Multi-factor authentication (Score 1)

No system is flawless, but some of the techniques mentioned above can make a system reasonably formidable to potential attackers. Paul Sery created a wonderful PAM module (pluggable authentication module), for out-of-band challenge-response, called pam_obc. Da Beave improved pam_obc and made it available on GitHub (https://github.com/beave/pam_obc). Regarding bandwidth, system resources, etc., it depends on the specific organization's priorities as to what solutions they might implement at each "layer" of the security onion. PAM modules require a negligible amount of system resources, minimal bandwidth, and the challenges can be sent over encrypted channels. I am not saying that pam_obc will make an SSH server impervious to attacks, but for some people it may be part of the solution that they are looking for. Regards