Best practices for securing SSH server

Jeff Laine wtf.jlaine at
Tue Jun 23 06:18:53 UTC 2009

On Mon,06/22/09 [21:16:35], Daniel Underwood wrote:
> On a BSD box at work (at an extremely fast connection and static IP),
> I run an SSH server.  I am the only person who uses the server, but I
> use it from some locations that are behind a dynamic IP (so I can't
> set pf rules to filter by IP).  I will always, however, use the same
> laptop to connect to the server.  Due to the speed and location of the
> connection, it's a relatively high-risk target.
> What are some good practices for securing this SSH server.  Is using a
> stored key safer than a password in this instance? I have no
> experience with port-knocking, but I'd appreciate some tips or
> suggested beginning references... I welcome any and all advice.
> Note: I do require X11 forwarding (not sure whether that's relevant information)
> TIA,
> Daniel

To block bruteforce probes on ssh I use pf with it's great function 'max-src-conn-rate'.
man pf.conf provides some useful hints.

Best regards,

| "Nobody wants to say how this works.	|
|  Maybe nobody knows ..."		|
|  			Xorg.conf(5)	|

More information about the freebsd-questions mailing list