On Thu, Jan 12, 2012 at 10:31 AM, Tilman Schmidt t.schmidt@phoenixsoftware.de wrote:
I'm not convinced that would actually improve security. What that does is replace the risk of intrusion via an sshd exploit by the risk of intrusion via an OpenVPN exploit.
Yes, but only to someone with inside information. You can't really hide an ssh server from a port scan, but openvpn on UDP will not respond to packets that aren't signed with the right key. You can't tell it from a firewall that drops packets at that address/port. And, if you do get the openvpn connection you only get network access - you still have to find a host on the other side and break into its ssh before you can do anything.
But it also adds a layer of complexity, and complexity is the enemy of security. So the risk of an exploitable hole in OpenVPN would have to be provably so much lower than in SSH that the difference outweighs the increase of risk through added complexity. I don't know of any data to support that claim.
Since you have to (a) find the connection, and (b) still break ssh, it seems logically more secure. Or are you thinking of the probability of a flaw in openvpn giving you arbitrary command access? I suppose you can't rule that out, but it is not as complicated as ssh, so there is probably less to go wrong.
Wide open sshd ports on the Internet are dangerous.
That's a very bold statement. I guess its truth depends on your definition of "wide open". In fact I'd maintain that an open ssh port is less dangerous than most other open ports. (http, smtp, imap, to name a few)
You are pretty much guaranteed to get hacking attempts both by password guessing and vulnerability probes on all of those ports/services.
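The "does not respond to packets that aren't signed with the right key" behaviour discussed above is what OpenVPN's tls-auth (HMAC on every control-channel packet) gives you; this server fragment is an added illustration, not something from the thread, and the key file name, subnet and interface are assumed values:

```conf
# Constructed OpenVPN server fragment (assumed paths/addresses).
# Without the tls-auth line the daemon answers TLS handshake
# initiations from any source, so a UDP scanner can tell it is there.
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0

# Static pre-shared HMAC key (generate with: openvpn --genkey --secret ta.key).
# Every control packet must carry a valid HMAC or it is dropped silently,
# which is indistinguishable from a firewall DROP to an outside probe.
# Clients use "tls-auth ta.key 1" with the same key file.
tls-auth ta.key 0

# Normal certificate-based authentication still applies once the
# HMAC check passes; tls-auth only gates who gets a reply at all.
ca ca.crt
cert server.crt
key server.key
dh dh.pem

# Clients that do reach the tunnel still only get network reachability
# to 10.8.0.0/24; hosts behind it keep their own sshd authentication.
```

Checking the effect from outside is just comparing a UDP probe of the port before and after the tls-auth line: with it in place the server gives no reply either way.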