Quote:
Should you ever enable SSH, you will likely want to disable root access and perhaps password authentication as well.
Yes, those two options (disabled root via ssh login, and using preshared instead of passwords) REALLY help. I also specify ONLY which user can log in with AllowUsers username (sshd_config), and you can spice up your pf.conf with something like this below to limit connections and from what IP you want to allow access from, and of course a NON-standard port:
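# drop anything from sources already listed in the <bruteforce> or <noroute> tables
block drop log quick from { <bruteforce>, <noroute> }
# allow SSH on port 32009 from one address; a source with more than 10 connections or more than 3 new connections in 3 seconds is added to <bruteforce> and its states are flushed
pass in log quick on { $EXT, $INT } inet proto tcp from IP.ADDR.ALLOWED.ACCESS to { $EXT } port 32009 flags S/SA modulate state (max-src-conn 10, max-src-conn-rate 3/3, overload <bruteforce> flush global)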
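
An added example, not part of the original post: a small audit of sshd_config text for the settings recommended above (root login, password authentication, AllowUsers, non-default port). It accounts for sshd using the first value it reads for most keywords while Port and AllowUsers lines accumulate. The sample config, the user name "alice" and the function names are constructed for illustration, and the defaults assume OpenSSH 7.0 or later.

```python
# Added example (not from the original post). Keyword names are real OpenSSH
# options; the sample config and the user name "alice" are constructed.

FIRST_WINS = {"permitrootlogin": "prohibit-password",  # defaults, OpenSSH 7.0+
              "passwordauthentication": "yes"}
CUMULATIVE = ("port", "allowusers")  # repeated lines add to a list

def effective(config_text):
    """Global settings as sshd resolves them (Match blocks are not evaluated)."""
    single, multi = {}, {k: [] for k in CUMULATIVE}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            break  # everything below is conditional on the Match criteria
        if keyword in multi:
            multi[keyword].extend(value.split())
        elif keyword in FIRST_WINS:
            single.setdefault(keyword, value.lower())  # first occurrence wins
    return {**FIRST_WINS, **single, **multi}

def audit(config_text):
    """Return a list of findings; an empty list means all four checks pass."""
    s = effective(config_text)
    findings = []
    if s["permitrootlogin"] != "no":
        findings.append("root login over SSH is not fully disabled")
    if s["passwordauthentication"] != "no":
        findings.append("password authentication is enabled")
    if not s["allowusers"]:
        findings.append("no AllowUsers restriction")
    if not s["port"] or "22" in s["port"]:
        findings.append("sshd listens on the default port 22")
    return findings

# Constructed sample: the later "PermitRootLogin no" is ignored by sshd.
SAMPLE = """\
Port 32009
PermitRootLogin yes
PasswordAuthentication no
AllowUsers alice
PermitRootLogin no
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FINDING:", finding)
```

On a live system, `sshd -T` prints the configuration the daemon actually resolved and is the authoritative check.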