sshguard pf

Mark Felder feld at FreeBSD.org
Wed Nov 5 21:38:10 UTC 2014



On Wed, Nov 5, 2014, at 13:55, jd1008 wrote:
> I read the web page you cite.
> However, this is for the client side.
> What about the server side? How does this
> affect attacks against the server?
> 

No, this is for the *server*. When someone tries to ssh to the server
without a valid ssh key they will get two prompts: a passcode, and their
password.

As a result, brute forcing the always-changing passcode *and* the
password is going to be nearly impossible; they have no idea if they get
the password correct as long as they don't get the passcode correct at
the same time.

Note, this doesn't stop the bots from trying, but it prevents them from
ever being successful. You could enable root SSH and set your password
to "password"[1] and they still wouldn't compromise your server because
they don't know how to authenticate through this mechanism and guessing
the ever-changing passcode would be highly unlikely.

[1] Don't actually do this, though.

