Best practices for securing SSH server
ben at b1c1l1.com
Tue Jun 23 01:43:16 UTC 2009
On 06/22/2009 06:16 PM, Daniel Underwood wrote:
> On a BSD box at work (at an extremely fast connection and static IP),
> I run an SSH server. I am the only person who uses the server, but I
> use it from some locations that are behind a dynamic IP (so I can't
> set pf rules to filter by IP). I will always, however, use the same
> laptop to connect to the server. Due to the speed and location of the
> connection, it's a relatively high-risk target.
> What are some good practices for securing this SSH server? Is using a
> stored key safer than a password in this instance? I have no
> experience with port-knocking, but I'd appreciate some tips or
> suggested beginning references... I welcome any and all advice.
> Note: I do require X11 forwarding (not sure whether that's relevant information)
I have password authentication disabled on my public SSH server. You
can accomplish this by setting:
in /etc/ssh/sshd_config. See sshd_config(5) for more information.
This allows you to enforce the use of stronger authentication methods
(e.g. public key). Keep in mind, however, that this setup will only be
secure if you keep your alternate credentials (e.g. private key) secure.
If for some reason you would prefer to use password authentication, I
would recommend that you look into automatic brute force detection.
There are a number of utilities in ports available for this purpose,
including security/sshguard and security/denyhosts.
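An added example, not part of the original post: a small audit that checks whether an sshd_config explicitly disables password-capable logins. It assumes the standard OpenSSH keywords `PasswordAuthentication` and `ChallengeResponseAuthentication` (alias `KbdInteractiveAuthentication`); the function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: check that an sshd_config really disables password logins.

# effective_value FILE "alias1 alias2 ..."
# Print the value sshd takes from the global section: keywords are
# case-insensitive, the first occurrence wins, and lines after the first
# "Match" are conditional, so the scan stops there.
effective_value() {
    awk -v want="$2" '
        BEGIN { want = " " tolower(want) " " }
        /^[ \t]*(#|$)/ { next }                 # skip comments and blanks
        {
            line = $0; sub(/^[ \t]+/, "", line)
            split(line, f, /[ \t=]+/)
            key = tolower(f[1])
            if (key == "match") exit
            if (index(want, " " key " ")) { print tolower(f[2]); exit }
        }' "$1"
}

# audit_sshd_config FILE
# Report every password-capable method not explicitly set to "no".
# Returns 0 only when all of them are disabled.
audit_sshd_config() {
    rc=0
    for kw in "PasswordAuthentication" \
              "ChallengeResponseAuthentication KbdInteractiveAuthentication"; do
        val=$(effective_value "$1" "$kw")
        if [ "$val" != "no" ]; then
            echo "FAIL ${kw%% *} = ${val:-unset}"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: the second PasswordAuthentication line is ignored
# because the first one wins, and keyboard-interactive is never turned off.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample, not a real server's config
Port 22
passwordauthentication yes
PasswordAuthentication no
PubkeyAuthentication yes
X11Forwarding yes
EOF
audit_sshd_config "$sample" || echo "password logins are still possible"
rm -f "$sample"
```

Unset keywords are reported as failures, since an explicit `no` is easier to audit than a compiled-in default.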
More information about the freebsd-questions