port-knocking, but I'd appreciate some tips or
> suggested beginning references... I welcome any and all advice.
> 
> Note: I do require X11 forwarding (not sure whether that's relevant information)

I have password authentication disabled on my public SSH server.  You
can accomplish this by setting:

ChallengeResponseAuthentication no

in /etc/ssh/sshd_config.  See sshd_config(5) for more information.

This allows you to enforce the use of stronger authentication methods
(e.g. public key).  Keep in mind, however, that this setup will only be
secure if you keep your alternate credentials (e.g. private key) secure
as well.

If for some reason you would prefer to use password authentication, I
would recommend that you look into automatic brute force detection.
There are a number of utilities in ports available for this purpose,
including security/sshguard and security/denyhosts.


-- 
Benjamin Lee
http://www.b1c1l1.com/
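A small audit script that follows on from the reply above, as an added example that is not part of the original thread and not Benjamin's or the FreeBSD project's code. It reads an sshd_config the way sshd does (first occurrence of a keyword wins, and anything after a "Match" line is conditional rather than global) and reports whether password-style logins are really closed, i.e. whether both PasswordAuthentication and ChallengeResponseAuthentication (or its newer name KbdInteractiveAuthentication) resolve to "no". The two sample configs are constructed for the example; the script assumes the upstream OpenSSH default of "yes" for any keyword that is absent, which is deliberately conservative, since the config file FreeBSD ships may carry other defaults. Confirm the live values on a real host with `sshd -T`.

```shell
#!/bin/sh
# Added example: audit an sshd_config for password-style authentication.
# Not code from the original post; it mirrors two rules of sshd_config(5):
#   * the FIRST occurrence of a keyword is the one that takes effect;
#   * keywords after a "Match" line apply only inside that block.
# Assumption: an absent keyword is treated as the upstream default "yes".
# The "Key=value" spelling of options is not handled, only "Key value".

# Print the effective global value (lower-cased) of keyword $2 in file $1.
sshd_global_opt() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments and blank lines
        tolower($1) == "match"               { exit }   # end of the global section
        tolower($1) == tolower(key) && !seen { print tolower($2); seen = 1 }
    ' "$1"
}

# Exit status 0 when neither plain passwords nor PAM/keyboard-interactive
# passwords can be used to log in; 1 when either path is still open.
ssh_password_auth_disabled() {
    cfg=$1
    pw=$(sshd_global_opt "$cfg" PasswordAuthentication)
    cr=$(sshd_global_opt "$cfg" ChallengeResponseAuthentication)
    kbd=$(sshd_global_opt "$cfg" KbdInteractiveAuthentication)
    # ChallengeResponseAuthentication is the older name of
    # KbdInteractiveAuthentication; honour whichever one is set.
    if [ -z "$cr" ]; then cr=$kbd; fi
    # Unset keywords fall back to the (assumed) upstream default "yes".
    if [ -z "$pw" ]; then pw=yes; fi
    if [ -z "$cr" ]; then cr=yes; fi
    [ "$pw" = no ] && [ "$cr" = no ]
}

# Constructed sample configs (not taken from any real host).
weak_cfg=$(mktemp)
strong_cfg=$(mktemp)
trap 'rm -f "$weak_cfg" "$strong_cfg"' EXIT

# Only the keyboard-interactive path is closed here; PasswordAuthentication
# is left at its default, so a plain password login may still be possible.
cat > "$weak_cfg" <<'EOF'
ChallengeResponseAuthentication no
X11Forwarding yes
EOF

# Both password paths closed explicitly; the Match block re-enables
# passwords only for one address range and does not change the global value.
cat > "$strong_cfg" <<'EOF'
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
X11Forwarding yes
Match Address 192.0.2.0/24
    PasswordAuthentication yes
EOF

for f in "$weak_cfg" "$strong_cfg"; do
    if ssh_password_auth_disabled "$f"; then
        echo "$f: password authentication is off globally"
    else
        echo "$f: password authentication is still possible"
    fi
done
```

Run it against a real file with `ssh_password_auth_disabled /etc/ssh/sshd_config` after sourcing the functions; a non-zero exit means a password path is still open and `sshd -T | grep -i authentication` is the next thing to look at.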





Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4A403324.6090300>