[CentOS] defense-in-depth possible for sshd?

Thu Jan 12 16:31:20 UTC 2012
Tilman Schmidt <t.schmidt at phoenixsoftware.de>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10.01.2012 19:05, Johnny Hughes wrote:
> Limit access to the sshd port from only authorized places ... and
> the authorized places can be an openvpn type connection if you
> always need access from different IPs.  If you have a laptop, put
> an openvpn client on it and take it with you if you need access
> from dynamic places. Connect the openvpn to the endpoint someplace
> and then use that to connect to the sshd on the server via the
> vpn.

I'm not convinced that would actually improve security.
What that does is replace the risk of intrusion via an sshd
exploit by the risk of intrusion via an OpenVPN exploit.
But it also adds a layer of complexity, and complexity is
the enemy of security. So the risk of an exploitable hole
in OpenVPN would have to be provably so much lower than in
SSH that the difference outweighs the increase of risk
through added complexity. I don't know of any data to
support that claim.

> Wide open sshd ports on the Internet are dangerous.

That's a very bold statement. I guess its truth depends on
your definition of "wide open". In fact I'd maintain that
an open ssh port is less dangerous than most other open
ports. (http, smtp, imap, to name a few)

Jm2c,
T.

- -- 
Tilman Schmidt
Phoenix Software GmbH
Bonn, Germany
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.12 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk8PCtgACgkQ780oymN0g8M/2QCfX3xqxKJ+82qMDWZzby94ujEo
vZwAn2PIlgra7X9PAJT6N+ry4ebLGKDR
=XcUs
-----END PGP SIGNATURE-----
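
An added example, not part of either message above and not CentOS project code, showing what the quoted "limit access to the sshd port" advice looks like on a host that terminates the OpenVPN tunnel itself. Two layers: netfilter rules that admit new SSH connections only from the VPN client subnet, and an sshd_config audit that insists sshd bind only to the VPN-side address rather than to all interfaces. The addresses 10.8.0.1 (VPN server side) and 10.8.0.0/24 (client pool), the port, and the two sample sshd_config fragments are all constructed for the example.

```shell
#!/bin/sh
# Added example for the "limit access to the sshd port" advice above.
# Not from the thread or from CentOS; all addresses are hypothetical:
# the OpenVPN server-side address is taken to be 10.8.0.1 and the VPN
# client pool 10.8.0.0/24, with sshd on its default port 22.
VPN_ADDR="10.8.0.1"
VPN_NET="10.8.0.0/24"
SSH_PORT="22"

# Layer 1: print the iptables rules that admit new SSH connections only
# from the VPN subnet and drop everything else aimed at the sshd port.
# Printed, not applied, so the script runs unprivileged; pipe to sh as
# root (or put the rules in /etc/sysconfig/iptables) to enforce them.
ssh_firewall_rules() {
    net="$1"
    port="$2"
    printf 'iptables -A INPUT -p tcp --dport %s -s %s -m state --state NEW -j ACCEPT\n' "$port" "$net"
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$port"
}

# Layer 2: make sshd itself bind only to the VPN address, so a firewall
# mistake does not by itself re-expose the daemon. Reads an sshd_config
# on stdin and returns 0 only if at least one uncommented ListenAddress
# is present and none of them is a wildcard. No ListenAddress at all
# means sshd binds every interface, so that case fails as well.
audit_listen_address() {
    addrs=$(grep -Ei '^[[:space:]]*ListenAddress[[:space:]]+' | awk '{print $2}')
    [ -n "$addrs" ] || return 1
    for a in $addrs; do
        case "$a" in
            0.0.0.0|0.0.0.0:*|::|\[::\]*) return 1 ;;
        esac
    done
    return 0
}

# Convenience wrapper so a config held in a variable can be audited.
audit_config_text() {
    printf '%s\n' "$1" | audit_listen_address
}

# Constructed sample configs (not taken from any real host).
# Weak: the stock file's commented-out ListenAddress is ignored by sshd,
# so the daemon listens on all interfaces.
WEAK_CFG='Port 22
#ListenAddress 0.0.0.0
PermitRootLogin yes'

# Hardened: bound to the VPN-side address only.
HARDENED_CFG="Port ${SSH_PORT}
ListenAddress ${VPN_ADDR}
PermitRootLogin no"

report() {
    if audit_config_text "$2"; then
        echo "$1: sshd bound to a specific address (ok)"
    else
        echo "$1: sshd would listen on all interfaces (FAIL)"
    fi
}

echo "# firewall rules for ${VPN_NET}:"
ssh_firewall_rules "$VPN_NET" "$SSH_PORT"
report WEAK_CFG "$WEAK_CFG"
report HARDENED_CFG "$HARDENED_CFG"
```

Two things to keep in mind if you adopt this layout: sshd must start after the tun interface holding 10.8.0.1 exists, or the bind fails, and once sshd is bound only to the VPN address every SSH session, including your recovery path, depends on OpenVPN being up, which is exactly the trade-off the two messages above disagree about.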