 
On 10.01.2012 19:05, Johnny Hughes wrote:
> Limit access to the sshd port from only authorized places ... and the authorized places can be an openvpn type connection if you always need access from difference IPs. If you have a laptop, put an openvpn client on it and take it with you if you need access from dynamic places. Connect the openvpn to the endpoint someplace and then use that to connect to the sshd on the server via the vpn.
I'm not convinced that would actually improve security. What that does is replace the risk of intrusion via an sshd exploit by the risk of intrusion via an OpenVPN exploit. But it also adds a layer of complexity, and complexity is the enemy of security. So the risk of an exploitable hole in OpenVPN would have to be provably so much lower than in SSH that the difference outweighs the increase of risk through added complexity. I don't know of any data to support that claim.
> Wide open sshd ports on the Internet are dangerous.
That's a very bold statement. I guess its truth depends on your definition of "wide open". In fact I'd maintain that an open ssh port is less dangerous than most other open ports. (http, smtp, imap, to name a few)
Jm2c, T.
-- 
Tilman Schmidt
Phoenix Software GmbH
Bonn, Germany