Date: Wed, 05 Nov 2014 14:50:33 -0700
From: jd1008 <jd1008@gmail.com>
To: freebsd-questions@freebsd.org
Subject: Re: sshguard pf
Message-ID: <545A9BA9.6040502@gmail.com>
In-Reply-To: <1415223489.3437313.187555705.23CA966F@webmail.messagingengine.com>
References: <20141102154444.GA42429@ymer.thorshammare.org> <1415133076.3101293.187068781.08AE26B5@webmail.messagingengine.com> <545A80AB.3050509@gmail.com> <1415223489.3437313.187555705.23CA966F@webmail.messagingengine.com>
On 11/05/2014 02:38 PM, Mark Felder wrote:
>
> On Wed, Nov 5, 2014, at 13:55, jd1008 wrote:
>> I read the web page you cite.
>> However, this is for the client side.
>> What about the server side? How does this
>> affect attacks against the server?
>>
> No, this is for the *server*. When someone tries to ssh to the server
> without a valid ssh key they will get two prompts: a passcode, and their
> password.
>
> As a result, brute forcing the always-changing passcode *and* the
> password is going to be nearly impossible; they have no idea if they get
> the password correct as long as they don't get the passcode correct at
> the same time.
>
> Note, this doesn't stop the bots from trying, but it prevents them from
> ever being successful. You could enable root SSH and set your password
> to "password"[1] and they still wouldn't compromise your server because
> they don't know how to authenticate through this mechanism and guessing
> the ever-changing passcode would be highly unlikely.
>
> [1] Don't actually do this, though.
>
Thank you Mark, I will keep doing more research on this :)