Kai Schaetzl wrote:
Robert Spangler wrote on Wed, 26 Mar 2008 08:03:48 -0400:
If you are going to use VPN then why not set up your remote site to use VPN and bypass SSH altogether?
There could be several reasons, for instance:
- SSH is all that is necessary
- it's probably easier to have *one* VPN and then be able to ssh to
dozens of other machines instead of setting up VPN on all of them and running several VPN tunnels at once
Use VPN to connect to your network and then ssh through the VPN tunnel to any machines you need to work with. This way only the VPN is exposed to the Internet.
Bottom line is if you want to be secure don't use passwords for login.
Still doesn't stop those brute-force attacks. It just makes them fail. That's the point about moving the port etc., not the security.
Agreed. I have one machine on my network that exposes an ssh connection on a non-standard port. My logs for the last month do not show a single failed connection attempt.
Bowie Bailey wrote on Wed, 26 Mar 2008 09:18:56 -0500:
Use VPN to connect to your network and then ssh through the VPN tunnel to any machines you need to work with. This way only the VPN is exposed to the Internet.
If the machines are within the LAN, yes. My original point was that if you have a static IP address for your local LAN *and* you want to restrict the *remote* machines to be ssh-connectable only from that LAN (which is a good security measure) *and* you are on the road, you can still work on your remote machine by VPNing into your LAN. There are other solutions, but VPN is probably the easiest one, as most SOHO routers should be able to terminate a VPN and it's likely that you want to connect to your LAN via VPN for other purposes anyway. Doing that for the machines *within* your LAN is taken for granted.
Kai
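As an added example (not part of the thread, and not from any of the posters), here is what the setup discussed above looks like on the remote box: an sshd_config stanza that allows keys only (no password logins, so the brute-force attempts fail), a pair of iptables rules that accept SSH only from the LAN's static address and drop everything else, and a small audit function that checks an sshd_config for password logins. The office address 203.0.113.10 (from the documentation range) and port 2222 are assumptions. The audit follows sshd_config(5), where the *first* value of a keyword wins and directives inside a Match block apply only to that block, so a commented-out line or a later "PasswordAuthentication yes" under Match must not be mistaken for the global setting.

```shell
#!/bin/sh
# Added example: key-only SSH, reachable only from the LAN's static IP.
# Not from the thread. OFFICE_IP and SSH_PORT are assumed values.

OFFICE_IP="203.0.113.10"   # assumed static public IP of the home/office LAN
SSH_PORT="2222"            # assumed non-standard port (hides noise, adds no security)

# sshd_config stanza: public keys only, no passwords, no root, few tries.
sshd_hardening_stanza() {
    cat <<EOF
Port ${SSH_PORT}
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
MaxAuthTries 3
EOF
}

# Firewall rules: new SSH connections only from OFFICE_IP, everything else dropped.
# When on the road, VPN into the LAN first so the connection sources from OFFICE_IP.
iptables_rules() {
    cat <<EOF
iptables -A INPUT -p tcp --dport ${SSH_PORT} -s ${OFFICE_IP} -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport ${SSH_PORT} -j DROP
EOF
}

# Audit: return 0 if password logins are globally disabled in the given
# sshd_config, 1 otherwise. sshd uses the FIRST value it sees for a keyword,
# ignores comments, and directives after a Match line are block-local, so we
# stop scanning there. If the keyword is absent, sshd's default is "yes".
password_auth_disabled() {
    first=$(awk '
        $1 ~ /^#/ { next }                                     # skip comments
        tolower($1) == "match" { exit }                        # Match blocks are not global
        tolower($1) == "passwordauthentication" { print tolower($2); exit }
    ' "$1")
    [ "${first:-yes}" = "no" ]
}

# Stand-alone use: print the two fragments to paste into sshd_config and the firewall script.
sshd_hardening_stanza
echo
iptables_rules
```

Reload sshd after changing the config, but keep the existing session open and verify a fresh key-based login from the LAN before closing it; with the rules above, a typo locks you out of the box rather than just of one account.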
openvpn is perfect for this sort of situation -